Why It’s So Hard to Design Something Simple

In our previous blog post, Adam Nelson and I suggested that you set aside time with other people in your organization and familiarize yourselves with the General Data Protection Regulation (GDPR) and its requirements. Have you done that yet? Don’t be embarrassed to admit that you haven’t. Either way, there’s a good chance you’ve already figured out that those requirements can get pretty complicated.

That’s what I was thinking last year when we set out to find a way to help organizations like yours understand what GDPR is all about. I’ve got to be honest here. After reading the 261 pages of regulations over and over and consulting numerous legal writings, it didn’t take long for me to realize that there was nothing simple about it.

Creating something simple can be incredibly difficult. No news there, right? It’s rumored that over 500 years ago, Leonardo da Vinci observed that “simplicity is the ultimate sophistication.”

For starters, while the regulation has a lot to say about what you need to do, it doesn’t tell you how to do any of those things. So I started doing my homework. I consulted with numerous colleagues. I read reports, explored use cases, shared ideas, and we argued with one another (just a little).

All along, I held onto the idea that whatever we created had to be simple. That meant no complicated, multidimensional matrices or giant reference architecture charts no one could understand. In the end, we agreed there would be no lists of what to do or what to buy to become GDPR-ready, because no one product could possibly do that.

A Simple Framework for Your GDPR Journey

Instead, I returned to the idea of keeping things simple. I preached it over and over. After at least a dozen iterations, I finally developed a five-phase framework that addresses both privacy and security and treats GDPR as a journey on which some organizations are just starting while others are further along. We also decided that it would not be a readiness assessment checklist, and we didn’t want it to focus exclusively on IBM.

The framework acknowledges that every organization will have its own needs to consider. We also knew from the outset that no two organizations would likely be starting at the same place. Its simplicity allows you to “jump in” at whichever point is appropriate for you.

Where do you begin? That’s a question we asked ourselves more than once. In fact, we found ourselves asking it a lot. The first thing we decided was that each of the framework’s five phases had to address both privacy and security issues — because GDPR requires organizations to ensure both. And right there, things got complicated, since it can sometimes be hard to distinguish between the two.

So we needed to nail down the definitions. Here’s the result: Privacy is about the policies and practices that dictate what data you collect, why you collect it, and how you manage, share, process and move it around. Security is about how you control and protect that data. Here’s another way to think about it: You can have security without privacy, but you can’t have privacy without security.

Looking at the five phases of the IBM GDPR security framework, it’s pretty easy to see how all the pieces fit together. But I can assure you that there was a lot of discussion about what should happen when and where. So we began at what logic told us was the beginning.

In Phase 1, you assess your situation. You figure out which of the data you collect and store is personal data covered by GDPR, and then you plot a course to discover where that data lives.

Phase 2 is where you design your approach. You need to come up with a solid plan for data collection, use and storage. And you need to develop an architecture and strategy that will balance risks and business objectives.

Your goal in Phase 3 is to transform your practices, understanding that the data you deem valuable to your organization is equally valuable to the people it represents. This is where you develop a sustainable privacy compliance program, implement security and governance controls (technical and organizational measures, or TOMs) and, where required, appoint a Data Protection Officer.

By the time you get to Phase 4, you’re ready to operate your program. Now you’re continually inspecting your data, monitoring access to personal data, testing your security, applying privacy-by-design and security-by-design principles and purging data you no longer need.

And Phase 5, the final phase, is where you’re ready to conform with the necessary GDPR requirements. Now you’re fulfilling data subject requests for access, correction, erasure and transfer. You’re also prepared for audits with documentation of your activities, and ready to inform regulators and data subjects in the event of a data breach (GDPR sets a 72-hour window for notifying the supervisory authority where feasible, so that readiness has to exist before the breach, not after).

A Direct Approach to GDPR Readiness

The good news is that, since I created the framework, we have adopted and expanded it into the overall IBM GDPR Framework. That version adds further detail, including a simplified capability architecture that covers information governance and a set of pathways to help you get started across your organization.

So there you have it: a direct approach to GDPR readiness. The journey itself may not always be easy, but the path should be clearer. Yes, there’s a lot going on in each of those five phases. And yes, you may need help along the way. But that’s what we’re here to offer. Learn more about how IBM Security can help you navigate the journey to GDPR readiness here.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
