June 5, 2018 By Leslie Wiggins 4 min read

A May 2018 report by the IBM Institute for Business Value found that only 36 percent of surveyed executives believed they’d be fully compliant with the General Data Protection Regulation (GDPR) by the May 25 enforcement date. The GDPR, intending to improve data privacy for data subjects from the European Union (EU), has set a new standard for data privacy worldwide while sparking speculation, self-examination and organizational overhauls for security, privacy and compliance teams in the EU and beyond.

And for some organizations, this has caused a good deal of panic.

GDPR Enforcement in Full Effect

According to The New Yorker, the GDPR is “the most contested law in the E.U.’s history,” a statement illustrating just how impactful (and potentially disruptive) many believe GDPR enforcement will be. It’s perceived, however, that showing signs of progress toward full compliance may be enough to stay afloat for now. Though fines for GDPR noncompliance can reach as high as 20 million euros — or up to 4 percent of annual worldwide turnover — some believe it’s unlikely, according to GDPR.Report, that repercussions will reach this level of magnitude in the majority of cases, as long as efforts have been made in good faith to take steps toward compliance.

Staying afloat isn’t sustainable forever, though, and organizations still need to continue ongoing efforts toward compliance and maintain those levels once they’ve been reached. The May 25 date was by no means the end of the activity around GDPR compliance — it’s only the beginning of a much longer journey.

What can we potentially offer to the 64 percent of GDPR executives who didn’t think they’d be fully ready by the enforcement date — and more importantly, to the 18 percent who (at the time of the report) hadn’t even begun GDPR preparations?

A GDPR Framework

First and foremost, IBM Security offers a GDPR framework, providing a holistic approach to help organizations prepare for and meet GDPR requirements. The framework outlines requirements around both privacy (the controls within an organization around how personal or regulated information is collected, used and shared) and security (the technical safeguards to ensure data confidentiality, integrity and availability). It spans five phases: assess, design, transform, operate and conform.

With a regulation as monumental as the GDPR, simply jumping in without a plan won’t yield positive results. Identifying a framework to follow is a critical element of preparedness.

IBM Security Guardium Analyzer

Second, we offer a more practical suggestion: Think big, start small and deliver fast. One way to do this is to leverage software-as-a-service (SaaS) offerings that enable teams to immediately start taking the steps outlined in IBM Security’s GDPR framework.

To support these efforts, IBM Security announced the IBM Security Guardium Analyzer today, a SaaS offering that maps to the first step in the GDPR framework by helping organizations efficiently assess security and compliance risk associated with GDPR personal data and create a prioritized action plan. By combining advanced classification and risk-based vulnerability assessment, Guardium Analyzer identifies the cloud and on-premises databases most likely at risk under a GDPR-oriented audit — so you can take the right steps to minimize your risk.

The technology offers key capabilities, including encrypted connectivity to cloud and on-premises databases, next-generation classification using pre-built, IBM-provided data patterns or customized user-provided patterns, vulnerability assessments and risk scoring, which helps administrators prioritize vulnerable databases based on the amount of sensitive data they contain and that data’s level of sensitivity. Advanced filtering and sorting — along with intuitive, shareable dashboards that enable visual progress tracking and reporting — contribute to ease of use, a crucial element in the face of this complex regulation.

Guardium Analyzer helps organizations get a running start on their GDPR journey with a SaaS offering purpose-built for discovering, classifying and assessing the vulnerability of personal data. Remember: Even with the May 25 date behind us, these are needs organizations will have to continue addressing well beyond this initial enforcement period if they want to maintain compliance and continue building a strong data protection program.

The Transformative Power of the GDPR

Moving forward, the GDPR may even serve as a catalyst to spark greater innovation throughout security programs worldwide. According to the IBM report, 39 percent of surveyed executives saw the GDPR as a chance to transform security, privacy and data management efforts – with 91 percent agreeing that the GDPR will enable more trusted relationships with clients and new business opportunities. If these responses are any indication of what’s to come, then we have yet to see the transformative power of the GDPR.

The Data Protection Officer’s Playbook for GDPR

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from

Exploiting GOG Galaxy XPC service for privilege escalation in macOS

7 min read - Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments. During my research, I decided to try and discover vulnerabilities in software that I had pre-installed on my laptop, which resulted in the discovery of this vulnerability. In this article, I…

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today