February 5, 2018 By Adam Nelson 3 min read

At last, it’s time to flip the switch.

In our three most recent blog posts in this series, we’ve been leading up to this moment, discussing everything from assessing your current GDPR readiness situation and designing your approach to transforming your organization’s practices. And now we’re ready to talk about the Operationalize phase of the IBM Security GDPR framework.

Operationalizing Your GDPR Readiness Plan

If the prospect of putting all the gears in motion makes you a little apprehensive, you can rest assured you’re not alone. So take a few moments to think about everything you’ve accomplished up to this point in your GDPR readiness journey, and it’s likely you’ll realize that this is simply the next logical step in the process.

That said, I’d like to offer some suggestions to help make the transition go as smoothly and successfully as possible.


It may sound obvious, but you really do need to let everyone know what’s changing — and why. Try to keep your explanation as simple and straightforward as possible. And remind everyone that while you’ve tested and refined the processes and procedures as much as possible, there may still be a few glitches along the way. So let them know that their patience will be much appreciated.


Have a plan in place for keeping track of how everything is going. It’s one of the best ways to keep small problems from becoming big ones.


One obvious result of your monitoring is that you may need to change things here and there. But because you likely have already tested most of your new systems, processes and procedures (and you have been doing that, right?), we’re really talking about making fairly small adjustments here — and not significant changes.


It shouldn’t come as a surprise to learn that you’re going to need to track your GDPR program’s performance — and measure its success. Decide what you need to measure and then make sure you’re getting reliable (and verifiable) data. For example, you’ll probably want to track the number of:

  • Data protection officers you have in place;
  • People you’ve trained;
  • Data transfers you’ve completed;
  • Data subject access requests you’ve received and fulfilled; and
  • Breaches or incidents you’ve experienced (if any).

Having ready access to that information could be very helpful if regulators come knocking at your door. And one more thing: Remember to check in with your executive team to make sure they’re getting the metrics they need as well.


Whether you’re dealing with 1,000 data subjects or hundreds of thousands, we recommend creating a privacy management office to manage data governance and overall data use. Ideally, you should consider having a system in place for creating and tracking “unique person identifiers” that provide a single point of focus for any one of your data subjects. This can be managed by the privacy team, IT or a separate data protection team.

Accept Reality

What are the odds that the regulators will show up at your door? That’s an impossible question to answer. But I can venture an educated guess that many organizations won’t be fully GDPR-ready by May 25. Still, it makes sense to strive for as much readiness as you can muster.

One More Stop to Go on Your GDPR Readiness Journey

And remember that your GDPR journey doesn’t end here. The fifth and final phase of the IBM Security GDPR framework focuses on conforming, which includes effectively managing your controller/processor relationships and demonstrating that you’ve implemented technical and organizational measures to ensure that appropriate security controls are in place. We’ll be discussing those topics next.

In the meantime, learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at ibm.com/gdpr.


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

Data residency: What is it and why it is important?

3 min read - Data residency is a hot topic, especially for cloud data. The reason is multi-faceted, but the focus has been driven by the General Data Protection Regulation (GDPR), which governs information privacy in the European Union and the European Economic Area.The GDPR defines the requirement that users’ personal data and privacy be adequately protected by organizations that gather, process and store that data. After the GDPR rolled out, other countries such as Australia, Brazil, Canada, Japan, South Africa and the UAE…

Third-party breaches hit 90% of top global energy companies

3 min read - A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.Their increased dependence on digital systems facilitates the increase in attacks on infrastructure networks. This sheds light on the need for these energy companies to adopt a proactive approach to securing their networks and customer information.2023 industry recap:…

Data security posture management vs cloud security posture management

4 min read - “A data breach has just occurred”, is a phrase no security professional wants to hear. From the CISO on down to the SOC analysts, a data breach is the definition of a very bad day. It can cause serious brand damage and financial loss for enterprises, lead to abrupt career changes among security professionals, and instill fear of financial or privacy loss for businesses and consumers.According to an ESG report, 55% of data and workloads currently run or operate in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today