At last, it’s time to flip the switch.

In our three most recent blog posts in this series, we’ve been leading up to this moment, discussing everything from assessing your current GDPR readiness situation and designing your approach to transforming your organization’s practices. And now we’re ready to talk about the Operationalize phase of the IBM Security GDPR framework.

Operationalizing Your GDPR Readiness Plan

If the prospect of putting all the gears in motion makes you a little apprehensive, you can rest assured you’re not alone. So take a few moments to think about everything you’ve accomplished up to this point in your GDPR readiness journey, and it’s likely you’ll realize that this is simply the next logical step in the process.

That said, I’d like to offer some suggestions to help make the transition go as smoothly and successfully as possible.


It may sound obvious, but you really do need to let everyone know what’s changing — and why. Try to keep your explanation as simple and straightforward as possible. And remind everyone that while you’ve tested and refined the processes and procedures as much as possible, there may still be a few glitches along the way. So let them know that their patience will be much appreciated.


Have a plan in place for keeping track of how everything is going. It’s one of the best ways to keep small problems from becoming big ones.


One obvious result of your monitoring is that you may need to change things here and there. But because you likely have already tested most of your new systems, processes and procedures (and you have been doing that, right?), we’re really talking about making fairly small adjustments here — and not significant changes.


It shouldn’t come as a surprise to learn that you’re going to need to track your GDPR program’s performance — and measure its success. Decide what you need to measure and then make sure you’re getting reliable (and verifiable) data. For example, you’ll probably want to track the number of:

  • Data protection officers you have in place;
  • People you’ve trained;
  • Data transfers you’ve completed;
  • Data subject access requests you’ve received and fulfilled; and
  • Breaches or incidents you’ve experienced (if any).

Having ready access to that information could be very helpful if regulators come knocking at your door. And one more thing: Remember to check in with your executive team to make sure they’re getting the metrics they need as well.


Whether you’re dealing with 1,000 data subjects or hundreds of thousands, we recommend creating a privacy management office to manage data governance and overall data use. Ideally, you should consider having a system in place for creating and tracking “unique person identifiers” that provide a single point of focus for any one of your data subjects. This can be managed by the privacy team, IT or a separate data protection team.

Accept Reality

What are the odds that the regulators will show up at your door? That’s an impossible question to answer. But I can venture an educated guess that many organizations won’t be fully GDPR-ready by May 25. Still, it makes sense to strive for as much readiness as you can muster.

One More Stop to Go on Your GDPR Readiness Journey

And remember that your GDPR journey doesn’t end here. The fifth and final phase of the IBM Security GDPR framework focuses on conforming, which includes effectively managing your controller/processor relationships and demonstrating that you’ve implemented technical and organizational measures to ensure that appropriate security controls are in place. We’ll be discussing those topics next.

In the meantime, learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read

Understanding the Backdoor Debate in Cybersecurity

3 min read - The debate over whether backdoor encryption should be implemented to aid law enforcement has been contentious for years. On one side of the fence, the proponents of backdoors argue that they could provide valuable intelligence and help law enforcement investigate criminals or prevent terrorist attacks. On the other side, opponents contend they would weaken overall security and create opportunities for malicious actors to exploit. So which side of the argument is correct? As with most debates, the answer isn't so…

3 min read