At first glance, it may seem strange to be asking you where you are in your GDPR journey when enforcement for the regulation begins on May 25 — which is now less than 60 days away. After all, GDPR was approved way back in April 2016, and here at IBM we’ve been talking and blogging about it virtually ever since then.

Of course, we all know that there’s a huge difference between talking — or reading — about something and actually doing anything about it.

Last month, we discussed knowing whether you’re truly GDPR-ready. If you’ve already determined that you are ready, congratulations! But you might want to continue reading anyway just to see if there’s anything else you’d like to consider. But I’m guessing there are a lot of you who aren’t quite ready. And that’s why I started out today by asking where you are in your GDPR journey.

Getting Started

Yogi Berra once famously said, “If you don’t know where you’re going, you might not get there.” What’s that got to do with GDPR? Well, it’s pretty hard to get started if you don’t know what your obligations are or where your gaps are lurking. So I strongly suggest that you start with a readiness assessment. It offers a structured approach to developing a maturity assessment, gap analysis and road map that can help you see what’s most important and jump-start your efforts.

You can also take advantage of the readiness assessment for further guidance on managing your ongoing GDPR program and recommendations for additional services as you move forward. Remember, managing GDPR needs to be an ongoing, sustainable program.

In a hurry? You can start with an online self-assessment that allows you to answer a series of questions about what you’ve done so far and provides you with a customized list of the steps you can take next. What’s more, you can take advantage of an accelerator to help you identify your organization’s personal data, determine where it resides and begin to assess the security risks associated with that data.

Gaining Traction

I’ve heard many stories of well-intentioned but time-pressed security teams attempting to use spreadsheets to manage their GDPR record-keeping activities. As most of them soon discovered, spreadsheets just don’t offer a sustainable solution. Those spreadsheets aren’t always kept up to date and they’re not capable of managing or measuring risks. But the critical data protection program from IBM can help you identify and define your most valuable data, perform gap analyses, monitor your security framework, analyze and classify the most important aspects of your information, and create a risk remediation plan.

And using a data risk manager can help you identify and stop potential risks to personal data and sensitive business data that may impact business processes, operations and your competitive position. The overview page of IBM Data Risk Manager displays a world map showing the locations of your data assets so you can actually see where your important information resides. It can also help with GDPR data transfer requirements as you move information from one place to another.

In addition, GDPR mandates that you be ready to take action when the need arises. Let’s say that one of your key data sources that is known to contain large quantities of personal data has generated multiple alerts. At this stage, it’s important to quickly identify your risks and take the appropriate steps to address them. One critical area of risk involves user access — weighing the difference between who has access against who needs access. It’s good practice to regularly review access rights to both data and applications using purpose-built tools and make sure you have recertification campaigns in place. That will help you identify and mitigate situations in which an individual may have moved to another department, for example, and no longer needs access to that data.

Everyone involved should know who has responsibility for what. And you need to confirm that those who are responsible are the ones who should be responsible. Because having a policy in place is great — as long as you’ve actually put it into practice.


Up until now, we’ve been talking primarily about the processes for managing and protecting your data. But what if, despite your best efforts, something goes wrong? Incident response is a critical part of GDPR requirements, since you’ll need to be able to meet that 72-hour breach notification deadline. And it seems to me that people aren’t paying as much attention to this as they should.

At the same time, you might also want to consider establishing key performance indicators for incident response — and then set up tests and drills to “practice” meeting them.

Identity management is also critical at this point because GDPR readiness isn’t just about data-related risks — it’s also about who has access to your data. So you need to have repeatable, regular mitigation processes in place — before you have an incident on your hands. In fact, identity is important across the board. Think about data subject access requests (DSARs) and the increased risk of fraud, for example. An individual could pretend to be someone else, go to a website and gain access to all of that “someone else’s” medical information. If it’s all in one place, a single password can let someone download it all with one click. That’s why multifactor authentication is so important. Is your organization thinking about these issues? It seems to me that many aren’t.

And finally, don’t forget about those who handle your data outside your company. Are all the necessary contracts in place regarding your organization’s data processors and their obligations? Do they have regular processes in place to make sure they’re following all the applicable procedures? Your GDPR program management office should be in charge of creating and maintaining a sustainable structure.

Now that I’ve outlined the things you may still need to do, I want to assure you that it is all doable. Just consider how you can leverage tools and processes you already have and add capabilities where you need them. I’ve seen plenty of organizations go through the process from beginning to end — and they’ve all survived to talk about it. There’s plenty of help available along your journey. Just remember to stop and ask for directions.


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
