Are we there yet? Or, more to the point, are you there yet?

Wait — which “there” are we talking about? Unless you’ve been hiding under a rock for the past year, you probably know that I’m talking about GDPR readiness. It’s likely you also know that GDPR enforcement begins on May 25 — which is less than 90 days away.

Over the past six months, Adam Nelson and I have been blogging about GDPR readiness. We’ve discussed the downside of procrastinating, the thinking behind the IBM Security GDPR framework, assessing your current GDPR readiness situation, designing your approach to transforming your organization’s practices and operationalizing your GDPR readiness plan. So it’s likely you have at least some idea by now about how to get there.

View IBM Security’s interactive guide to GDPR readiness

But how do you know if you’re actually there? When Adam wrote last month about operationalizing your GDPR readiness plan, he discussed the process of putting a plan into action. Once you’ve done that, you’re on your way to being ready to demonstrate that you’re doing all the things that GDPR says you need to do. In other words, being “there” means being able to show that you’re conforming with the regulation.

We’re talking about being able to provide evidence that you’re doing what you said you would do. For example, you should be ready to:

  • Prove that you’re observing data subject rights, and show reports of the actual requests along with proof of how and when they were fulfilled.
  • Show records of processing that illustrate how and where you obtained personal data and how it was handled throughout its life cycle — including how you disposed of it.
  • Offer evidence that you conducted a data protection impact assessment (DPIA) — which is required in cases where there is a high risk to the rights and freedoms of the data subject, but is additionally recommended as a best practice for all.

Proving Your GDPR Readiness

Once you’ve checked those boxes, you should also be prepared to prove your GDPR readiness as needed. It’s possible others may log complaints against your organization just to get you to show them your processes. Fortunately, IBM Security Guardium Vulnerability Assessment can help you in that area. It provides prepackaged tools, such as prebuilt templates for GDPR-specific groups, GDPR-specific policies and GDPR reports, all based on the IBM Security GDPR Framework. And IBM Guardium GDPR Accelerator can help you track and provide detailed audit trails on data subject access requests such as access to personal data and data rectification, erasure or transfer.

You should have some type of security reference architecture in place so you can show how you implement policies and put them into practice. And you will want to be able to show how you log incident response and reveal what your patching processes look like. In addition, implementing a security immune system can help provide a more holistic view of security threats by integrating threat information from a variety of sources and infusing analytics. You may also want to consider taking advantage of artificial intelligence (AI) to help augment security expertise.

Because GDPR is designed primarily to improve data privacy, you’ll notice that the larger fines apply to privacy violations. These include violating basic principles for processing under Articles 5, 6, 7 and 9, data subjects’ rights under Articles 12 through 22, and transfer of personal data to a recipient in a third country under Articles 44 through 49. That means you might want to pay extra-special attention to data subject access trails, data subject access requests and incident response. In fact, I’ve noticed that many organizations aren’t as focused on incident response as they should be, which could turn out to be a big mistake. For help in that area, you can check out the IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform, which offers a GDPR-specific template.

And let’s not forget about your vendors. Have they provided you with information about where they process their data, who touches it, and what technical and organizational measures (TOMs) they use? What’s more, have you told them what you require? You may want to take this opportunity to look over your vendor contracts to determine whether any of them need to be updated to include GDPR-related concerns.

It’s Not Too Late to Create a Sustainable GDPR Plan

Of course, I realize that some of you reading this may not be anywhere close to “there” yet. But while there’s not a lot of time left to get all the pieces in place, there is still time to put some key policies in place and create a sustainable program that you can build on. You can learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at ibm.com/gdpr.


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
