Are we there yet? Or, more to the point, are you there yet?

Wait — which “there” are we talking about? Unless you’ve been hiding under a rock for the past year, you probably know that I’m talking about GDPR readiness. It’s likely you also know that GDPR enforcement begins on May 25 — which is less than 90 days away.

Over the past six months, Adam Nelson and I have been blogging about GDPR readiness. We’ve discussed the downside of procrastinating, the thinking behind the IBM Security GDPR framework, assessing your current GDPR readiness situation, designing your approach to transforming your organization’s practices and operationalizing your GDPR readiness plan. So it’s likely you have at least some idea by now about how to get there.

View IBM Security’s interactive guide to GDPR readiness

But how do you know if you’re actually there? When Adam wrote last month about operationalizing your GDPR readiness plan, he discussed the process of putting a plan into action. Once you’ve done that, you’re on your way to being ready to demonstrate that you’re doing all the things that GDPR says you need to do. In other words, being “there” means being able to show that you’re conforming with the regulation.

We’re talking about being able to provide evidence that you’re doing what you said you would do. For example, you should be ready to:

  • Prove that you’re observing data subject rights, and showing reports of the actual requests and proof of how and when they were fulfilled.
  • Show records of processing that illustrate how and where you obtained personal data and how it was handled throughout its life cycle — including how you disposed of it.
  • Offer evidence that you conducted a data protection impact assessment (DPIA) — which is required in cases where there is a high risk to the rights and freedoms of the data subject, but is additionally recommended as a best practice for all.

Proving Your GDPR Readiness

Once you’ve checked those boxes, you should also be prepared to prove your GDPR readiness as needed. It’s possible others may log complaints against your organization just to get you to show them your processes. Fortunately, IBM Security Guardium Vulnerability Assessment can help you in that area. It provides prepackaged tools, such as prebuilt templates for GDPR-specific groups, GDPR-specific policies and GDPR reports, all based on the IBM Security GDPR Framework. And IBM Guardium GDPR Accelerator can help you track and provide detailed audit trails on data subject access requests such as access to personal data and data rectification, erasure or transfer.

You should have some type of security reference architecture in place so you can show how you implement policies and put them into practice. And you will want to be able to show how you log incident response and reveal what your patching processes look like. In addition, implementing a security immune system can help provide a more holistic view of security threats by integrating threat information from a variety of sources and infusing analytics. You may also want to consider taking advantage of artificial intelligence (AI) to help augment security expertise.

Because GDPR is designed primarily to improve data privacy, you’ll notice that the larger fines apply to privacy violations. These include violating basic principles for processing under Articles 5, 6, 7 and 9, data subjects’ rights under Articles 12 through 22, and transfer of personal data to a recipient in a third country under Articles 44 through 49. That means you might want to pay extra-special attention to data subject access trails, data subject access requests and incident response. In fact, I’ve noticed that many organizations aren’t as focused on incident response as they should be, which could turn out to be a big mistake. For help in that area, you can check out the IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform, which offers a GDPR-specific template.

And let’s not forget about your vendors. Have they provided you with information about where they process their data, who touches it, and what technical and organizational measures (TOMs) they use? What’s more, have you told them what you require? You may want to take this opportunity to look over your vendor contracts to determine whether any of them need to be updated to include GDPR-related concerns.

It’s Not Too Late to Create a Sustainable GDPR Plan

Of course, I realize that some of you reading this may not be anywhere close to “there” yet. But while there’s not a lot of time left to get all the pieces in place, there is still time to put some key policies in place and create a sustainable program that you can build on. You can learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at ibm.com/gdpr.

View IBM Security’s interactive guide to GDPR readiness

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today