Are we there yet? Or, more to the point, are you there yet?

Wait — which “there” are we talking about? Unless you’ve been hiding under a rock for the past year, you probably know that I’m talking about GDPR readiness. It’s likely you also know that GDPR enforcement begins on May 25 — which is less than 90 days away.

Over the past six months, Adam Nelson and I have been blogging about GDPR readiness. We’ve discussed the downside of procrastinating, the thinking behind the IBM Security GDPR framework, assessing your current GDPR readiness situation, designing your approach to transforming your organization’s practices and operationalizing your GDPR readiness plan. So it’s likely you have at least some idea by now about how to get there.

View IBM Security’s interactive guide to GDPR readiness

But how do you know if you’re actually there? When Adam wrote last month about operationalizing your GDPR readiness plan, he discussed the process of putting a plan into action. Once you’ve done that, you’re on your way to being ready to demonstrate that you’re doing all the things that GDPR says you need to do. In other words, being “there” means being able to show that you’re conforming with the regulation.

We’re talking about being able to provide evidence that you’re doing what you said you would do. For example, you should be ready to:

  • Prove that you’re observing data subject rights, and showing reports of the actual requests and proof of how and when they were fulfilled.
  • Show records of processing that illustrate how and where you obtained personal data and how it was handled throughout its life cycle — including how you disposed of it.
  • Offer evidence that you conducted a data protection impact assessment (DPIA) — which is required in cases where there is a high risk to the rights and freedoms of the data subject, but is additionally recommended as a best practice for all.

Proving Your GDPR Readiness

Once you’ve checked those boxes, you should also be prepared to prove your GDPR readiness as needed. It’s possible others may log complaints against your organization just to get you to show them your processes. Fortunately, IBM Security Guardium Vulnerability Assessment can help you in that area. It provides prepackaged tools, such as prebuilt templates for GDPR-specific groups, GDPR-specific policies and GDPR reports, all based on the IBM Security GDPR Framework. And IBM Guardium GDPR Accelerator can help you track and provide detailed audit trails on data subject access requests such as access to personal data and data rectification, erasure or transfer.

You should have some type of security reference architecture in place so you can show how you implement policies and put them into practice. And you will want to be able to show how you log incident response and reveal what your patching processes look like. In addition, implementing a security immune system can help provide a more holistic view of security threats by integrating threat information from a variety of sources and infusing analytics. You may also want to consider taking advantage of artificial intelligence (AI) to help augment security expertise.

Because GDPR is designed primarily to improve data privacy, you’ll notice that the larger fines apply to privacy violations. These include violating basic principles for processing under Articles 5, 6, 7 and 9, data subjects’ rights under Articles 12 through 22, and transfer of personal data to a recipient in a third country under Articles 44 through 49. That means you might want to pay extra-special attention to data subject access trails, data subject access requests and incident response. In fact, I’ve noticed that many organizations aren’t as focused on incident response as they should be, which could turn out to be a big mistake. For help in that area, you can check out the IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform, which offers a GDPR-specific template.

And let’s not forget about your vendors. Have they provided you with information about where they process their data, who touches it, and what technical and organizational measures (TOMs) they use? What’s more, have you told them what you require? You may want to take this opportunity to look over your vendor contracts to determine whether any of them need to be updated to include GDPR-related concerns.

It’s Not Too Late to Create a Sustainable GDPR Plan

Of course, I realize that some of you reading this may not be anywhere close to “there” yet. But while there’s not a lot of time left to get all the pieces in place, there is still time to put some key policies in place and create a sustainable program that you can build on. You can learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at ibm.com/gdpr.

View IBM Security’s interactive guide to GDPR readiness

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

Cost of a data breach: Cost savings with law enforcement involvement

3 min read - For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps…

Cost of data breaches: The business case for security AI and automation

3 min read - As Yogi Berra said, “It’s déjà vu all over again.” If the idea of the global average costs of data breaches rising year over year feels like more of the same, that's because it is. Data protection solutions get better, but so do threat actors. The other broken record is the underuse or misuse of technologies that can help safeguard data, such as artificial intelligence and automation.IBM’s 2024 Cost of a Data Breach (CODB) Report studied 604 organizations across 17…

Cost of a data breach: The industrial sector

2 min read - Industrial organizations recently received a report card on their performance regarding data breach costs. And there’s plenty of room for improvement.According to the 2024 IBM Cost of a Data Breach (CODB) report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.These figures place the industrial sector in third place for breach costs among the 17 industries studied. On average, data breaches cost industrial…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today