Are we there yet? Or, more to the point, are you there yet?

Wait — which “there” are we talking about? Unless you’ve been hiding under a rock for the past year, you probably know that I’m talking about GDPR readiness. It’s likely you also know that GDPR enforcement begins on May 25 — which is less than 90 days away.

Over the past six months, Adam Nelson and I have been blogging about GDPR readiness. We’ve discussed the downside of procrastinating, the thinking behind the IBM Security GDPR framework, assessing your current GDPR readiness situation, designing your approach to transforming your organization’s practices and operationalizing your GDPR readiness plan. So it’s likely you have at least some idea by now about how to get there.

View IBM Security’s interactive guide to GDPR readiness

But how do you know if you’re actually there? When Adam wrote last month about operationalizing your GDPR readiness plan, he discussed the process of putting a plan into action. Once you’ve done that, you’re on your way to being ready to demonstrate that you’re doing all the things that GDPR says you need to do. In other words, being “there” means being able to show that you’re conforming with the regulation.

We’re talking about being able to provide evidence that you’re doing what you said you would do. For example, you should be ready to:

  • Prove that you’re observing data subject rights, and showing reports of the actual requests and proof of how and when they were fulfilled.
  • Show records of processing that illustrate how and where you obtained personal data and how it was handled throughout its life cycle — including how you disposed of it.
  • Offer evidence that you conducted a data protection impact assessment (DPIA) — which is required in cases where there is a high risk to the rights and freedoms of the data subject, but is additionally recommended as a best practice for all.

Proving Your GDPR Readiness

Once you’ve checked those boxes, you should also be prepared to prove your GDPR readiness as needed. It’s possible others may log complaints against your organization just to get you to show them your processes. Fortunately, IBM Security Guardium Vulnerability Assessment can help you in that area. It provides prepackaged tools, such as prebuilt templates for GDPR-specific groups, GDPR-specific policies and GDPR reports, all based on the IBM Security GDPR Framework. And IBM Guardium GDPR Accelerator can help you track and provide detailed audit trails on data subject access requests such as access to personal data and data rectification, erasure or transfer.

You should have some type of security reference architecture in place so you can show how you implement policies and put them into practice. And you will want to be able to show how you log incident response and reveal what your patching processes look like. In addition, implementing a security immune system can help provide a more holistic view of security threats by integrating threat information from a variety of sources and infusing analytics. You may also want to consider taking advantage of artificial intelligence (AI) to help augment security expertise.

Because GDPR is designed primarily to improve data privacy, you’ll notice that the larger fines apply to privacy violations. These include violating basic principles for processing under Articles 5, 6, 7 and 9, data subjects’ rights under Articles 12 through 22, and transfer of personal data to a recipient in a third country under Articles 44 through 49. That means you might want to pay extra-special attention to data subject access trails, data subject access requests and incident response. In fact, I’ve noticed that many organizations aren’t as focused on incident response as they should be, which could turn out to be a big mistake. For help in that area, you can check out the IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform, which offers a GDPR-specific template.

And let’s not forget about your vendors. Have they provided you with information about where they process their data, who touches it, and what technical and organizational measures (TOMs) they use? What’s more, have you told them what you require? You may want to take this opportunity to look over your vendor contracts to determine whether any of them need to be updated to include GDPR-related concerns.

It’s Not Too Late to Create a Sustainable GDPR Plan

Of course, I realize that some of you reading this may not be anywhere close to “there” yet. But while there’s not a lot of time left to get all the pieces in place, there is still time to put some key policies in place and create a sustainable program that you can build on. You can learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at

View IBM Security’s interactive guide to GDPR readiness

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read