Light Dark
February 5, 2018 By Adam Nelson 3 min read
Data Protection

At last, it’s time to flip the switch.

In our three most recent blog posts in this series, we’ve been leading up to this moment, discussing everything from assessing your current GDPR readiness situation and designing your approach to transforming your organization’s practices. And now we’re ready to talk about the Operationalize phase of the IBM Security GDPR framework.

Operationalizing Your GDPR Readiness Plan

If the prospect of putting all the gears in motion makes you a little apprehensive, you can rest assured you’re not alone. So take a few moments to think about everything you’ve accomplished up to this point in your GDPR readiness journey, and it’s likely you’ll realize that this is simply the next logical step in the process.

That said, I’d like to offer some suggestions to help make the transition go as smoothly and successfully as possible.

Communicate

It may sound obvious, but you really do need to let everyone know what’s changing — and why. Try to keep your explanation as simple and straightforward as possible. And remind everyone that while you’ve tested and refined the processes and procedures as much as possible, there may still be a few glitches along the way. So let them know that their patience will be much appreciated.

Monitor

Have a plan in place for keeping track of how everything is going. It’s one of the best ways to keep small problems from becoming big ones.

Adjust

One obvious result of your monitoring is that you may need to change things here and there. But because you likely have already tested most of your new systems, processes and procedures (and you have been doing that, right?), we’re really talking about making fairly small adjustments here — and not significant changes.

Measure

It shouldn’t come as a surprise to learn that you’re going to need to track your GDPR program’s performance — and measure its success. Decide what you need to measure and then make sure you’re getting reliable (and verifiable) data. For example, you’ll probably want to track the number of:

  • Data protection officers you have in place;
  • People you’ve trained;
  • Data transfers you’ve completed;
  • Data subject access requests you’ve received and fulfilled; and
  • Breaches or incidents you’ve experienced (if any).

Having ready access to that information could be very helpful if regulators come knocking at your door. And one more thing: Remember to check in with your executive team to make sure they’re getting the metrics they need as well.

Manage

Whether you’re dealing with 1,000 data subjects or hundreds of thousands, we recommend creating a privacy management office to manage data governance and overall data use. Ideally, you should consider having a system in place for creating and tracking “unique person identifiers” that provide a single point of focus for any one of your data subjects. This can be managed by the privacy team, IT or a separate data protection team.

Accept Reality

What are the odds that the regulators will show up at your door? That’s an impossible question to answer. But I can venture an educated guess that many organizations won’t be fully GDPR-ready by May 25. Still, it makes sense to strive for as much readiness as you can muster.

One More Stop to Go on Your GDPR Readiness Journey

And remember that your GDPR journey doesn’t end here. The fifth and final phase of the IBM Security GDPR framework focuses on conforming, which includes effectively managing your controller/processor relationships and demonstrating that you’ve implemented technical and organizational measures to ensure that appropriate security controls are in place. We’ll be discussing those topics next.

In the meantime, learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at ibm.com/gdpr.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

 |  |  |  |  | 
Adam Nelson
Associate Partner, IBM Security Services

More from Data Protection
January 27, 2025

How secure are green data centers? Consider these 5 trends

4 min read - As organizations increasingly measure environmental impact towards their sustainability goals, many are focusing on their data centers.KPMG found that the majority of the top 100 companies measure and report on their sustainability efforts. Because data centers consume a large amount of energy, Gartner predicts that by 2027, three in four organizations will have implemented a data center sustainability program, which often includes implementing a green data center.“Responsibilities for sustainability are increasingly being passed down from CIOs to infrastructure and operations…

January 21, 2025

Why maintaining data cleanliness is essential to cybersecurity

3 min read - Data, in all its shapes and forms, is one of the most critical assets a business possesses. Not only does it provide organizations with critical information regarding their systems and processes, but it also fuels growth and enables better decision-making on all levels.However, like any other piece of company equipment, data can degrade over time and become less valuable if organizations aren’t careful. What’s even more dangerous is that neglecting data hygiene can expose organizations to a number of security…

January 3, 2025

Router reality check: 86% of default passwords have never been changed

4 min read - Misconfigurations remain a popular compromise point — and routers are leading the way.According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using "admin" and "password" as credentials?It's time for a router reality check.Rising router risksRouters…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature