Is a mild sense of panic taking hold of some of your colleagues? The implementation of the long-awaited General Data Protection Regulation (or GDPR) is inching closer and closer, and discussions will invariably revolve around: “Where to start?”, “Where to go?”, “What will it cost?”

If you attend any GDPR event, typically everyone, whether privacy expert, Chief Privacy Officer, consultant or software seller, will answer these questions with “Conduct an assessment and set up a roadmap”. The exceptions are people who are trying to sell you the one-and-only tool you need to be “GDPR compliant”, which can easily lead to a siloed approach that misses essential components. Learn more about user access points and compliance risks.

So, the answer is a ‘Readiness Assessment’? Sure. Sounds good. However, it also feels somewhat generic. What is the actual value of such an assessment?

Conducting a readiness assessment is a way to ensure that the right measures (both organizational and technical) are taken and to get an idea about their effectiveness. Moreover, the benefits of such an assessment are that the processing organization (no matter if they are a data controller or data processor) is able to demonstrate which data protection capabilities are in place and what their status is. Read here about the key implications of GDPR.

The readiness assessment should be more than a checklist stating which capabilities are implemented. It should also identify the quality of the measures. Typically, stakeholders from various departments contribute during a series of workshops. These cross-organizational discussions help identify existing data protection capabilities as well as residual risks across various attributes such as principles, policies, process, procedures, standards, architecture and technologies.

Two examples:

Example 1: The readiness assessment will check if the organization implements privacy control mechanisms such as Privacy Impact Assessments (PIA) to proactively build privacy into systems and programs. Say the organization uses a formal PIA questionnaire that contains narrative questions and answers, and trains its IT project leaders to use the assessment as part of the systems development life cycle. Now, if it’s just about ticking off boxes on a checklist, one could say that this helps address Article 35 of the GDPR (“Data protection impact assessment”). However, does it actually help to get privacy by design into the way of working? Looking a bit deeper into the organization might reveal that, while the measure is in place, it is difficult to manage the accumulation of assessment documents and that the organization incurs significant operational costs. Among the recommended tasks for improvement would be to design and implement a PIA tool to replace the narrative questionnaire and to train privacy officers in the conduct and facilitation of the Privacy Impact Assessment process. Read two data security case studies here.

Example 2: The readiness assessment will check if the organization implements incident response capabilities for the event of a data breach. Let’s take as an example an organization with a medium to low profile. It has identified specific scenarios and assigned roles and responsibilities accordingly, has an existing escalation process for incidents and a communications plan including notice process requirements (for customers, employees and the supervisory authority), and has identified an incident mitigation process. While network and event monitoring with SIEM tooling is in place, the organization does not have a good view of database activities. An analysis might conclude that incident management scenarios are incomplete and that there are continued risks associated with the quality of incident management.

These examples illustrate that ticking off boxes won’t make an efficient data protection program. A careful analysis of the capabilities and remaining risks helps identify the necessary tasks to close the gaps. The budget owner gets a full view of both the operational risks and the benefits of implementing tasks to improve to a higher maturity level.

The roadmap resulting from such a readiness assessment marks the first step in changing the mindset within the organization in a way that makes privacy by design an integral part of working.

For more information on our GDPR Readiness Assessment, contact us here or get further information about IBM’s offerings here: The GDPR: It’s coming - and sooner than you think. Are you prepared?

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

IBM Security Services Benelux
