13/02/2017 | Written by: Rob Langhorst
Ever heard the old Chinese story of the blind men and the elephant that came to their town? Each checks out a different part of the animal, resulting in very different impressions of what they’re actually dealing with. A man with good eyesight takes them to feel the whole animal, making them realize that in fact it comprises many different parts. So what does this have to do with the new General Data Protection Regulation (GDPR) that’s heading our way? And how do we avoid being trampled by it?
Like the elephant in the story, GDPR is more than ‘just’ information security, data governance or training employees. It is complex and far-reaching legislation, comprising many components that touch organizations in numerous ways and at all levels. A comprehensive approach is required, taking all of its aspects into consideration. The assessment we developed can be a great help with that, whether your company has already begun tackling GDPR or is preparing its first moves. Download the infographics for the 5 key obligations.
The main goal of the assessment is to create a road map to prepare your organization for GDPR, looking at the five main areas of attention to determine what needs to be done. These areas are governance, people and communication, processes, data and security. The focus should be on where your company’s biggest risks are, making sure these issues are addressed first so that you meet the respective GDPR requirements by May 2018. Other less prominent issues will be tackled further along the way, to be finalized in the course of 2018.
The assessment begins with determining the main GDPR stakeholders in your organization per key area of attention. This is done together with the person responsible for data privacy in your organization (you may even already have a special data privacy officer in place). These stakeholders might be: representatives of the HR department, for communication, training and personnel data; of the marketing department, for protecting your brand and your customer data; and of the IT department, for security issues. Interviews and workshops will be planned with all of these people.
Checklists and accelerators ensure the effectiveness of the sessions. We developed materials like an overview of all GDPR requirements and measures, a list of all types of personal data, but also ready-to-use agendas to be customized for the different participants in the interviews or workshops.
This way things that could take weeks can be handled more quickly. During the workshops the GDPR requirements are weighed against the processes, norms and values of your company in a structured manner. The gaps and priorities found will lay the foundation for your roadmap.
There are two versions of the assessment. We call the first one ‘speed week’. This assessment takes just one week and is intended for companies that already have a GDPR compliance plan in place. Together we will look at your roadmap to determine how complete it is. This will result in recommendations on how to realize your goals, speed up the process and increase your chance of success. The other version, the full assessment, takes four to six weeks, depending on the number of stakeholders involved. It will address all five key areas and GDPR requirements. Both types of assessment will lead to a practical roadmap, in a short period of time, drawn up in close co-operation with your internal stakeholders and owned by your data privacy officer or designated individual.
Returning to the elephant at the start of my story: once you know what it looks like and what parts it comprises, you can decide on the best approach. Our assessment can help you do that, step by step and in a structured way. For reference, download the 5 key GDPR obligations. Interested? Just send an email to Alessio Civran.
IBM nominated as ICT service supplier – Computable Awards 2017
Privacy issues are changing and the new legislation is leading. In May 2018, the new GDPR legislation will become effective, with new requirements for processing personal data. IBM is one of the largest data processors and has acquired the necessary knowledge with previous privacy laws. This has resulted in a GDPR-specific architecture framework that IBM offers as a service. The main purpose of the GDPR assessment is a roadmap that prepares an organization for this GDPR legislation and tests risk factors in the client’s organization.
The complete jury report (in Dutch)
Vote for ICT service supplier of the year – IBM – Computable Awards 2017!
Note: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.