General Data Protection Regulation (GDPR)

What to expect from the GDPR readiness assessment

Is a mild sense of panic taking hold of some of your colleagues? The implementation of the long-awaited General Data Protection Regulation (or GDPR) is inching closer and closer, and discussions will invariably revolve around: “Where to start?”, “Where to go?”, “What will it cost?”.

If you attend any GDPR event, typically everyone, whether privacy expert, Chief Privacy Officer, consultant or software vendor, will answer these questions with “Conduct an assessment and set up a roadmap”. The exceptions are people trying to sell you the one-and-only tool you need to be “GDPR compliant”, which can easily lead to a silo approach that misses essential components. Get your personalised guide to GDPR readiness here.

So, the answer is a ‘Readiness Assessment’? Sure. Sounds good. However, it also feels somewhat generic. What is the actual value of such an assessment?

Conducting a readiness assessment is a way to ensure that the right measures (both organizational and technical) are taken and to get an idea about their effectiveness. Moreover, the benefits of such an assessment are that the processing organization (no matter if they are a data controller or data processor) is able to demonstrate which data protection capabilities are in place and what their status is. See how the IBM Security GDPR Framework can help you prepare for May 25.

The readiness assessment should be more than a checklist stating which capabilities are implemented. It should also identify the quality of the measures. Typically, stakeholders from various departments contribute during a series of workshops. These cross-organizational discussions help identify existing data protection capabilities as well as residual risks across various attributes such as principles, policies, process, procedures, standards, architecture and technologies.

Two examples:

Example 1: The readiness assessment will check if the organization implements privacy control mechanisms such as Privacy Impact Assessments (PIA) to proactively build privacy into systems and programs. Say the organization uses a formal PIA questionnaire that contains narrative questions and answers, and trains its IT project leaders to use the assessment as part of the systems development life cycle. Now, if it’s just about ticking off boxes on a checklist, one could say that this helps address Article 35 of the GDPR (“Data protection impact assessment”). However, does it actually help get privacy by design into the way of working? Looking a bit deeper into the organization might reveal that while the measure is in place, it is difficult to manage the accumulation of assessment documents and that the organization incurs significant operational costs. Among the recommended tasks for improvement would be to design and implement a PIA tool to replace the narrative questionnaire and to train privacy officers in the conduct and facilitation of the Privacy Impact Assessment process. Get your Personalized GDPR To-Do List here.

Example 2: The readiness assessment will check if the organization implements incident response capabilities for the event of a data breach. Let’s take as an example an organization with a medium to low profile. It has identified specific scenarios and assigned roles and responsibilities accordingly, has an existing escalation process for incidents, a communications plan including notice process requirements (for customers, employees and the supervisory authority), and has identified an incident mitigation process. While network and event monitoring with SIEM tooling is in place, the organization does not have a good view of database activity. An analysis might conclude that incident management scenarios are incomplete and that there are continued risks associated with the quality of incident management.

These examples illustrate that ticking off boxes won’t make an efficient data protection program. A careful analysis of the capabilities and remaining risks helps identify the necessary tasks to close the gaps. The budget owner gets a full view on both operational risks and benefits of implementing tasks to improve to a higher maturity level.

The roadmap resulting from such a readiness assessment marks the first step in changing the mindset within the organization so that privacy by design becomes an integral part of the way of working.

For more information on our GDPR Readiness Assessment, contact us here or get further information about IBM’s GDPR approach and offerings in this paper.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

IBM Security Services Benelux
