What to expect from the GDPR readiness assessment


Is a mild sense of panic taking hold of some of your colleagues? The implementation of the long-awaited General Data Protection Regulation (or GDPR) is inching closer and closer, and discussions will invariably revolve around: “Where to start?”, “Where to go?”, “What will it cost?”.

If you attend any GDPR event, almost everyone, whether privacy expert, Chief Privacy Officer, consultant or software vendor, will answer these questions with “Conduct an assessment and set up a roadmap”. The exceptions are people trying to sell you the one and only tool you need to be “GDPR compliant”, which can easily lead to a siloed approach that misses essential components. Get your personalised guide to GDPR readiness here.

So, the answer is a ‘Readiness Assessment’? Sure. Sounds good. However, it also feels somewhat generic. What is the actual value of such an assessment?

Conducting a readiness assessment is a way to ensure that the right measures (both organizational and technical) are taken and to get an idea of their effectiveness. Moreover, such an assessment lets the processing organization (whether it is a data controller or a data processor) demonstrate which data protection capabilities are in place and what their status is. See how the IBM Security GDPR Framework can help you prepare for May 25.

The readiness assessment should be more than a checklist stating which capabilities are implemented. It should also identify the quality of the measures. Typically, stakeholders from various departments contribute during a series of workshops. These cross-organizational discussions help identify existing data protection capabilities as well as residual risks across various attributes such as principles, policies, process, procedures, standards, architecture and technologies.

Two examples:

Example 1: The readiness assessment will check whether the organization implements privacy control mechanisms such as Privacy Impact Assessments (PIA) to proactively build privacy into systems and programs. Say the organization uses a formal PIA questionnaire that contains narrative questions and answers and trains its IT project leaders to use the assessment as part of the systems development life cycle. If it is just about ticking boxes on a checklist, one could say that this helps address Article 35 of the GDPR (“Data protection impact assessment”). However, does it actually help get privacy by design into the everyday way of working? Looking a bit deeper into the organization might reveal that, while the measure is in place, the accumulation of assessment documents is difficult to manage and the organization incurs significant operational costs. Among the recommended tasks for improvement would be to design and implement a PIA tool to replace the narrative questionnaire and to train privacy officers in conducting and facilitating the Privacy Impact Assessment process. Get your Personalized GDPR To-Do List here.

Example 2: The readiness assessment will check whether the organization implements incident response capabilities for the event of a data breach. Take as an example an organization with a medium to low profile. It has identified specific scenarios and assigned roles and responsibilities accordingly, has an existing escalation process for incidents, a communications plan including notification requirements (for customers, employees and the supervisory authority), and has identified an incident mitigation process. While network and event monitoring with SIEM tooling is in place, the organization does not have good visibility into database activity. An analysis might conclude that the incident management scenarios are incomplete and that there are continuing risks associated with the quality of incident management.

These examples illustrate that ticking boxes won’t make for an effective data protection program. A careful analysis of the capabilities and remaining risks helps identify the tasks needed to close the gaps. The budget owner gets a full view of both the operational risks and the benefits of implementing tasks that raise the program to a higher maturity level.

The roadmap resulting from such a readiness assessment is the first step toward changing the mindset within the organization so that privacy by design becomes an integral part of everyday work.

For more information on our GDPR Readiness Assessment, contact us here or get further information about IBM’s GDPR approach and offerings in this paper.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

IBM Security Services Benelux
