Countdown to GDPR: are you ready to create opportunity from change?

By Steve Norledge

How much do you know about the personal data your business gathers? This subject is likely to be high on your to-do list right now, not least because the new General Data Protection Regulation (GDPR) is just around the corner: companies must be compliant by 25 May 2018 or risk hefty fines. But only 40% of UK companies have started compliance efforts so far, and 15% of UK IT pros say they have no plans to prepare for the GDPR in the next 12 months at all, according to a recent survey from Spiceworks(1).

Are you confident in your organisation’s ability to adapt to GDPR?

Download and read 'IBM's Pathways to GDPR Readiness' white paper.

Designed to give individuals more control of their personal data, GDPR essentially brings data protection regulation up to date with a world in which we are all sharing more and more information – knowingly or not – through social media, personalised apps and location-tracking technology. Many people currently have no idea how much of their own data is being processed by corporations, why, and what the consequences might be.

The weight of the coming regulation falls heavily on the CIO because the way technology is implemented has a significant impact on how data can be managed and protected. But it cuts through every part of the organisation – from governance and processes to security and customer and vendor engagement.

Far from seeing the upcoming shifts as a burden, CIOs should approach them as an opportunity: both to improve their brand value in the marketplace and to improve their business value by making operational improvements.

Grabbing the opportunities

A recent survey by KPMG(2) discovered that although attitudes to privacy vary depending on the data type, usage and consumer location, on average 56% of respondents felt “concerned” or “extremely concerned” about how companies were using their personal data. That's a shocking statistic when we consider how important trust is to building brand equity; smart CIOs will grasp this opportunity to build that trust.

The topic of privacy and data protection is getting hotter by the day, and individuals’ expectations of how their data is treated are set to rise. Companies that can go beyond the basics to create intuitive, elegant and engaging ways to talk to customers about their data can build trust in their brand. Trust can translate into customer retention and acquisition and, ultimately, top-line growth.

On a practical level, the inevitable upheaval to cross-business policies and processes ahead of May 2018 brings with it opportunities to do some housekeeping – to create operational efficiencies and address potentially costly security risks that the business may have been putting off for years.

Taking action

With only one budgetary cycle between now and May 2018, most CIOs will have a reasonable grasp of the task ahead. But many are yet to act. If it feels overwhelming, the following three steps can help to focus your plans:

  1. Get a clear view of how your current policies compare with the requirements of GDPR. You may find you have some good foundational capabilities, as well as many gaps. Assess the risk level of each gap, then choose to focus your resources on the highest-risk areas.
  2. Understand the lifecycle of the personal data you currently manage. How is personal data gathered? Where is it stored? How is it processed? What is the legal basis for that processing? This is particularly important for unstructured data, which is often a grey area but is still subject to GDPR.
  3. Create a program to fix the priority gaps identified in step 1, potentially building in plans to address Consent or automate responses to Data Subject Access Requests from individuals, which GDPR requires within 30 days per request. Put yourself in your customers’ shoes: how would you like the business to communicate with you?

Sharing the load

CIOs can’t tackle all this alone; they must get the business on board and excited about the potential opportunities that will follow a smart approach to GDPR. CIOs may want to get recognition and sponsorship at the board level first and foremost, then establish a steering committee that cuts across the entire organisation to include legal, HR, a data protection officer, the people who manage and benefit from the data, IT and security.

The cost and effort required will vary from company to company, depending on your starting point. The key thing is to approach the changes in a practical – and optimistic – way, and not to try to fix everything at once.

With its deep heritage helping companies to transform their operations, IBM is perfectly positioned to help CIOs address their level of readiness and design an effective GDPR program. IBM can help map the data lifecycle and design programs to change the way organisations interact with individuals, and recommend GDPR-compliant technologies that manage, govern and protect an individual’s data.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

1. Phil Muncaster, UK/EMEA News Reporter, Infosecurity Magazine, 27 June 2017.

2. Crossing the line: Staying on the right side of consumer privacy. KPMG, January 2017.