What to expect from the GDPR readiness assessment

Share this post:

Is a mild sense of panic taking hold of some of your colleagues? The implementation of the long-awaited General Data Protection Regulation (or GDPR) is inching closer and closer, and discussions will invariably revolve around: “Where to start?”, “Where to go?”, “What will it cost?”

If you attend any GDPR event, typically everyone, no matter if privacy expert, Chief Privacy Officer, consultant or software seller, will answer these questions with “Conduct an assessment and set up a roadmap”. Exceptions are people that are trying to sell you the one-and-only tool you need to be “GDPR compliant” which can easily lead to a silo approach missing essential components. Learn more about user access points and compliance risks.

So, the answer is a ‘Readiness Assessment’? Sure. Sounds good. However, it also feels somewhat generic. What is the actual value of such an assessment?

Conducting a readiness assessment is a way to ensure that the right measures (both organizational and technical) are taken and to get an idea about their effectiveness. Moreover, the benefits of such an assessment are that the processing organization (no matter if they are a data controller or data processor) is able to demonstrate which data protection capabilities are in place and what their status is. Read here about the key implications of GDPR.

The readiness assessment should be more than a checklist stating which capabilities are implemented. It should also identify the quality of the measures. Typically, stakeholders from various departments contribute during a series of workshops. These cross-organizational discussions help identify existing data protection capabilities as well as residual risks across various attributes such as principles, policies, process, procedures, standards, architecture and technologies.

Two examples:

Example 1: The readiness assessment will check if the organization implements privacy control mechanisms such as Privacy Impact Assessments (PIA) to pro-actively build privacy into systems and programs. Say, the organization uses a formal PIA questionnaire that contains narrative questions and answers and trains their IT project leaders to use the assessment as part of the systems development life cycle. Now, if it’s just about ticking off boxes on a checklist, one could say that this helps address Article 35 of the GDPR (“Data protection impact assessment”). However, does it actually help getting privacy by design into the way of working? Looking a bit deeper into the organization might identify that while the measure is in place, it is difficult to manage the accumulation of assessment documents and that the organization incurs significant operational costs. Among the recommended tasks for improvement would be to design and implement a PIA tool to replace the narrative questionnaire and to train privacy officers in the conduct and facilitation of the Privacy Impact Assessment process. Read two data security case studies here.

Example 2: The readiness assessment will check if the organization implements incident response capabilities for the event of a data breach. Let’s take as an example an organization with a medium to low profile. It has identified specific scenarios and assigned roles and responsibilities accordingly, has an existing escalation process for incidents, a communications plan including notice process requirements (for customers, employees and the supervisory authority) and identified an incident mitigation process. While network and event monitoring with SIEM tooling is in place, the organization does not have a good view on database activities. An analysis might conclude that incident management scenarios are incomplete and that there are continued risks associated with the quality of incident management.

These examples illustrate that ticking off boxes won’t make an efficient data protection program. A careful analysis of the capabilities and remaining risks helps identify the necessary tasks to close the gaps. The budget owner gets a full view on both operational risks and benefits of implementing tasks to improve to a higher maturity level.

The roadmap resulting from such a readiness assessment marks the first step to change the mind set within the organization in a way that makes privacy by design an integral part of working.

For more information on our GDPR Readiness Assessment, contact us here or get further information about IBM’s offerings here: The GDPR: It’s coming -and sooner than you think. Are you prepared?

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsibility for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.