GDPR is now in full force

So is the hype over, or is the story only just beginning?

After literally hundreds of conversations with companies at differing stages of readiness for GDPR, we have seen a pattern emerge which reflects a three-phased approach for readiness over the next months and years. These observations come from all sectors - public, private and not-for-profit - and span most of the EU member states.

Phase 1. Getting across the line

For the majority of organisations, the main focus for the past months has been ‘getting across the line’: data mapping; privacy impact assessments; data protection impact assessments; Article 30 reporting; breach notifications and subject access requests; for example. With some notable exceptions, the GDPR compliance journey got off to a slow start. There was excessive reliance on spreadsheets and a lack of clarity surrounding the purpose of the exercise. A plethora of quick and dirty tools and ‘GDPR compliance in a day’ type services emerged. Organisations with spreadsheet-based approaches realised that they were grinding to a halt as the size of the task became apparent. But whilst some may think they have crossed the finishing line, 25th May is only the starting line. Which brings us onto the second phase…

Phase 2. Business as usual

or taking GDPR in your stride. Let’s assume you have done what it takes to get across the line and that you have a reasonable level of confidence in your readiness for GDPR. What did it take? How much did it cost? What about this year, next year and the years after that? If you haven’t already acquired or developed a tool to make GDPR BAU then now is the time to do so. One word of caution though – do it well, do it once!

Phase 3. Strategic direction

Once everything GDPR is running well and your organisation is operating normally again, what next? This phase may have its roots in phase 2, but now we are talking about truly integrating GDPR with everything else.

• Is my data protection for GDPR part of my overall protection?
• Can I merge my compliance with other standards, eg PSDII, ISO27001, PCI?
• Can I introduce continuous testing of controls?
• How do I risk assess mergers and acquisitions;
• gain competitive advantage from being ahead of the curve;
• or obtain cheaper cyber insurance premiums?

These and many other strategic drivers come into play for different organisations and they differ for each. If you need help to make GDPR business as usual then we will be pleased to hear from you.

Proteus-Cyber's Proteus® GDPReady™ software can help you:

• Perform enterprise wide online audits against the
  REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
• Guides you through the process with an integrated project plan
• Easily survey the business for processes using personal data
• Maintain a process/data mapping register (Article 30)
• Report your levels of compliance against the regulation
• Breach notification (Article 33)
• Identify non compliances and manage them with project plans
• Perform data privacy impact assessments (PIAa/DPIAs)
• Perform risk assessments against business processes with pre defined threats and vulnerabilities
• Cross reference your documents and controls against your business processes
• Graphically view your data flows across international borders
• Audit your 3rd party data processors and make sure those suppliers are protecting your data properly