Top 4 things that an organization needs to do when getting ready for GDPR


Christer Jansson

October 12, 2017

EU General Data Protection Regulation (GDPR) compliance is a huge topic, embracing legal, technology, process, strategy, and marketing. The data protection component is just one part of the bigger picture. As an IT organization, Capgemini isn’t in the business of auditing or providing legal advice on your GDPR position. Instead, we are one of the few companies with an end-to-end portfolio of services and solutions that give clients the practical capacity to manage and safeguard their data in line with GDPR requirements.

During the journey to adhere to GDPR, many organizations run into challenges and have difficulty knowing how to “prove” that personal data is protected. The four things that organizations need to do are:

  • Transform their governance and practices (new roles and processes)
  • Protect both structured and unstructured data all along their life cycle
  • Detect and notify your data breaches and leaks (report within 72 hours)
  • Reduce IT (and security) costs (by, for example, deploying digital/cloud services, relying on global/trusted partners)

Capgemini has the experience and knowledge to help clients through their journey towards GDPR, and we already have lessons learned for most of the challenges and difficulties one may encounter. We know how to assist and advise any organization that struggles to find a way to provide evidence consistent with the GDPR requirements. Unlike a directive, the regulation does not require any legislation to be passed by a national government, meaning it will be in force in May 2018, regardless of whether the European nations are ready or not. Let us dig deeper into the four things all organizations must do:

Transform your governance and practices  

Even though the GDPR is all about protecting personal data, it will also affect the way we work compared with how we work today. Since GDPR was approved and adopted by the EU Parliament in April 2016, not much has happened with regard to organizational changes to current governance and practices. In some organizations, a DPO (data protection officer) has been appointed, merely in the false belief that “now we have someone in place so we should be good.” In fact, a DPO is not necessarily needed.

According to GDPR requirements, a DPO must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO, but I would advise all larger organizations to evaluate the benefits of having one focal point who truly understands GDPR and the business impact a breach would have. Governance can be performed automatically with ,where a CRO (chief risk officer), or someone in a similar role such as a HOC (head of compliance), can have 24/7 access to the current status of the organization’s adherence to GDPR in the form of an online dashboard, to help the DPO.

Protect both structured and unstructured data

Information gathered and stored is (usually) classified as either structured or unstructured. The former is data stored in fields in a database, and the latter normally takes one of eight forms: e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages, and any other kinds of business documents. Even though these sorts of files may have an internal structure, they are still considered “unstructured” because the data they contain doesn’t fit neatly in a database.

In addition to structured and unstructured data, there’s also a third category: semi-structured data. Semi-structured data is information that doesn’t reside in a relational database but that does have some organizational properties that make it easier to analyze. Examples of semi-structured data might include XML documents and No-SQL databases.

Structured data is mostly protected by encryption, with clear separation of access based on “need-to-know” and clear ownership and delegation of encryption keys. Unstructured (and semi-structured) data, however, is harder to discover and so does not have the same rigorous protection. An organization’s best way to ensure that structured, semi-structured and unstructured data is managed in adherence to data protection laws is through different software tools. Examples of such software tools include:

Big data tools—Software like Hadoop can process stores of both unstructured and structured data that are extremely large, very complex and changing rapidly.

Business intelligence software—Also known as BI, business intelligence is a broad category of analytics, data mining, dashboards and reporting tools that help companies make sense of their structured and unstructured data for the purpose of making better business decisions.

Data integration tools—These tools combine data from disparate sources so that they can be viewed or analyzed from a single application. They sometimes include the capability to unify structured and unstructured data.

Document management systems—Also called enterprise content management systems, a DMS can track, store and share unstructured data that is saved in the form of document files.

Information management solutions—This type of software tracks structured and unstructured enterprise data throughout its lifecycle.

Search and indexing tools—These tools retrieve information from unstructured data files such as documents, web pages and photos.

Detect and notify your data breaches and leaks

A change towards new technologies, as I outlined above, will also change the overall governance and how we practice compliance inside organizations. It will enable the organization to print and save a timestamp of GDPR adherence, and it will also enable any organization to detect and report (within 72 hours) any breach “that may pose a risk to individuals,” which is clearly needed evidence in order to meet the intent of the new regulation. This will be key to enabling any organization to detect and report a data breach in an effective way; however, resilience is also dependent on people/staff, who must be trained to handle a data breach in time. In conclusion, changing the way we work is not only a recommendation, it is a crucial must, and “resistance is fugitive.”

Reduce IT (and security) costs

After initial data assessments, each organization needs to make a strategic decision about what data it needs to keep collecting and storing and what data is irrelevant for the organization and no longer needed, and to discover where data resides, before it can choose the software tool that best fits the organization’s data protection needs. The less data needed, the lower the cost will be for processing, storing, detection, management, governance, and erasure of the organization’s information.

Capgemini helps clients to reduce IT (and security) costs through our strong cybersecurity divisions of more than 3,000 cybersecurity specialists, including architects, assessors, and specialists in security, forensics and data protection, where we consult with each organization to define the ideal approach and choice of tools, to ensure the best ROI (return on investment). We have the capabilities and partnerships with the world’s best service providers for protecting sensitive data for any organization, whether small, medium, large, regional or global-sized.

Follow the link to find details about GDPR and references. For further discussions, please reach out by leaving a comment in the form below and we will contact you shortly.

This article was written by Christer Jansson from CapGemini Blog and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to
