Carla Arend (Lead analyst European Cloud Research )

With the GDPR deadline of 25 May 2018 fast approaching, will you be compliant when the regulators come knocking? It could be close: while 43% of organizations surveyed by IDC believe they will be ready in May this  year, almost the same number (40%) are not sure that they will make it in time. That’s a lot of organizations taking what could be a big risk.

Hopefully, your GDPR journey is well underway, because it’s only when you start your GDPR journey that you realize how complex a task it is – and how it affects all aspects of the organizations, from top to bottom. Management and support is critical, but so is employee awareness and training, process mapping and improvements to technology. It’s all about getting an overview of your data landscape – and managing data tightly.

Here are 6 critical things that are critical for GDPR compliance:

  • Identify personal data in your organization, map which applications and workflows are using it, and where it lives. Make sure you include cloud services and externally hosted data and applications!
  • Then, conduct a Privacy Impact assessment to understand the risks associated with the data you are using.
  • Carefully document your meetings and decisions, to prove you are taking GDPR compliance seriously and you’re on the right track. You also need to document your understanding of state-of-the-art technologies and why you chose the technology you implemented.
  • Start auditing your suppliers, to make sure you don’t have a weak link in your supply chain. Create a questionnaire that you send out – and document the answers.
  • Create an incident response plan including a communications plan, so that you know exactly what to do, when – not if! you have a data breach. Yes, it will happen, and you have
  • to be ready for it. This will enable you to meet the 72-hour notification deadline and to avoid reputational damage – and possible financial penalties.
  • Create a strong consent management process.
    If you want to use personal data, you need to articulate the use cases very clearly, and get clear consent for each use case. When the use case expires, you must delete the data.

If you’d like to know more about IDC’s research on GDPR and cloud, contact Carla Arend (


***Please note that IDC does not provide legal advice***