The long-awaited EU General Data Protection Regulation (GDPR) is only a few months away and for many organizations, there still is a big question over how best to begin a GDPR preparation campaign and what key areas to focus on. Up until now, organizations have not addressed their data protection and privacy vulnerabilities in a consistent way. However, the arrival of the GDPR places a much higher importance on visibly protecting confidential information, significantly greater requirements that need to be met and much stricter penalties should an organization experience a breach.

This new regulation is certainly complex and will have profound impacts on your business as most organizations will be accountable for the personal data they hold on EU Citizens.

IMG has identified the top 5 organizational challenges facing most companies on the path to GDPR compliance, and the steps required to efficiently address them and meet the data protection-by-design and by-default requirements ahead of May 2018 deadline.


The GDPR will surely affect all aspects of business, but arguably the biggest change is around accountability, which cannot be bolted on and needs to be a part of organizations’ overall systems approach to how they manage and process personal data.

The main challenge is in situations where there used to be very little to no interaction between departments, cross-functional collaboration will be essential to affect data protection initiatives on a corporate-wide level. This means a change to the culture and mindset of organizations which will have to demonstrate an accountability and transparency in all decisions regarding personal data processing activities.


The GDPR expands the definition of personal data well beyond what has traditionally been viewed as part of the scope of as Personally Identifiable Information, incorporating a broader scope of personal data to include any data that could be used to identify an individual. The GDPR has also tightened up the rules around the ‘intent’ for the data since organizations will now need to demonstrate an ability to understand and show what the data is being used for. Most importantly, there will be a need to demonstrate that adequate controls are in place to ensure that the data will only be used for the purpose it was collected for. In practice, this means more discipline around metadata management will be required.

The result of these changes implies an increased scope of compliance requirements for businesses and in-depth analysis of business processes to establish whether data is personal and therefore applicable to the GDPR. As of today, our research suggests that most companies do not have the appropriate processes and tools to perform such analysis.


The GDPR should not be viewed as a single big effort to be ‘ready’ by May 2018. Data protection in the scope of the GDPR and beyond requires an ongoing effort, as it will become an integral part of both the technological development as well as the organization structure of a new product/service.

Prioritizing work for most organizations will be crucial as it is not possible to tackle everything at once, nor should you want to. And, in the so-called ‘Age of Big Data’ in which companies regularly collect and analyze vast amounts of data, getting to grips with GDPR can be daunting and consequently it can be difficult to know where to start. For organizations with limited visibility into the finer points of sensitive data processing, the build-up to the May 2018 deadline could present a stressful period for compliance leaders’ and the wider business.


Not only do organizations have to comply with the GDPR, they will also be required to demonstrate compliance by proving that all the requirements have been analyzed in relation to their processing of personal data. Most important of all is the need to have implemented a demonstrable system that facilitates GDPR compliance.

It is worth noting that there is 'no one size fits all’ approach to demonstrating compliance and how an organization demonstrates it will depend on various factors such as the personal data processed, how and why personal data is being processed, and the risks to the rights and freedoms of individuals when their data is processed.

Compliance leaders should also be able to generate up-to-date, comprehensive and accessible information records to stakeholders and to avoid delays and fines.


Article 25 of the GDPR codifies both the concepts of Privacy-by-Design and Privacy-by-Default.

Privacy-by-Design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. In practice, the IT department must ensure that privacy is built into a system during the whole life cycle of the system or process. Privacy-by-Default means that once a product/service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user.

In today’s fast-paced and ever-changing world, projects can often be quickly implemented with little knowledge of processes and systems they interact with. If integrated earlier in the development process, appropriate tools could also help in exposing data privacy risks in the product/service design phase, and provides visibility to achieve data privacy-by-design and by-default.


Rest assured, the success of your GDPR compliance also lies in the way these 5 organizational challenges are addressed. The ball is now rolling, act now before it really becomes too late!