GDPR has finally arrived, but the implementation date is only the beginning of the compliance journey, as Enza Iannopollo, a Forrester analyst on the security and risk team, tells CIO UK.

"Probably we expect about 50% of firms globally to be ready for compliance in time for May 25. However, we have to keep in mind that this is not a deadline," says Iannopollo, a Certified Information Privacy Professional (CIPP/E).

"This is only the beginning of the story. We assume that it will be a work in progress, even for companies that might be ready today, because building compliance within processes and making sure you do that on an ongoing basis will always be partially a work in progress. We don't expect to see a final stage of compliance. That wouldn't work for this kind of world."

Fines grab the headlines

The threat of fines of up to €20 million or 4% of annual turnover has caught the eye of CIOs.

"I think it's going to be an interesting couple of years for us all, and a bit of a roller coaster at times," AEG CIO David Jones told CIO UK. "People will have understood something one way, and actually it will turn out the regulator's interpreting it another way, and we'll be rushing around to catch up with that.

"I think we're all hoping the ICO will go after the likes of Google and Facebook first rather than smaller organisations, and that will help set some sort of case law."

Information Commissioner Elizabeth Denham described the implications as "the biggest change to data protection law for a generation", but most current data practices are being strengthened rather than overturned.

"I think we are going to see enforcement action. I think the regulators will set a few examples to start with. They want to be perceived as strict with these rules."

Iannopollo expects the regulators to set a few examples to demonstrate their willingness to enforce the rules once evidence of breaches arrives.

However, the nature of the enforcement action will depend on the infringement, and organisations will be given the chance to demonstrate their efforts to comply.

"This doesn't mean that we expect something to happen at the end of May," she says. "Of course regulatory action will take time and investigations take time, and there will be an opportunity for organisations to provide evidence of their compliance strategies."

Steps to compliance

A GDPR compliance plan will ideally comprise representatives of legal, IT and HR, with support from staff in other departments.

"The organisation has to work in a way that is compliant with GDPR, and this means that technology processes will need to be changed to make sure that you can maintain this compliance all the time," says Iannopollo.

"The first point that I usually make is to make GDPR operational, and the second point is CIOs need to understand how ready their organisation is, because being an executive of a company today means that they're responsible for the security and privacy of their organisation, and we know that the consequences of breaching these rules, or in general of privacy and security breaches, are enormous for these executives. It's not just the fine; it's the reputation and the profitability of the company."

Data needs to be identified and tracked on an ongoing basis, with particular care taken with sensitive information. All this data should be documented along with the purpose for its use, the location where it is stored, and the names of anyone who has access to it.

Procedures should be in place to manage any data processing. Current practices may no longer be sufficient, as GDPR includes a number of new or strengthened data subject rights. The new list of individual rights reads as follows:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

Organisations should continue to evaluate their current data governance practices, and document the lawful basis for any processing. Any aspects that are now inadequate should be updated as required. Take note of how data flows across international borders.

Be careful to ensure that any children's data is used appropriately and that all consent is still suitable, as the requirements for both have been significantly strengthened.

The ICO provides a number of data protection self-assessment toolkits to help organisations check their GDPR readiness.

Raising awareness and skills

Many organisations will need to appoint a Data Protection Officer (DPO). The role is mandatory where processing is carried out by a public authority, where core activities involve regular and systematic monitoring of data subjects on a large scale, or where core activities involve large-scale processing of personal data relating to criminal convictions and offences.

Appointing a designated individual as responsible for GDPR is a wise move whether or not a DPO is obligatory, but responsibility for compliance runs throughout the organisation. Raise awareness of the implications through company-wide training sessions on an ongoing basis.

To ensure Yodel is compliant with GDPR, CIO Adam Gerrard has been auditing the company's use of data. The training provided to his team has made him confident that preparations are on course for compliance.

"My data protection specialist is already trained up," Gerrard told CIO UK. "I have a great IT cyber specialist who is fully up to speed with it and understands the concerns in that space as well. So the two of them are going through with a fine-tooth comb: all our data sources, all our applications. What does this mean for us?

"I think we've got the right kind of rigour, and I think we understand the process we need to get through. There are a lot of areas of working, and that's just on the technology side. A lot of people forget that data protection isn't just about what's stored on the systems.

"Fortunately my team are smart enough to know this and are out there, looking at all the different processes that could potentially have personal information written down as well as stored."

Awareness needs to be raised throughout the organisation. The leadership team should set the example for the rest of their colleagues.

"There's quite a lot of due diligence to be done in most businesses," says Jones. "So it's definitely a focus for us, and there's a little joint working group between the information security director, myself and a couple of key people from our legal team in Europe as well."

GDPR compliance tools

Regtech software can help with GDPR preparations. There are a number of GDPR readiness tools already on the market, ranging from new products to updates of existing solutions.

Syrenis Preference Centre collates and manages consumer preferences in a single cloud-hosted hub that lets companies and customers directly manage their preferences.

Evidon's Universal Consent Platform provides a single transparency and consent platform across platforms, and lets users manage new data subject rights in a simple interface.

Tealium iQ Tag Management is a tag management system (TMS) that offers visibility into the collection and usage of customer data through a single view of information from every source. It offers user control and an audit trail of actions.

Egnyte lets users identify and classify personally identifiable information (PII) across both cloud and on-premises repositories, and offers alerts of any activity that may need to be reported.

The MyLife Digital Consentric Platform gives a single view of permissions across the business and management of the legal justifications for data processing, while Experian has rolled out a free GDPR Maturity Self-Assessment tool.

Even existing office solutions can help in preparations. Databases, spreadsheets, collaboration tools, document management systems and project management tools all provide their own ways to monitor and control data processing, but they will likely need support from other tools and staff throughout the organisation.

Embrace the GDPR opportunity

GDPR compliance can feel like a lot of work, but the regulation is also a business opportunity.

Adhering to the rules is a good way to gain trust from customers and employees, and a chance to differentiate your business from the competition.

Iannopollo advises CIOs to use GDPR as an opportunity to make privacy a key topic for the executive team and to use compliance to embed data protection in strategy. They can also research the expectations of their customers to support their evolving demands.

"This is not something for the compliance or legal office," she says. "This is broader. This is an organisational effort to improve business operations and strategies overall. I like to see GDPR as this opportunity rather than this punitive tool that now regulators are going to use against companies."