With less than two months remaining until the May 25th deadline, organizations should be well on their way towards General Data Protection Regulation (GDPR) compliance. Privacy’s “new normal” will require you to demonstrate, on an ongoing basis, how you collect, use, retain, disclose and destroy personal information in line with the new GDPR requirements.

This has a significant impact on the IT organization, as the custodian of this information, and is a significant transformational activity for your organization going forward. Those who cannot show compliance with the principles of GDPR by the deadline may face fines of up to four percent of global annual turnover (or €20 million, whichever is higher).

It’s important to have a “regulator ready” mindset as you start the process of addressing each nuanced point of GDPR’s 99 articles. Your organization needs a structured, risk-based approach to introducing iterative change in line with GDPR requirements and privacy principles, and my goal here is to help simplify this approach.

GDPR compliance will be an ongoing effort of adopting guidelines, operationalizing privacy compliance and eventually optimizing and getting value from your processes. However, on May 25, you must be able to present a minimum viable product to EU regulators, customers and vendors.
We call these your “day one” capabilities, which include:

an active and engaged Privacy Governance Model
a drafted and piloted Record of Processing Activities
a Data Protection Impact Assessment (DPIA) workflow that addresses GDPR’s prior-to-processing tenet
an assigned and onboarded data protection officer
data subject rights processes and assignments in place
updated procurement standards, templates, addendums, etc.
a project management office methodology aligned with the Privacy Program
an updated privacy intranet portal with intuitive use cases and helpful FAQs
board and committee awareness and messaging
a risk-aligned privacy compliance roadmap dictating what further efforts need to be rolled out

While the above may look like an “alphabet soup” of regulatory speak, the good news for CIOs is that other parts of the business (chief privacy officers, legal, human resources, etc.) play leadership roles in this program as well. However, as with all transformation efforts, IT plays a major part in helping to identify sources or locations for all personal information in scope (data discovery), implementing safeguards to protect the information in accordance with requirements across the entire data lifecycle from creation through destruction (data protection) and developing systems or workflows to facilitate compliance and reporting activities (efficient compliance).

A strong partnership between the IT function and the business will facilitate the race to GDPR compliance in May, but in many ways, it is just the start. Throughout the rest of 2018 and into 2019, your organization should go beyond simply complying with GDPR and start operationalizing privacy compliance and related change across its business processes.
These “day two” capabilities, as we call them, include:

the rollout of a compliance roadmap of all activities required to maintain GDPR compliance in alignment with business risk/complexity
updates to the record of processing activities
updates to security and data protection controls based on lessons learned
procurement and contractual updates
vendor privacy risk management improvements
documentation of any interaction with regulators in the event of an inquiry
IT and IT security process and safeguard enhancements
standard operating procedure build and implementation
an employee training and awareness campaign
privacy governance and compliance reporting

As we move through 2019 and into 2020 and GDPR compliance becomes the norm, your organization must start optimizing privacy compliance. Business and IT partners should work to introduce self-service, on-demand privacy compliance processes and tools that facilitate governance and reporting, and should consider the following actions:

converging cyber and privacy responsibilities to move to a comprehensive and unified data protection agenda
implementing improved data protection tools
optimizing enterprise risk management methodology and related key performance indicators and reporting
informing employees, vendors and customers of your improved and compliant GDPR capabilities

Complying with GDPR is just the first step. As your organization moves forward, creating an agile GDPR program founded on privacy principles will allow for easy modification of the program in the face of changing privacy laws. With the right tools and an organization that understands how to use them properly, your organization will realize value from its GDPR program.