Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > Kickstarting GDPR compliance (if you didn’t quite make the deadline)

Kickstarting GDPR compliance (if you didn’t quite make the deadline)

Published by Gbaf News

Posted on June 5, 2018

10 min read

Last updated: January 21, 2026

Graph illustrating growth of the Health Caregiving Market to USD 521.61 billion by 2032 - Global Banking & Finance Review — An informative graph depicting the projected growth of the Health Caregiving Market from USD 233.02 billion in 2025 to USD 521.61 billion by 2032, highlighting a CAGR of 12.2%. This image enhances understanding of the market dynamics discussed in the report.

By Tim Jesser, Director of Global Product Marketing, Snow Software

After years of speculation and two years of stark warnings, it’s finally here. Enforcement of the EU’s General Data Privacy Regulation (GDPR) is in effect, but according to a report from the Ponemon Institute released last month, nearly half (48%) of organisations didn’t expect to hit the May 25^th deadline, or didn’t know when they would.

Some organisations area couple of years into their GDPR journey, while others have left things a little late, only recently realising the monumental effort required to achieve compliance.If you are in the latter group, which if the statistics are to be believed is quite a number of organisations, you don’t need to panic just yet.

That doesn’t mean you should be taking it easy. The longer you delay, you increase the risk of spending an inordinate amount of time scrambling to respond to regulators, taking precious focus away from achieving business goals. The hardest part of any journey is starting, so if you’re still formulating your GDPR plans, here are a few steps that will simplify the process.

Appoint a data protection officer

Under GDPR, a Data Protection Officer (DPO) is required for all public authorities organizations that regularly process personal data, or organisations that process sensitive personal data. Banking and finance fits squarely within the latter two categorisations, which means nearly all organisations in this industry will need to hire a DPO. With estimates of needed DPOs estimated at 75,000, competition will be significant and it is recommended to start the search now if you haven’t already.

Focus on the articles that matters most

With 99 articles, GDPR isn’t a quick read. Fortunately, not every article is created equal and focusing on the most important information up front will stand you in good stead. These are:

Article 30: Records of processing activities (RoPA). The RoPA centres on identifying where personal data is being processed, who is processing it and how it is being processed.
Article 32: Security of Processing. Within Article 32 is the “technical and organisational measures” language which states that organisations must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Remember that ‘appropriate’ means just that. Don’t let GDPR alarmists tell you that ‘appropriate’ means you absolutely must buy their state of the art security software. The truth is we don’t know yet how regulators will enforce and interpret this article and others. Do your best, document your efforts, and that will go a long way towards satisfying regulators.
Article 35: Data Protection Impact Assessment (DPIA). A DPIA is the documentation of especially sensitive data processing and the protection measures that have been established for this processing.

Get enterprise wide visibility

Most organisations beginning their journey to GDPR compliance, understand the importance of identifying the location of prominent personal data repositories such as ERP systems, along withCRM tools such as Marketo and Salesforce. But these commonly used systems often represent just a fraction of the resources that process personal data.

Like an iceberg, the vast majority of such applications are considerably less visible to the business and not necessarily front of mind for the GDPR team. Of significance here is the growing number ofSaaS applications purchased by business units with little to no involvement by IT. If you can’t find a way to gain total visibility of your software and IT assets, you really don’t have much hope of being GDPR compliant. Establishing GDPR compliance requires complete visibility of all personal data repositories across the enterprise.

Shine a light on blind spots

Blind spots are the‘unknown unknowns’; a phrase made famous by former US Secretary of Defense, Donald Rumsfeld. You don’t even know you have them. Blind spots can be particularly problematic when it comes to personal data repositories. It is important to utilise automated discovery tools to uncover all personal data repositories across the enterprise.

You need to be particularly aware of the data held on mobiles. Not only do these devices maintain personal data, they also process information on the user. In addition, they are especially susceptible to be being lost, potentially running afoul of GDPR directives on maintaining control of personal data.

Buildyourpeople, processandtechnologyas one

There is no silver bullet to GDPR compliance. No single application tobuy or consultant to hirethat will take away all GDPR pain. Instead, compliance takes a combination of people, processes and technology.

People: Set up a cross-functional data governance team, made up of the DPO, IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service, and Marketing. Befitting the criticality of GDPR compliance, this team should report to the Board of Directors.

Processes: Once the data governance team has defined what personal data means, they need to share this understanding across the organisation. In addition, privacy rules must be documented and shared across all lines of the business.

Technology: There are a number of solutions that can accelerate and maintain GDPR compliance including:

Case management systems for handling data subject requests
Data discovery systems for finding applications, structured data, and unstructured data
Identity and Access Management to track role management and who has access to which data
Software Asset Management can help create the system, users and device visibility required to ensure claims of “compliance” are based on a complete understanding of the enterprise

There is still time to become GDPR compliant before it has an ill effect on your organisation. But in an industry where sensitive customer information is prevalent, you may not get as much wiggle-room as those operating in other sectors. Take note of the above, start the process of getting yourself organised sooner rather than later, and you’ll find that you’re a long way towards being compliant before you know it.

By Tim Jesser, Director of Global Product Marketing, Snow Software

After years of speculation and two years of stark warnings, it’s finally here. Enforcement of the EU’s General Data Privacy Regulation (GDPR) is in effect, but according to a report from the Ponemon Institute released last month, nearly half (48%) of organisations didn’t expect to hit the May 25^th deadline, or didn’t know when they would.

Some organisations area couple of years into their GDPR journey, while others have left things a little late, only recently realising the monumental effort required to achieve compliance.If you are in the latter group, which if the statistics are to be believed is quite a number of organisations, you don’t need to panic just yet.

That doesn’t mean you should be taking it easy. The longer you delay, you increase the risk of spending an inordinate amount of time scrambling to respond to regulators, taking precious focus away from achieving business goals. The hardest part of any journey is starting, so if you’re still formulating your GDPR plans, here are a few steps that will simplify the process.

Appoint a data protection officer

Under GDPR, a Data Protection Officer (DPO) is required for all public authorities organizations that regularly process personal data, or organisations that process sensitive personal data. Banking and finance fits squarely within the latter two categorisations, which means nearly all organisations in this industry will need to hire a DPO. With estimates of needed DPOs estimated at 75,000, competition will be significant and it is recommended to start the search now if you haven’t already.

Focus on the articles that matters most

With 99 articles, GDPR isn’t a quick read. Fortunately, not every article is created equal and focusing on the most important information up front will stand you in good stead. These are:

Article 30: Records of processing activities (RoPA). The RoPA centres on identifying where personal data is being processed, who is processing it and how it is being processed.
Article 32: Security of Processing. Within Article 32 is the “technical and organisational measures” language which states that organisations must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Remember that ‘appropriate’ means just that. Don’t let GDPR alarmists tell you that ‘appropriate’ means you absolutely must buy their state of the art security software. The truth is we don’t know yet how regulators will enforce and interpret this article and others. Do your best, document your efforts, and that will go a long way towards satisfying regulators.
Article 35: Data Protection Impact Assessment (DPIA). A DPIA is the documentation of especially sensitive data processing and the protection measures that have been established for this processing.

Get enterprise wide visibility

Most organisations beginning their journey to GDPR compliance, understand the importance of identifying the location of prominent personal data repositories such as ERP systems, along withCRM tools such as Marketo and Salesforce. But these commonly used systems often represent just a fraction of the resources that process personal data.

Like an iceberg, the vast majority of such applications are considerably less visible to the business and not necessarily front of mind for the GDPR team. Of significance here is the growing number ofSaaS applications purchased by business units with little to no involvement by IT. If you can’t find a way to gain total visibility of your software and IT assets, you really don’t have much hope of being GDPR compliant. Establishing GDPR compliance requires complete visibility of all personal data repositories across the enterprise.

Shine a light on blind spots

Blind spots are the‘unknown unknowns’; a phrase made famous by former US Secretary of Defense, Donald Rumsfeld. You don’t even know you have them. Blind spots can be particularly problematic when it comes to personal data repositories. It is important to utilise automated discovery tools to uncover all personal data repositories across the enterprise.

You need to be particularly aware of the data held on mobiles. Not only do these devices maintain personal data, they also process information on the user. In addition, they are especially susceptible to be being lost, potentially running afoul of GDPR directives on maintaining control of personal data.

Buildyourpeople, processandtechnologyas one

There is no silver bullet to GDPR compliance. No single application tobuy or consultant to hirethat will take away all GDPR pain. Instead, compliance takes a combination of people, processes and technology.

People: Set up a cross-functional data governance team, made up of the DPO, IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service, and Marketing. Befitting the criticality of GDPR compliance, this team should report to the Board of Directors.

Processes: Once the data governance team has defined what personal data means, they need to share this understanding across the organisation. In addition, privacy rules must be documented and shared across all lines of the business.

Technology: There are a number of solutions that can accelerate and maintain GDPR compliance including:

Case management systems for handling data subject requests
Data discovery systems for finding applications, structured data, and unstructured data
Identity and Access Management to track role management and who has access to which data
Software Asset Management can help create the system, users and device visibility required to ensure claims of “compliance” are based on a complete understanding of the enterprise

There is still time to become GDPR compliant before it has an ill effect on your organisation. But in an industry where sensitive customer information is prevalent, you may not get as much wiggle-room as those operating in other sectors. Take note of the above, start the process of getting yourself organised sooner rather than later, and you’ll find that you’re a long way towards being compliant before you know it.