GDPR will become embedded into the culture of organisations because of the far-reaching impact that compliance will have. To cover all the bases, there will really be no choice but to establish or revamp efforts across three separate areas:
Processes: Numerous new processes will be required, covering a wide range of areas. Examples include processes for collecting personal data, identifying sensitive data within databases, risk management assessments, monitoring data access, handling requests from individuals (data access, right to be forgotten, etc.), and communicating with and responding to security incidents.
People: It goes without saying that people are at the centre of implementing processes. Furthermore, extensive employee education will be required to comply with GDPR.
Technology: While the GDPR is much too broad to lend itself to compliance by just deploying some hardware and software, there are many technological solutions that will be critical to enabling the various processes, protection and people aspects described above.
There are thousands of details involved in addressing GDPR requirements, but the journey towards compliance will benefit the organisation in numerous, very valuable ways that reach far beyond satisfying the regulation itself.