
Key Tips & Takeaways for GDPR Implementation Using COBIT® 5


To ease the pain of gaining GDPR compliance, a series of implementation tips follows. Based on observations of,
and recommendations from, several entities that have already begun the path toward compliance, here is a list of key
success factors to consider on the compliance journey:

1
DEVELOP A SENSE OF URGENCY. It is no surprise that this is at the top of the list. Gaining executive-level support is key here, as that support drives the attitudes and expectations required to successfully adopt good governance practices to apply and comply with GDPR.

Hint: Read COBIT 5: Implementation for more tips and techniques on gaining executive-level support and recognizing the need to act.

2
THINK OF GDPR AS AN OPPORTUNITY. Although gaining and maintaining compliance seems burdensome, it is clearly the right approach. Remember that the reason the enterprise exists is to create value for stakeholders, and well-applied GDPR is an important value-adding contributor.

Hint: The COBIT 5 goals cascade identifies stakeholder needs that are cascaded to enterprise goals, to IT-related goals, and to enabler goals to assist in determining the most appropriate processes on which to focus to enhance stakeholder value.

3
GET AN INVENTORY of the enterprise's current governance frameworks and practices, including the data protection plan. Most enterprises already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.

Hint: GDPR is a regulatory concern that can be satisfied by adopting existing best practices such as COBIT, ITIL, The Open Group Architecture Forum's (TOGAF) framework, the US National Institute of Standards and Technology (NIST) publications, the International Organization for Standardization (ISO) standards, and many others.

4
CONSIDER COBIT 5 AS A FRAMEWORK TO MANAGE FRAMEWORKS, but do not stop with just one framework. This is an extension of the previous tip. Although it is the only business framework for GEIT, COBIT is not the only game in town. However, it is well suited to serve as a central framework to help determine the components needed from other frameworks to provide a true GEIT model.

Hint: The COBIT Online website has additional information about this approach at https://cobitonline.isaca.org/about.

5
APPOINT A DPO AND OTHER APPLICABLE ROLES NOW. Even in enterprises that are not affected by the GDPR, these are still good roles to identify and appoint. These roles may already be fulfilled now, just under different names.

Hint: COBIT 5: Enabling Processes identifies RACI charts for all 37 processes.

6
CONDUCT AN ENTERPRISE RISK ASSESSMENT TO ASSIST IN DECISION MAKING. It is important to know what data the enterprise stores and processes on EU citizens, as well as any associated risk. Risk assessments can help identify the risk, determine measures to mitigate the risk and develop action plans to manage the risk.

Hint: COBIT 5 for Risk and ISO 31000 are great places to start when determining an appropriate risk assessment process and linking it to the GDPR requirements.

ISACA.org/GDPRusingCOBIT5
7
LAUNCH A WIDESPREAD AWARENESS AND TRAINING PROGRAM. Everyone in the organization must be familiar with the requirements of GDPR as well as his or her specific role. Training is most likely one of the most important actions an enterprise can take to increase the probability of a successful program.

Hint: In enterprises that are leveraging COBIT to assist in their compliance efforts, the COBIT 5 Foundation course is a good place to start.

8
PLAN AND REHEARSE INCIDENT RESPONSE PLANS. Most organizations already have some form of incident response plan; however, the GDPR has some requirements that may not have been considered. Enterprises must report breaches within 72 hours of their discovery. How well response teams react will directly affect the enterprise's risk of fines for the breach.

Hint: Improve existing incident response procedures by looking at the applicable COBIT and ITIL processes and then creating a specific model for the GDPR requirement.

9
FOCUS ON THE INFORMATION. Remember that information is an asset, a resource and, if it is not protected, a liability. Understanding the attributes, location and life cycle of the data can enhance the enterprise's ability to provide the protections required under the GDPR.

Hint: COBIT 5: Enabling Information can assist in understanding these life cycles and attributes.

10
PERFORM CONTINUOUS ASSESSMENT AND ASSURANCE. Maintaining compliance requires continuous monitoring and improvement. It is important for the enterprise not to let its efforts fade away as it moves to the next initiative, or unpleasant surprises may occur. Keep the momentum going.

Hint: Use COBIT's implementation model or ITIL's Continual Service Improvement (CSI) approach, and ensure that the internal assurance/audit function is engaged.

DISCLAIMER
This is an educational resource and is not inclusive of all information that
may be needed to assure a successful outcome. Readers should apply
their own professional judgment to their specific circumstances.

© 2017 ISACA. All Rights Reserved.
