We regularly receive this question from our clients: what will GDPR regulators do, and what will they be looking for? We know this can be a complex discussion, but we would like to give a short overview and a few hints about the regulator's role.
The regulators will always be looking for due care: they want you, as a company, to be aware of GDPR and to understand what you need to do and how. They need to see that you have performed at least a gap assessment, so that you know where you are and where you need to be for full compliance. They will check this either proactively or reactively.
The regulators also need to see that you know what personal data you hold, where you store it and which other partners/providers this data is shared with.
Then there are the security and privacy controls you may or want to implement: anonymisation, masking, encryption, other protective measures, monitoring, incident response and so on, depending on the risk maturity level you have accepted as an organisation.
So take a close look at incident response as well, because how you handle data breaches will also bring you closer to GDPR compliance.