"It's like a flight data recorder," said Gary Southwell, general manager of the high performance products group at Lowell, Mass.-based CSPI Inc.
That helps companies figure out which records have been breached, and do it in time to meet the 72-hour deadline, he said.
Or take, for example, the challenge of removing private employee data on request. Employees may be keeping all kinds of sensitive information in their corporate file shares, like copies of their tax returns, telephone finance agreements, children's college applications.
That stuff has been collecting on corporate servers for years, said Linda Sharp, associate general counsel at San Jose-based ZL Technologies.
"We have technology that allows us to go through and identify all those pieces of information and help them remove it," she said.
One type of service that would be very helpful, but is currently hard to find, is comprehensive cyber insurance.
Open-Xchange, a collaboration software company based in Germany, ran into just this problem.
"We supply systems for telcos and other companies that are heavily regulated," said company CEO Rafael Laguna. "And inside those systems is this data protected by GDPR. If we don't do our job properly and the data gets exposed, our customers get fined, and they are saying, 'You screwed up, you have to pay this.'"
Before GDPR, cyberinsurance coverage might have cost in the range of $5 million, he said. "Now it's in the range of $50 to $100 million."
And it might not even be available.
It took Open-Xchange five months to find the insurance it needed to cover the risks associated with one recent customer, he said.
"It took five companies to handle the requirements, and it cost us a lot of money," he said.
But, eventually, as more companies look to buy cyberinsurance, the rates might come down, said Steve Conrad, managing director at Bothell, Wash.-based MediaPro Holdings, LLC.
"Anytime you have an insurance pool and you have more people paying into it, that distributes the cost," he said.
MediaPro provides online security training to employees, and some of its customers are in Europe.
The company has cyberinsurance in place, Conrad said.
"It's becoming more and more of a requirement to doing business," he said. "And, at the end of the day, if something bad happens, you want to be covered."
Data, data everywhere
To start getting ready for GDPR, companies must first take stock of what data they collect, and where they keep it.
That could be hard for large companies, with siloed controls and multiple systems, said Ken Krupa, CTO at San Carlos, Calif.-based database company MarkLogic Corp.
Then, companies need to be able to respond quickly to compliance-related requests from regulators.
Sign up for CIO Asia eNewsletters.