Organizations around the world have been watching anxiously as the General Data Protection Regulation (GDPR) approaches, bringing with it the potential for tremendous upheaval. Those who haven’t made a priority of preparing for this monumental shift in how private data is collected, stored and protected face a very real risk of damage as GDPR blows in on May 25, 2018. With fines for noncompliance potentially reaching into the millions of euros, the financial hit could be enough to shut some entities down. There’s still time to prepare, but with just months to go, it’s important to act quickly. This paper sets out five basic steps organizations may want to consider to help set up a framework for managing GDPR risk.