"I'll let you into a secret", says Dennis Holmes, a member of the data protection, legal and compliance team at PwC. He also has a surprising suggestion.
"One idea is to try a fake phishing programme and see who bites, that way you can get a feel for your vulnerability."
This piece of advice arose from Dennis's confession: "No one will be 100 per cent compatible with GDPR," he said.
He was speaking at the GDPR Summit. Given that no one will be 100 per cent compliant, what can you do? "So it's running risk management," opined Dennis, "you may not be 100 per cent compatible, but you do need to be able to show what you are doing."
PwC asks a series of questions and gives marks out of four. "90 per cent of people we have tested are not even close to compliance," he claimed.
It may boil down to trust. "GDPR is about trust between people who hold data and the subjects of the data."
Drilling down, he said that GDPR impacts both data controllers - who determine the means and purpose of personal data - and data processors - the person engaged by the data controller to process data.
And he continued, it is built around three pillars: a new transparency framework, a new compliance journey and a new punishment regime.
As an example of transparency, he warned that organisations need to be much clearer on how they use data, adding that consent rules are being massively tightened. He also warned that regulatory inspectors will have enhanced rights.
Turning to the compliance journey, he referred to privacy by design: "entities have to get data handling right from the start," he stated. He also reminded delegates that the right to be forgotten means that "people will have greater power to demand deletion."
The headlines relating to the punishment regime are well known - up to four per cent of a company's turnover, for example, but he warned about compensation rights for distress - an area that may prove headline grabbing.
Dennis also drew delegates' attention to one somewhat troubling area: GDPR does not give organisations any insight into prioritisation.
For more on GDPR check out the GDPR Report and www.gdprsummit.london