To date, GDPR compliance at most organizations has been approached from the top down. Policies and procedures are essential. However, now that most organizations have those in place, it is time to begin revisiting GDPR programs from the bottom up — starting with the systems where data lives, to ensure cohesive alignment between the existing privacy policies, business requirements, and the IT systems and infrastructure.