How organizations can work toward GDPR compliance