Making GDPR business-as-usual