IBM Framework Helps Clients Prepare for the EU’s General Data Protection Regulation
The General Data Protection Regulation (GDPR) goes into effect on May 25, affecting almost every organization, wherever it is located, that deals with European Union (EU) data subjects.
“Whether an organization has a physical presence in the EU doesn’t matter, even if you’re just marketing to, profiling or collecting information about EU individuals, citizens, residents or visitors. The reason it’s so sweeping—besides the global nature of it—is because it’s all about privacy and how personal data is handled,” says Cindy Compert, IBM Cybersecurity Leader, U.S. Public Sector Market, and CTO, Data Security and Privacy, IBM Security.
A Tipping Point
Although complying with GDPR sounds daunting, it doesn’t necessarily have to be, especially if an organization is aware of the regulation and already preparing for the GDPR start date. If not, now is the time to begin. (See “Possible GDPR Minimum Requirements.”)
The penalties for noncompliance can be steep. For example, a company that experiences a breach exposing EU personal data may face stiff fines of up to 4 percent of its annual turnover or 20 million Euro, whichever is greater. Other enforcement measures could include a ban on processing or a halt to transfers of personal data. In addition, affected individuals can take legal action on their own, adding to the potential fiscal and legal woes.
Should a breach occur, noncompliance has the potential to become debilitating in terms of fines, lawsuits and loss of public confidence in the organization. Because large breaches may need to be publicly reported under GDPR, they might prompt customers to take their business to other companies, which could further affect the bottom line.
But all is not lost. According to Compert, GDPR has some ancillary benefits. As she explains, “GDPR represents a tipping point for digital transformation. It’s not just checking the boxes to become compliant. By understanding what personal data you collect and manage, and building trust by being mindful of data protection practices such as privacy and security by design, you can leverage these activities to help you accelerate your journey toward a digital transformation. I believe that building digital trust is what’s going to separate companies that survive versus ones that don’t.”
Action Plan
Of course, every organization is at a different maturity level in terms of information governance and security, especially if it’s in a highly regulated industry such as banking, finance or healthcare. Such an organization likely has many controls, such as encryption, already in place and may just need to augment them. If an organization hasn’t done much work in the data-protection space, it will likely need additional guidance.
With that in mind, organizations should take a deep internal dive into the types of data they collect, process, store and share, and design policies and practices to protect this information. This insight could also help to prioritize implementation efforts.
Several options exist for GDPR readiness process guidance and tools, including assessments, to help organizations reach their GDPR goals. IBM has developed the IBM Security GDPR Framework to help clients achieve GDPR readiness through a privacy- and security-based approach. The framework focuses on five phases of the GDPR preparation process (see Phases):
• Assessing your situation
• Designing your approach
• Transforming your practices
• Operating your program
• Conforming with the necessary requirements
All of these phases address specific steps to take to get ready, as explained below.
Phase 1: Assess
Phase 1 involves assessing your specific situation, determining which of the data you collect, process, store and transfer falls under GDPR, and then plotting a course to discover it. This type of assessment includes Privacy Impact Assessments, gap analysis, data mapping and compliance handbooks.
Phase 2: Design
Phase 2 is where you design your GDPR approach, including the creation of a solid plan for data collection, use and storage. You also need to develop an architecture and strategy that will balance risks and business objectives. This includes program governance, risk management, data-subject rights management and processor/controller governance solutions.
Phase 3: Transform
Phase 3 involves transforming your practices by understanding that the data you deem valuable to your organization is equally valuable to the people it represents. You also need to develop a sustainable compliance program; implement security, privacy and governance controls; and potentially appoint a data protection officer. All business units must be transformed to ensure globally consistent adoption of GDPR capabilities, including data and risk classification, detailed assessments and priority data remediation, and operationalizing GDPR capabilities.
Phase 4: Operate
Phase 4 is where you’re ready to operate your program. You will need to continually inspect your data, monitor personal data access, test your security, use privacy and security-by-design principles and purge unneeded data. GDPR should become a standard operating practice for interactions with clients and their data. It can help protect privacy and meet GDPR-related obligations, such as the ability for data subjects to manage their consent preferences and submit data-subject access requests.
Phase 5: Conform
Phase 5 is where you’re ready to conform with necessary GDPR requirements, such as fulfilling data subject requests for access, correction, erasure and transfer. You’re also now prepared for audits with documentation of your activities and ready to inform regulators and data subjects in the event of a data breach. This includes monitoring of technical and organizational measures, security and privacy assessments, auditing and evaluating ongoing conformance to GDPR, and providing evidence of compliance to both internal and external stakeholders.
Regulation-Ready
Alongside the security framework, IBM also offers an online GDPR Assessment tool (gdprguide.mybluemix.net) that helps organizations figure out where they stand in the GDPR-readiness process and then provides recommendations about how they can move forward with their programs.
IBM added GDPR-specific capabilities to some of its related tool sets, as in the case of the IBM Guardium GDPR Accelerator. Used for both IBM Z* and IBM Power Systems*, it includes a template that helps organizations identify GDPR personal data and automate that discovery and classification process. It then puts policies in place to monitor, report on and audit access to that information, with the procedure becoming an automated workflow.
Every organization that retains and uses EU data-subject information should be working on becoming GDPR-ready. Some compliance can be accomplished internally, but because of the complexity of GDPR, it would behoove an organization to take advantage of the resources available from solution providers. Going it alone isn’t worth the risk.
You have to think about the potential burden that comes with not being in compliance if a breach occurs—including massive fines, individual lawsuits and damage to the organization’s reputation, Compert notes.
“What this is really about is protecting information of not just ourselves, but also of our families and loved ones,” she says. “That’s really the big-picture story behind all of this.”
Jim Utsler, senior writer for IBM Systems Magazine, has been covering technology for more than 20 years.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation (GDPR). Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM doesn’t provide legal, accounting or auditing advice, or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey (ibm.co/2mfpvxD).