Jason Burns from IBM shares the international tech company’s five-part framework for GDPR, which has evolved from valuable lessons learned in privacy and security.
At IBM, we’ve established a global readiness programme tasked with identifying the key impacts of the GDPR (General Data Protection Regulation) across IBM’s business, and preparing IBM’s internal processes and commercial offerings for compliance with the GDPR.
The programme is organised into several work streams, staffed with IBM’s data privacy and security professionals. Focal points in each business unit are responsible for implementing the GDPR-related policy, system and business process changes mandated by the various key work streams.
Our internal GDPR-readiness activities are aligned with a global framework derived from lessons learned on our many security and privacy client engagements.
‘This journey itself may not always be easy, but the path should be clearer with this framework’
The work that we’re doing internally to prepare for the GDPR reinforces the controls already in place that limit access to our clients’ personal data and will ensure that we continue to handle our clients’ most valuable assets in a compliant manner at all times.
This five-point framework takes a holistic approach that spans people, processes and technology. It translates GDPR obligations into the concrete actions and outcomes that are needed to progress towards GDPR readiness.
This close interlock helps to ensure that the best practices, solutions and services that IBM uses internally are the same as those we offer our clients.
Privacy and security
Remember, GDPR represents a unique opportunity to help strengthen your own privacy compliance posture and preserve the trust of your clients, while reducing your exposure to risk and creating real competitive advantage.
Where do you begin? The first thing we decided was that each of the framework’s five phases had to address both privacy and security issues because GDPR requires organisations to ensure both. And, yes, it can sometimes be hard to distinguish between the two.
So, we nailed down the definitions whereby ‘privacy’ is all about the policies and practices that dictate what data you collect and why you manage, share, process and move it around. ‘Security’ is all about how you control and protect that data.
A GDPR framework in 5 points
In building on our IBM GDPR framework, we looked at a basic framework and added further details such as a simplified capability architecture that includes information governance and a set of pathways to help get started across the organisation.
Let’s look at the basic five points of this framework:
- Assess your situation: Here, you figure out which of the data you collect and store is covered by GDPR regulations, and then you plot a course to discover it.
- Design your approach: You need to come up with a solid plan for data collection, use and storage. You also need to develop an architecture and strategy that will balance risks and business objectives.
- Transform your practices: At this stage, understand that the data you deem valuable to your organisation is equally valuable to the people it represents. This is where you need to develop a sustainable privacy compliance program, implement security and governance controls (TOMs: technical and organisational measures) and potentially appoint a data protection officer.
- Operate your program: Now you’re continually inspecting your data, monitoring personal data access, testing your security, using privacy and security by design principles, and purging unneeded data.
- Conform to the necessary GDPR requirements: Now you’re fulfilling data subject requests for access, correction, erasure and transfer. You’re also prepared for audits with documentation of your activities, and ready to inform regulators and data subjects in the event of a data breach.
So there you have it: a basic and direct approach to GDPR readiness. This journey itself may not always be easy, but the path should be clearer. Yes, there’s a lot going on in each of those five phases. And yes, you may need help along the way.
By Jason Burns
Jason Burns is an analytics client architect at IBM Ireland where he helps customers understand how to make the most of their data, unlocking hidden patterns through data discovery. He completed an MSc in data analytics at Dublin City University and is a member of the board of directors at the Analytics Institute of Ireland.