Dataworks Berlin
GDPR : The IBM Journey to Compliance
—
Richard Hogg, Global GDPR Evangelist
Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation
Richard Hogg
Global GDPR Evangelist
IBM
@banjaxx
G-36 Days
GDPR Legal
Disclaimer
Clients are responsible for ensuring their own compliance with
various laws and regulations, including the European Union
General Data Protection Regulation. Clients are solely
responsible for obtaining advice of competent legal counsel as
to the identification and interpretation of any relevant laws and
regulations that may affect the clients’ business and any
actions the clients may need to take to comply with such laws
and regulations. The products, services, and other capabilities
described herein are not suitable for all client situations and
may have restricted availability. IBM does not provide legal,
accounting or auditing advice or represent or warrant that its
services or products will ensure that clients are in compliance
with any law or regulation.
Learn more about IBM's own GDPR readiness journey and our
GDPR capabilities and offerings to support your compliance
journey here.
Simply…
GDPR
Compliance Data
Protection
Personal
Data
The EU General Data Protection Regulation
GDPR
From
May 25th,
2018
Across 28 EU countries
4%
of Global Revenue or
€20M
Potential Penalty
Per-Incident
Applies
Globally
to any Organization working with
Personal Data of a Data Subject
residing in the EU
Or Profiling From the EU
5 Key General Data Protection Regulation Obligations
Rights of EU
Data Subjects
Security of
Personal Data
Compliance
& Legal Basis
Accountability of
Compliance
Data Protection by
Design and by Default
Exemplar Types
of Personal Data
Personal Data:
an identifier such as a name, an identification number,
location data, online identifier or to one or more factors
specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that person.
Sensitive Personal Data:
data consisting of racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union
membership, genetic data, biometric data, data
concerning health or data concerning a natural person's
sex life or sexual orientation. The commission or alleged
commission by them of any offence; or any proceedings
for any offence committed or alleged to have been
committed by them, the disposal of such proceedings or
the sentence of any court in such proceedings.
5 Phases to Readiness
GDPR Framework
– Conduct GDPR risk &
privacy assessments
across governance,
people, processes, data,
security
– Develop GDPR
Readiness Roadmap
– Identify & Map personal
data
– Design governance,
training, communication,
and process standards
– Design privacy, data
management and
security management
standards
– Develop and embed
procedures, processes
and tools
– Deliver GDPR training
– Develop & embed
standards & policies
using Privacy by Design,
Security by Design
– Detailed Data Discovery
– Execute all relevant
business processes
– Monitor security and
privacy using TOMs
– Manage Consent & data
subject access rights
Identify GDPR impact and
plan Technical and
Organizational Measures
(TOMs)
Includes Data Protection
controls, processes and
solutions to be implemented
TOMs in place: Personal
Data discovery, classification
and governance in place
Begin the new GDPR ready
way of working
– Monitor, assess, audit,
report and evaluate
adherence to GDPR
standards
Assess Design Transform Conform Operate
Monitor TOMs execution;
deliver compliance evidence
to internal and external
stakeholders
Assessments and
roadmap
Defined
implementation plan
Process enhancements
completed
Operational
framework in place
Ongoing
monitoring and
reporting
Activity Outcome Phase
What Is IBM Doing for
GDPR Readiness?
Our Market Commitment
IBM has established a global project to prepare for GDPR, both for our internal
processes and for our commercial offerings. IBM recognises that our customers will
rely on IBM's offerings and technical assistance to achieve GDPR compliance within
their own organisations and IBM is well-positioned to meet this critical need.
Our GDPR Readiness Programme
GDPR Programme Management Office
IBM as a Data
Controller
Mission:
Address IBM’s
obligations for
managing
internal data.
IBM as a Data
Processor
Mission:
Ensure
compliance and
governance for
all IBM
offerings and
services that
process
personal data.
IBM GDPR
Common
Services
Mission:
Deploy
enterprise tools
and common
services to
facilitate
GDPR-related
policy, system
and business
process
changes.
IBM Vendor
Management
Mission:
Align our supply
chain to the
upstream
obligations we
make to our
clients and to
our internal
responsibilities.
IBM Client &
Contract
Management
Mission:
Help make the
client buying
process GDPR
ready.
GDPR Go-To-
Market
Mission:
Create a unified
solution to help
our clients with
their GDPR
readiness
programmes.
IBM has established a global readiness programme
tasked with identifying the key impacts of the GDPR
across IBM’s business and preparing IBM’s internal
processes and commercial offerings for compliance
with the GDPR.
The programme is organised into several work
streams, staffed with IBM’s top data privacy and
security professionals. Focal points in each Business
Unit are responsible for implementing the GDPR-
related policy, system and business process changes
mandated by the various key work streams.
www.ibm.com/gdpr
+ new Audit
Workstream
Northern Trust Accelerated
GDPR Readiness
—
“The journey we took to know, trust, use our data is now
accelerating our readiness to GDPR.
• Data cataloging efforts to map sensitive data elements
across key applications improved company operations and
accelerated our path to be GDPR ready
• GDPR is now helping us to advance our metadata for other purposes
such as data protection
• With good quality data with embedded governance controls,
my group is providing better service to my constituents so
Northern Trust can better serve its customers.”
Sanjay Saxena
Senior Vice President of Enterprise Data Governance at Northern Trust
Use your data
Build a single source of truth to drive a 360-degree
view of your data. Unleash insights and deepen
customer relationships.
Trust your data
Capture lineage, help ensure quality of dynamic
data and stay on top of regulations.
Know your data
Discover, find, integrate, classify and catalog all
types of data.
Driving Consumer Engagement,
Innovation and Competitive Advantage
GDPR
66% of users feel more
empowered to share
data once it has
strong governance
enablement*
Respect and treat personal data properly
Build personalized experience
Help Compliance readiness
Build brand value & loyalty
Source: Lock, Michael. “Data Governance 2.0:
Uniting People and Information to Drive Real
Business Results”, Aberdeen Group, 31 August
2017, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=IML14586USEN&
Driving Value Beyond GDPR
Compliance
The Value of Governance
Making data cleaner and more trustworthy
contributes to a technology environment that is
easier to interact with, protecting data, and guiding
users toward the data they need to support their
decisions.
Find-Share-Collaborate
− Break down data silos
− Make structured and unstructured data available
through a self-service model
− Turn complex business data into business value
− Be proactive in the face of a changing regulatory
environment
Data Governance 2.0
“Uniting people and information to drive real
business results”
(Aberdeen Group study – August 2017)
Opportunities the GDPR
Presents to All
Reinforcing
accountability with
your customers
Digital
engagement and
personalisation
Improved data
management and
understanding
1 2 3
Build once. Address many needs. Accelerate innovation.
Archiving
Records and retention
Audit readiness
Self-service access to data and analytics
Discovery
360-degree information driven insights
Regulations
(such as GDPR)
Privacy and protection
EDW optimization
Trusted Analytics Foundation
AI & ML GDPR Accelerators
Compare and Comply
Watson Compare & Comply allows attorneys to load
contracts and other data such as regulations from any
source and have Watson analyze and consider the key
language, clauses or paragraphs driving the need for
further analysis or change
Watson considers the contractual terms, regulations or
other terms and highlights paragraphs / sentences that
contain control requirements (implicit/explicit). Users
confirm the validity.
Visualize how effectively controls have been assessed
per regulation
GDPR Outcome
Creates a range of bespoke reporting to allow a clear
view of where remediation is required, with clear
traceability back to impacting new regulations, existing
regulations or contractual terms. A clear link back to
impacting regulation or de-regulation can be seen to
support prioritization and discussions with the regulator
Accelerate Taxonomy and
Personal Data Mapping via
Industry Model
Business Taxonomy for Industries mapping each GDPR
term to business terms & objects, by Article
− Consumable for Unified Governance Catalog
execution by using IGC
Helps pre-define common classes and types of Personal
data to find and manage under GDPR
− Helps define and accelerate determining which
personal data types your business uses
− Helps define the examples and methods of finding and
managing such personal data
GDPR Outcome
An immediate re-usable taxonomy and framework of
business terms, for what personal data is used in the
business, towards a complete Mapping and inventory to a
defensible ‘Article 30 Record of Processing of Personal
data’ across the business.
Marked up GDPR Regulation Supportive Content of all GDPR
nouns in IGC
Each relevant noun
in the text points to
equivalent IGC
Term
Industry agnostic representation of GDPR regulation
Governance Value
Beyond GDPR
Brand Value & Loyalty
Strengthen your brand by defining and publishing ethical
standards for handling personal data, both internal (employees)
and external (clients): a quality necessity for the digital age!
Grow revenue, reduce churn and acquisition costs.
Become ‘data driven’—Personalized
Establish key projects like implementing Data Governance
or creating a 360 Client View to transform your organization
to be data driven as part of your GDPR implementation.
Better customer insight and targeted marketing.
Compliance Readiness and Business Productivity
Established best practices for stewardship and efficiency of
data projects and for confidence in handling future
regulation.
Show respect & trust for Personal Data
Derive guidelines for handling personal data and raise the
awareness as part of your organization’s values
Records of
processing
activity
Consent
Building Block Journey
Governance and
lifecycle
management
Assessment
Access by the
data subject
Discovery and
mapping
Discovery and Mapping (Art. 4-5)
IS EE (IA, IGC), StoredIQ w/Cartridges, Industry Models
w/GDPR content
Records of Processing Activities (Art. 30)
GDPR Template w/IS EE, StoredIQ, Cognos 11
Manage Consent (Art. 4-7)
MDM w/ Consent Mgmt & Profiles
Governance and Lifecycle Management (Art. 5)
IS EE (IGC), Optim TDM & DP / TD Fabrication / Archive,
Atlas, StoredIQ for Legal
Data Subject Access (Art. 15)
IGC, MDM, Atlas, StoredIQ, Optim, Case Manager
Analytics GDPR Building
Blocks
Discovery and Mapping
Know your relevant data: Understand where
personal data resides
Define your inventory of Personal Data
Discover where Personal Data is stored
Reveal ‘shadow’ data stores
Process structured and unstructured data and
store results in a common catalog
Leverage GDPR specific content in Industry
Models and GDPR Cartridges for StoredIQ
(RegEx & ML)
1. Articles 4-5
Information Analyzer
for Structured Data
StoredIQ
for Unstructured Data
Industry Models for Business Vocabulary Conformance
Information Governance Catalog
Extensive Personal Data
Discovery with GDPR
Cartridges
Plug-in discovery accelerators to find a more extensive set of
EU citizen personal data
− Maximising the use of RegEx strings
− Leveraging Machine Learning Annotators to auto-discover
personal data entities such as Names, Addresses,
Countries that can’t be defined or found by RegEx
− Tailorable & extensible by clients
Proven enterprise-scale capability to assess in-place the
common sources and types of unstructured information
− Heatmap view to prioritise Where Personal information has
been found
− Actionable outcomes and exports of specific data types
and files for remediation & mapping
GDPR Outcome
Rapidly discover the most common Personal data in all the
usual places, avoiding internal time and resources trying to
define and manage these rules; Ensuring IT can help other
stakeholders reduce Risk and Cost of Discovery.
What Is Data
Mapping?
GDPR ARTICLE 30
Records of Processing
Activities
Article 30 of Regulation (EU) 2016/679
controller
processor
written
sme
regulator
who
why
what
where
when
way
who
why
where
way
Records of Processing
Activities
It enables companies to address the
requirements of the GDPR defined in Art.
30 through appropriate tooling and a set of
artefacts provided through our GDPR
Template.
Art. 30 GDPR:
Records of processing activities
Each controller and, where applicable, the
controller’s representative, shall maintain a
record of processing activities under its
responsibility.
2. Article 30
Data Subject Access
Requests
Enterprise scale consistent auditable
processing for all DSAR requests, leveraging a
single catalog, policy and processing criteria for
each data subject
Streamline the DSAR decision and template
repeatable but personalized responses within
30 days back to the data subject
Provide auditable tracking, management and
execution of all types of DSARs for Art. 15
3. Article 15
Governance and Lifecycle
Management
Mask personally identifiable information with
realistic but fictional data, de-identify
sensitive information; mask complete
business objects across heterogeneous
databases & applications; when needed,
generate synthetic test data
Govern the lifecycle of data with archival,
records management, and defensible
disposal
Drive to Data Minimisation under GDPR
4. Article 5
JASON MICHAELS ROBERT SMITH
DBA View
Referentially-intact
subsets of data across
related tables &
applications, including
metadata.
Business View
Overall historical
“snapshot” of business
activity, representing an
application data record
– e.g. payment, invoice,
customer
Manage Consent
A Consent Service providing a framework for
obtaining, maintaining and applying where
specific consent is required, for some GDPR
data processing, away from the current blanket
single consent commonly imposed
Supports any categories of Consent or Sharing
preferences for data subjects, flexible and
changeable by them at any time.
Each Consent is more granular, specific for
each Purpose and clearly conveys What data is
related to that consented purpose.
Where required, explicit transparent Purposeful
Consent of any personal data processing is
available for data subjects and processors to
know and understand how it can be and is used.
5. Articles 4-7
Consent Management
What’s New for GDPR?
RegulatoryML Lab Concept
What’s New for GDPR?
Blockchain Whitepaper
ibm.biz/blockchain-gdpr
Using real-world examples,
this paper explores how
blockchain could address five
areas associated with GDPR
compliance
Rights of EU Data Subjects, Security of Processing,
Lawfulness and Consent, Accountability of
Compliance, and Data Protection by Design and by
Default.
In this paper, for each of the areas, we provide a
point of view on how blockchain applies, we describe
project examples, and we explore challenges and
opportunities.
Thank you
Richard Hogg
Global GDPR Evangelist
—
rghogg@us.ibm.com
+1-703-963-2900
ibm.com
@banjaxx

More Related Content

PPTX
Adapting to the exponential development of technology
PPTX
Risk listening: monitoring for profitable growth
PDF
Practical experiences using Atlas and Ranger to implement GDPR
PDF
Data Driven Development of Autonomous Driving at BMW
PDF
Climbing the AI Ladder
PPTX
How data modelling helps serve billions of queries in millisecond latency wit...
PPTX
Data Offload for the Chief Data Officer – how to move data onto Hadoop withou...
PDF
Postgres Vision 2018: Data as the New Oil
 
Adapting to the exponential development of technology
Risk listening: monitoring for profitable growth
Practical experiences using Atlas and Ranger to implement GDPR
Data Driven Development of Autonomous Driving at BMW
Climbing the AI Ladder
How data modelling helps serve billions of queries in millisecond latency wit...
Data Offload for the Chief Data Officer – how to move data onto Hadoop withou...
Postgres Vision 2018: Data as the New Oil
 

What's hot (20)

PDF
Postgres Vision 2018: AI Needs IA
 
PPTX
Lufthansa Reference Architecture for the OpenGroup
PDF
Postgres Vision 2018: How to Consume your Database Platform On-premises
 
PPTX
Worldwide Hybrid Cloud Computing Market – Drivers, Opportunities, Trends, and...
PDF
The Manulife Journey
PDF
Postgres Vision 2018: The Pragmatic Cloud
 
PDF
On Demand BI
PPTX
Postgres Vision 2018: Taking Postgres Everywhere
 
PPTX
Addressing Challenges with IoT Edge Management
PDF
Making Enterprise Big Data Small with Ease
PDF
Cloud Adoption, Risks and Rewards Infographic
PDF
Postgres Vision 2018: Making Modern an Old Legacy System
 
PPTX
PgConf 2018 - Postgres in a World of DevOps
 
PPTX
Harnessing the Power of Big Data at Freddie Mac
PDF
Three Dimensions of Data as a Service
PDF
Driving Digital Transformation Through Global Data Management
PPTX
Native Spark Executors on Kubernetes: Diving into the Data Lake - Chicago Clo...
PPTX
Defining a Digitalization Reference Architecture for the Pharma Industry
PDF
Postgres Vision 2018: Your Migration Path - Rabobank and a New DBaaS
 
PDF
Next generation Polyglot Architectures using Neo4j by Stefan Kolmar
Postgres Vision 2018: AI Needs IA
 
Lufthansa Reference Architecture for the OpenGroup
Postgres Vision 2018: How to Consume your Database Platform On-premises
 
Worldwide Hybrid Cloud Computing Market – Drivers, Opportunities, Trends, and...
The Manulife Journey
Postgres Vision 2018: The Pragmatic Cloud
 
On Demand BI
Postgres Vision 2018: Taking Postgres Everywhere
 
Addressing Challenges with IoT Edge Management
Making Enterprise Big Data Small with Ease
Cloud Adoption, Risks and Rewards Infographic
Postgres Vision 2018: Making Modern an Old Legacy System
 
PgConf 2018 - Postgres in a World of DevOps
 
Harnessing the Power of Big Data at Freddie Mac
Three Dimensions of Data as a Service
Driving Digital Transformation Through Global Data Management
Native Spark Executors on Kubernetes: Diving into the Data Lake - Chicago Clo...
Defining a Digitalization Reference Architecture for the Pharma Industry
Postgres Vision 2018: Your Migration Path - Rabobank and a New DBaaS
 
Next generation Polyglot Architectures using Neo4j by Stefan Kolmar
Ad

Similar to GDPR: the IBM journey to compliance (20)

PDF
1 -2-6 kista watson summit-gdpr ibm pov hogg-sm
PDF
2 -2-6 kista watson summit-gdpr how ibm preparing hogg-sm
PDF
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
PDF
GDPR what you should know and how to minimize impact on your business
PDF
20170323 are you ready the new gdpr is here
PDF
Explain your algorithmic decisions for gdpr
PDF
2016 11-17-gdpr-integro-webinar
PPTX
BigID GDPR Compliance Automation Webinar Slides
PPTX
GDPR: 20 Million Reasons to get ready - Part 1: Preparing for compliance
PPTX
Findability Day 2016 - What is GDPR?
PPTX
GDPR security services - Areyou ready ?
PPTX
Gdpr security services
PDF
Flash Friday: Data Quality & GDPR
PDF
GDPRIBMWhitePaper
PPTX
The EU General Protection Regulation and how Oracle can help
PPTX
GDPR How to get started?
PPTX
Data Protection and Comnpliance with the GDPR Event 22 september 2016
PPTX
Using GDPR to Transform Customer Experience
PDF
#HR and #GDPR: Preparing for 2018 Compliance
PPTX
DevOps vs GDPR: How to Comply and Stay Agile
1 -2-6 kista watson summit-gdpr ibm pov hogg-sm
2 -2-6 kista watson summit-gdpr how ibm preparing hogg-sm
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
GDPR what you should know and how to minimize impact on your business
20170323 are you ready the new gdpr is here
Explain your algorithmic decisions for gdpr
2016 11-17-gdpr-integro-webinar
BigID GDPR Compliance Automation Webinar Slides
GDPR: 20 Million Reasons to get ready - Part 1: Preparing for compliance
Findability Day 2016 - What is GDPR?
GDPR security services - Areyou ready ?
Gdpr security services
Flash Friday: Data Quality & GDPR
GDPRIBMWhitePaper
The EU General Protection Regulation and how Oracle can help
GDPR How to get started?
Data Protection and Comnpliance with the GDPR Event 22 september 2016
Using GDPR to Transform Customer Experience
#HR and #GDPR: Preparing for 2018 Compliance
DevOps vs GDPR: How to Comply and Stay Agile
Ad

More from DataWorks Summit (20)

PPTX
Data Science Crash Course
PPTX
Floating on a RAFT: HBase Durability with Apache Ratis
PPTX
Tracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFi
PDF
HBase Tales From the Trenches - Short stories about most common HBase operati...
PPTX
Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...
PPTX
Managing the Dewey Decimal System
PPTX
Practical NoSQL: Accumulo's dirlist Example
PPTX
HBase Global Indexing to support large-scale data ingestion at Uber
PPTX
Scaling Cloud-Scale Translytics Workloads with Omid and Phoenix
PPTX
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
PPTX
Supporting Apache HBase : Troubleshooting and Supportability Improvements
PPTX
Security Framework for Multitenant Architecture
PDF
Presto: Optimizing Performance of SQL-on-Anything Engine
PPTX
Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...
PPTX
Extending Twitter's Data Platform to Google Cloud
PPTX
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
PPTX
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
PPTX
Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...
PDF
Computer Vision: Coming to a Store Near You
PPTX
Big Data Genomics: Clustering Billions of DNA Sequences with Apache Spark
Data Science Crash Course
Floating on a RAFT: HBase Durability with Apache Ratis
Tracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFi
HBase Tales From the Trenches - Short stories about most common HBase operati...
Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...
Managing the Dewey Decimal System
Practical NoSQL: Accumulo's dirlist Example
HBase Global Indexing to support large-scale data ingestion at Uber
Scaling Cloud-Scale Translytics Workloads with Omid and Phoenix
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
Supporting Apache HBase : Troubleshooting and Supportability Improvements
Security Framework for Multitenant Architecture
Presto: Optimizing Performance of SQL-on-Anything Engine
Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...
Extending Twitter's Data Platform to Google Cloud
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...
Computer Vision: Coming to a Store Near You
Big Data Genomics: Clustering Billions of DNA Sequences with Apache Spark

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
PPT
Teaching material agriculture food technology
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Machine learning based COVID-19 study performance prediction
PPTX
Cloud computing and distributed systems.
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
KodekX | Application Modernization Development
PPTX
Big Data Technologies - Introduction.pptx
PPTX
A Presentation on Artificial Intelligence
PDF
Encapsulation theory and applications.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
Approach and Philosophy of On baking technology
Teaching material agriculture food technology
Per capita expenditure prediction using model stacking based on satellite ima...
Machine learning based COVID-19 study performance prediction
Cloud computing and distributed systems.
Dropbox Q2 2025 Financial Results & Investor Presentation
Understanding_Digital_Forensics_Presentation.pptx
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Building Integrated photovoltaic BIPV_UPV.pdf
KodekX | Application Modernization Development
Big Data Technologies - Introduction.pptx
A Presentation on Artificial Intelligence
Encapsulation theory and applications.pdf
Unlocking AI with Model Context Protocol (MCP)
Digital-Transformation-Roadmap-for-Companies.pptx
Diabetes mellitus diagnosis method based random forest with bat algorithm
NewMind AI Weekly Chronicles - August'25 Week I
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
MYSQL Presentation for SQL database connectivity
Mobile App Security Testing_ A Comprehensive Guide.pdf

GDPR: the IBM journey to compliance

  • 1. Dataworks Berlin GDPR : The IBM Journey to Compliance — Richard Hogg, Global GDPR Evangelist Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation
  • 2. Richard Hogg Global GDPR Evangelist IBM @banjaxx G- 36 DaysDataworks Berlin / April 19, 2018 / © 2018 IBM Corporation
  • 3. GDPR Legal Disclaimer Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here. Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation
  • 4. Simply… Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation GDPR Compliance Data Protection Personal Data
  • 5. The EU General Data Protection Regulation Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation GDPR From May 25th, 2018 Across 28 EU countries 4% of Global Revenue or €20M Potential Penalty Per-Incident Applies Globally to any Organization working with Personal Data of a Data Subject residing in the EU Or Profiling From the EU 5 Key General Data Protection Regulation Obligations Rights of EU Data Subjects Security of Personal Data Compliance & Legal Basis Accountability of Compliance Data Protection by Design and by Default
  • 6. Exemplar Types of Personal Data Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation Personal Data: an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Sensitive Personal Data: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. The commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
  • 7. 5 Phases to Readiness Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation GDPR Framework – Conduct GDPR risk & privacy assessments across governance, people, processes, data, security – Develop GDPR Readiness Roadmap – Identify & Map personal data – Design governance, training, communication, and process standards – Design privacy, data management and security management standards – Develop and embed procedures, processes and tools – Deliver GDPR training – Develop & embed standards & policies using Privacy by Design, Security by Design – Detailed Data Discovery – Execute all relevant business processes – Monitor security and privacy using TOMs – Manage Consent & data subject access rights Identify GDPR impact and plan Technical and Organizational Measures (TOM’s) Includes Data Protection controls, processes and solutions to be implemented TOMs in place: Personal Data discovery, classification and governance in place Begin the new GDPR ready way of working – Monitor, assess, audit, report and evaluate adherence to GDPR standards Assess Design Transform ConformOperate Monitor TOMs execution; deliver compliance evidence to internal and external stakeholders Assessments and roadmap Defined implementation plan Process enhancements completed Operational framework in place Ongoing monitoring and reporting ActivityOutcomePhase
  • 8. What Is IBM Doing for GDPR Readiness? Dataworks Berlin / April 19, 2018 / © 2018 IBM Corporation Our Market Commitment IBM has established a global project to prepare for GDPR, both for our internal processes and for our commercial offerings. IBM recognises that our customers will rely on IBM's offerings and technical assistance to achieve GDPR compliance within their own organisations and IBM is well-positioned to meet this critical need. Our GDPR Readiness Programme GDPR Programme Management Office IBM as a Data Controller Mission: Address IBM’s obligations for managing internal data. IBM as a Data Processor Mission: Ensure compliance and governance for all IBM offerings and services that process personal data. IBM GDPR Common Services Mission: Deploy enterprise tools and common services to facilitate GDPR-related policy, system and business process changes. IBM Vendor Management Mission: Align our supply chain to the upstream obligations we make to our clients and to our internal responsibilities. IBM Client & Contract Management Mission: Help make the client buying process GDPR ready. GDPR Go-To- Market Mission: Create a unified solution to help our clients with their GDPR readiness programmes. IBM has established a global readiness programme tasked with identifying the key impacts of the GDPR across IBM’s business and preparing IBM’s internal processes and commercial offerings for compliance with the GDPR. The programme is organised into several work streams, staffed with IBM’s top data privacy and security professionals. Focal points in each Business Unit are responsible for implementing the GDPR- related policy, system and business process changes mandated by the various key work streams. www.ibm.com/gdpr + new Audit Workstream
  • 9. Northern Trust Accelerated GDPR Readiness: “The journey we took to know, trust, use our data is now accelerating our readiness to GDPR. • Data cataloging efforts to map sensitive data elements across key applications improved company operations and accelerated our path to be GDPR ready • GDPR is now helping us to advance our metadata for other purposes such as data protection • With good quality data with embedded governance controls, my group is providing better service to my constituents so Northern Trust can better serve its customers.” Sanjay Saxena, Senior Vice President of Enterprise Data Governance at Northern Trust
  • 10. Use your data: Build a single source of truth to drive a 360-degree view of your data. Unleash insights and deepen customer relationships. Trust your data: Capture lineage, help ensure quality of dynamic data and stay on top of regulations. Know your data: Discover, find, integrate, classify and catalog all types of data.
  • 11. Driving Consumer Engagement, Innovation and Competitive Advantage. GDPR: 66% of users feel more empowered to share data once it has strong governance enablement*. Respect and treat personal data properly; Build personalized experience; Help Compliance readiness; Build brand value & loyalty. Source: Lock, Michael. “Data Governance 2.0: Uniting People and Information to Drive Real Business Results”, Aberdeen Group, 31 August 2017, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=IML14586USEN&
  • 12. Driving Value Beyond GDPR Compliance. The Value of Governance: Making data cleaner and more trustworthy contributes to a technology environment that is easier to interact with, protecting data, and guiding users toward the data they need to support their decisions. Find-Share-Collaborate: − Break down data silos − Make structured and unstructured data available through a self-service model − Turn complex business data into business value − Be proactive in the face of a changing regulatory environment. Data Governance 2.0: “Uniting people and information to drive real business results” (Aberdeen Group study, August 2017)
  • 13. Opportunities the GDPR Presents to All: 1. Reinforcing accountability with your customers; 2. Digital engagement and personalisation; 3. Improved data management and understanding
  • 14. Build once. Address many needs. Accelerate innovation. Archiving; Records and retention; Audit readiness; Self-service access to data and analytics; Discovery; 360-degree information driven insights; Regulations (such as GDPR); Privacy and protection; EDW optimization; Trusted Analytics Foundation
  • 15. AI & ML GDPR Accelerators
  • 16. Compare and Comply. Watson Compare & Comply allows attorneys to load contracts and other data such as regulations from any source and have Watson analyze and consider the key language, clauses or paragraphs driving the need for further analysis or change. Watson considers the contractual terms, regulations or other terms and highlights paragraphs / sentences that contain control requirements (implicit/explicit). Users confirm the validity. Visualize how effectively controls have been assessed per regulation. GDPR Outcome: Creates a range of bespoke reporting to allow a clear view of where remediation is required, with clear traceability back to impacting new regulations, existing regulations or contractual terms. A clear link back to impacting regulation or de-regulation can be seen to support prioritization and discussions with the regulator.
  • 17. Accelerate Taxonomy and Personal Data Mapping via Industry Model. Business Taxonomy for Industries mapping each GDPR term to business terms & objects, by Article: − Consumable for Unified Governance Catalog execution by using IGC. Helps pre-define common classes and types of Personal data to find and manage under GDPR: − Helps define and accelerate determining which personal data types your business uses − Helps define the examples and methods of finding and managing such personal data. GDPR Outcome: An immediate re-usable taxonomy and framework of business terms, for what personal data is used in the business, towards a complete Mapping and inventory to a defensible ‘Article 30 Record of Processing of Personal data’ across the business. [Figure labels: Marked up GDPR Regulation; Supportive Content of all GDPR nouns in IGC; Each relevant noun in the text points to equivalent IGC Term; Industry agnostic representation of GDPR regulation]
  • 18. Governance Value Beyond GDPR. Brand Value & Loyalty: Strengthen your brand by defining and publishing ethical standards for handling personal data, both internal (employees) and external (clients): a quality necessity for the digital age! Grow revenue, reduce churn and acquisition costs. Become ‘data driven’, Personalized: Establish key projects like implementing Data Governance or creating a 360 Client View to transform your organization to be data driven as part of your GDPR implementation. Better customer insight and targeted marketing. Compliance Readiness and Business Productivity: Established best practices for stewardship and efficiency of data projects and for confidence in handling future regulation. Show respect & trust for Personal Data: Derive guidelines for handling personal data and raise awareness as part of your organization’s values. [Figure: Building Block Journey: Assessment; Discovery and mapping; Records of processing activity; Access by the data subject; Governance and lifecycle management; Consent]
  • 19. GDPR Building Blocks. Discovery and Mapping (Art. 4-5): IS EE (IA, IGC), StoredIQ w/Cartridges, Industry Models w/GDPR content. Records of Processing Activities (Art. 30): GDPR Template w/IS EE, StoredIQ, Cognos 11. Manage Consent (Art. 4-7): MDM w/ Consent Mgmt & Profiles. Governance and Lifecycle Management (Art. 5): IS EE (IGC), Optim TDM & DP / TD Fabrication / Archive, Atlas, StoredIQ for Legal. Data Subject Access (Art. 15): IGC, MDM, Atlas, StoredIQ, Optim, Case Manager Analytics. [Figure: Building Block Journey: Assessment; Discovery and mapping; Records of processing activity; Access by the data subject; Governance and lifecycle management; Consent]
  • 20. Discovery and Mapping (1. Articles 4-5). Know your relevant data: Understand where personal data resides. Define your inventory of Personal Data. Discover where Personal Data is stored. Reveal ‘shadow’ data stores. Process structured and unstructured data and store results in a common catalog. Leverage GDPR specific content in Industry Models and GDPR Cartridges for StoredIQ (RegEx & ML). Tools: Information Analyzer for Structured Data; StoredIQ for Unstructured Data; Industry Models for Business Vocabulary Conformance; Information Governance Catalog
  • 21. Extensive Personal Data Discovery with GDPR Cartridges. Plug-in discovery accelerators to find a more extensive set of EU citizen personal data: − Maximising the use of RegEx strings − Leveraging Machine Learning Annotators to auto-discover personal data entities such as Names, Addresses, Countries that can’t be defined or found by RegEx − Tailorable & extensible by clients. Proven enterprise-scale capability to assess in-place the common sources and types of unstructured information: − Heatmap view to prioritise where Personal information has been found − Actionable outcomes and exports of specific data types and files for remediation & mapping. GDPR Outcome: Rapidly discover the most common Personal data in all the usual places, avoiding internal time and resources trying to define and manage these rules; ensuring IT can help other stakeholders reduce Risk and Cost of Discovery.
  • 22. What Is Data Mapping? GDPR Article 30: Records of Processing Activities. Article 30 of Regulation (EU) 2016/679. [Figure labels: controller, processor, written, sme, regulator; who, why, what, where, when, way]
  • 23. Records of Processing Activities (2. Article 30). It enables companies to address the requirements of the GDPR defined in Art. 30 through appropriate tooling and a set of artefacts provided through our GDPR Template. Art. 30 GDPR: Records of processing activities: Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
  • 24. Data Subject Access Requests (3. Article 15). Enterprise scale consistent auditable processing for all DSAR requests, leveraging a single catalog, policy and processing criteria for each data subject. Streamline the DSAR decision and template repeatable but personalized responses within 30 days back to the data subject. Provide auditable tracking, management and execution of all types of DSARs for Art. 15.
  • 25. Governance and Lifecycle Management (4. Article 5). Mask personal identifiable information with realistic but fictional data, de-identify sensitive information; mask complete business objects across heterogeneous databases & applications; when needed, generate synthetic test data. Govern the lifecycle of data with archival, records management, and defensible disposal. Drive to Data Minimisation under GDPR. [Figure labels: JASON MICHAELS, ROBERT SMITH] DBA View: Referentially-intact subsets of data across related tables & applications, including metadata. Business View: Overall historical “snapshot” of business activity, representing an application data record, e.g. payment, invoice, customer
  • 26. Manage Consent (5. Articles 4-7). A Consent Service providing a framework for obtaining, maintaining and applying where specific consent is required, for some GDPR data processing, away from the current blanket single consent commonly imposed. Supports any categories of Consent or Sharing preferences for data subjects, flexible and changeable by them at any time. Each Consent is more granular, specific for each Purpose and clearly conveys What data is related to that consented purpose. Where required, explicit transparent Purposeful Consent of any personal data processing is available for data subjects and processors to know and understand how it can be and is used.
  • 27. Consent Management
  • 28. What’s New for GDPR? RegulatoryML Lab Concept
  • 29. What’s New for GDPR? Blockchain Whitepaper: ibm.biz/blockchain-gdpr. Using real-world examples, this paper explores how blockchain could address five areas associated with GDPR compliance: Rights of EU Data Subjects, Security of Processing, Lawfulness and Consent, Accountability of Compliance, and Data Protection by Design and by Default. In this paper, for each of the areas, we provide a point of view on how blockchain applies, we describe project examples, and we explore challenges and opportunities.
  • 30. Thank you. Richard Hogg, Global GDPR Evangelist, rghogg@us.ibm.com, +1-703-963-2900, ibm.com, @banjaxx