Organisations are becoming aware that the General Data Protection Regulation (GDPR) may require a transformational shift in how they manage the personal information of EU data subjects – but they may not know the best approach to take.
The current challenge is less about the risk of breaching the new data protection regulations, which become enforceable in May 2018, and more about knowing what is required to avoid the potential financial and reputational damage of a breach.
A potential fine of up to $20m or 4% of global revenue (whichever is greater) for a GDPR breach is galvanising action, but many organisations are struggling with aspects of the journey towards GDPR readiness, and we believe that a roadmap and the right partner can help them arrive safely.
The GDPR journey
Richard Hogg, global GDPR & governance offerings evangelist at IBM Cloud, points out that companies are at different stages of the journey, but may be struggling with the full ramifications of the new rules and the next steps.
“GDPR is all around the personal data of data subjects, which includes any employees, and any external customers and clients you have. Data privacy regulations across the 28 EU states have raised the bar for obligations surrounding personal data. You must know what data you have, where it is stored, how it is processed, secured and protected,” says Hogg.
EU data subjects have new rights. For example, a customer who no longer wants a business relationship has the “right to erasure”, which means the deletion of any personal data held on them. They can also submit a subject access request to discover what personal data an organisation holds on them; the organisation must respond within a month and may not charge a fee. The right of portability means their data can easily be moved to a new supplier, and GDPR prescribes strict standards of data quality.
Organisations must have explicit consent from data subjects for their data processing purposes. Data transparency is fundamental, and data security and privacy are vital.
If there is a breach of GDPR, a company must report this within 72 hours to the proper regulatory authority and possibly the data subject.
Role of the data processor
Many organisations will turn to a cloud service provider to help with these GDPR challenges, but using a third party – what the regulation calls a data processor – is not a way to abdicate responsibility for ensuring compliance, because that obligation stays with the company as the data controller. Nonetheless, using a cloud service provider can undoubtedly ease readiness and reduce the workload.
“One of the biggest challenges facing organisations is that they don’t know what personal data they have in multiple systems, with no clear view of where it is from and where it goes to during processing,” says Hogg.
IBM Cloud can help with these challenges by conducting a privacy impact assessment (PIA) to provide a Record of Processing Activities, which is an obligation under Article 30 of GDPR.
“A PIA can help with determining data lineage, and categories of data and how it is processed and the requirement of consent. It surveys across the enterprise and identifies potential gaps against GDPR policies,” says Hogg.
Following analysis with a PIA, which can take just weeks, IBM Cloud can help you migrate your data to its platform, simplifying your GDPR readiness journey by categorising and protecting that data.
High-level data mapping, which identifies data at risk of breaching GDPR, can be accelerated using IBM tools. They work bottom-up, searching for pre-defined data types and cataloguing what data is held where.
“You can identify and delete obsolete data and determine whether you need explicit consent for data processing from a data subject,” says Hogg.
IBM Cloud can help organisations identify where their data resides – in the cloud or on premises – and help them discover and map that data for GDPR readiness.
“Organisations could choose to move more of their data to the cloud going forward. IBM Cloud can help with infrastructure deployment around security and privacy of data processing. They can benefit from its strong capabilities for data privacy, security and protection,” says Hogg.
If unauthorised access occurs, IBM Cloud offers “incident management as a service” to help clients discover the source of the problem.
“GDPR gives organisations only 72 hours in which to report a breach. Discovery commonly takes a company 150 days. IBM Cloud can help a client meet that deadline. It has monitoring ability in spades,” says Hogg.
For a GDPR readiness assessment visit www.ibm.com/gdpr or speak with a cloud seller about GDPR readiness.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability.