EU General Data Protection Regulation - IBM · 2017-02-10


© 2017 IBM Corporation

EU General Data Protection Regulation

Steve Norledge, UKI GDPR Leader

Sol Barron, Information Governance Specialist

February 2017

Getting Started with GDPR

Slide 2

GDPR significantly extends EU member-state data privacy regulation

EU citizen rights enhanced, harmonised and extended globally
• Inform / access / rectify / erase / object
• Give or withdraw specific consent for each data use
• Insight into automated decision-making
• Transfer personal data to another provider (portability)

Organisational impact
• Data controllers and data processors liable for breaches
• Data controllers legally bound to validate each data processor's compliance
• Data Protection Officer obligatory (mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data)
• Stringent data security and breach management (a breach must be notified to the supervisory authority within 72 hours of the controller becoming aware of it, where feasible)
• Conditions for cross-border data transfer altered

Broadened scope of 'personal data'
• All direct and indirect identifiers
• Behavioural, derived and self-identified data
• Unstructured data
• Format and technology agnostic

Increased cost of non-compliance
• Fines up to 4% of worldwide annual turnover or €20 million, whichever is higher
• Data protection (supervisory) authorities empowered
• Increased activist and court activity
• Increased risk and cost of reputational damage

Slide 3

Focused on the citizen...

Subject Access Request: “What information do you hold on me and what do you use it for?”

Breach Notification: “Tell me if my personal data has been breached. Was it encrypted?” (The encryption question matters: notification to the affected individuals is not required where the breached data was rendered unintelligible to anyone not authorised to access it, for example by encryption.)

Rectification & Data Portability: “I want you to correct my data and then I want to take my data to a new provider”

Erasure: “I want to be forgotten by you”

Consent Management: “Make it easy for me to manage how I consent to share different types of personal data with you”

Data Transfer: “I want to transfer or process this data in a different country”

Privacy Impact Assessment: “I want to develop a new process using personal data. Am I allowed to gather, augment and analyse all this personal data?”

Access Management: “Do I have the right data access privileges to allow access to the data I need to run my new process?”

Slide 4

...IBM’s five layer model for GDPR

Governance: GDPR governance, covering amongst others legal assessment, third party management and risk and compliance; DPO role

Communications & People: people and communications, covering employee awareness and training, and internal and external communication

Data: data, covering personal data life cycle management and citizen interaction

Process: processes, covering the GDPR readiness of HR, CRM and other business processes

Security: security, covering cyber security technologies to protect critical personal data and capabilities that enable timely breach notification

Slide 5

IBM supports your GDPR timeline until 2018 and beyond…

GDPR Timeline (Now → May 2018)

Diagnose (2H 2016): legal review; identify gaps; impact analysis.
Many firms are currently working through the legal interpretation. IBM can support the gap and impact analysis.

Define, Design and Build (2017): Governance; People & Communications; Process; Data; Security; Test & Assure.
IBM can speed up your deployment programme at a reduced cost by bringing GDPR solutions, tools and accelerators across the full spectrum of your needs.

Deliver and Demonstrate (1H 2018): deploy to production; demonstrate compliance (ongoing).
IBM can provide the capabilities to help you deliver and demonstrate your GDPR capability.

May 2018: the GDPR applies from 25 May 2018.

Slide 6

So What Do You Do?

PREPARE

Slide 7

What Does GDPR Ask of You?

The GDPR is all about acting responsibly with personal information, in its widest sense.

Therefore, in broad terms, compliance with GDPR will require you to:
• Understand your data, in order to
• Protect your data, and
• Govern your data

Wherever it is (databases, file shares, email systems, storage boxes)
In whatever format it is (structured, unstructured, audio, etc.)

Slide 8

IBM Solution Framework

Framework layers:
• Dynamic Policy Management: define what, why, how long
• Data Infrastructure: control use, align cost to value
• Implementation Services: distribute policies to data sources
• Data Management across the data sources: Email Servers; User Devices & File Shares; ECM & Collaboration; Archive Platform; Master Data; Cloud & Social; Databases & Data Warehouse; Hadoop Platform

GDPR themes addressed: Lawfulness and Consent; Design and Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data

Policies · Rules · Audit · Processes · Analyses

Security & Compliance Monitoring

IBM products in the framework: IBM Case Manager; InfoSphere; IBM Atlas; Optim

Slide 9

StoredIQ – Understanding Your Unstructured Data

• Fast discovery of unstructured data across the enterprise, scaling to hundreds of terabytes and to petabytes:
  o Where the data is
  o What the data is
  o How big the data is
  o What the data is called
  o Who created the data
  o Deep knowledge of the data, many layers of attributes

Slide 10

StoredIQ – Deeper Analysis

• Open each text file
• Index its content:
  • Words, phrases, names
  • Patterns: National Insurance numbers, credit cards, IDs, etc.
• Auto-classification:
  • Classifies content based on a user-definable taxonomy
  • No coding required, uses Natural Language Processing
  • Provides additional overlay/filter analysis capability
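The pattern detection this slide describes, written out as an added example (not StoredIQ or any other IBM code): a small scanner that finds UK National Insurance numbers and payment card numbers in unstructured text and validates each hit before reporting it, then assigns a crude classification label. The regexes, the NI prefix rules, the Luhn check, the sample documents and the label names are all assumptions of this example.

```python
"""Minimal PII pattern scanner for unstructured text.

Added example, not StoredIQ or other IBM code. It shows the kind of
pattern detection the slide lists (National Insurance numbers, card
numbers) with validation to cut false positives. The sample documents
at the bottom are constructed for the example and contain no real data.
"""
import re
from dataclasses import dataclass

# UK National Insurance number: 2 letters, 6 digits, suffix A-D.
# Letters D, F, I, Q, U, V never appear in the prefix, O is not allowed
# as the second letter, and a few two-letter prefixes are never issued.
NINO_RE = re.compile(r"\b([A-Z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b")
INVALID_NINO_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def nino_ok(prefix: str) -> bool:
    """Apply the prefix rules for a UK National Insurance number."""
    first, second = prefix[0], prefix[1]
    if first in "DFIQUV" or second in "DFIOQUV":
        return False
    return prefix not in INVALID_NINO_PREFIXES


@dataclass(frozen=True)
class Finding:
    kind: str        # "nino" or "card"
    value: str       # matched text as it appeared in the document
    offset: int      # character offset within the document


def scan(text: str) -> list[Finding]:
    """Return validated NI-number and card-number hits found in text."""
    findings = []
    for m in NINO_RE.finditer(text):
        if nino_ok(m.group(1)):
            findings.append(Finding("nino", m.group(0), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def classify(doc: str) -> str:
    """Crude auto-classification: label a document by the PII it contains."""
    kinds = {f.kind for f in scan(doc)}
    if "card" in kinds:
        return "payment-data"
    if "nino" in kinds:
        return "hr-personal-data"
    return "no-pii-detected"


# Constructed sample documents (not real data). 4111 1111 1111 1111 is the
# well-known Visa test number and passes Luhn; 1234 5678 9012 3456 fails it.
SAMPLE_DOCS = {
    "payroll.txt": "Employee AB123456C started 2017-02-01. Ref ticket 12345.",
    "expenses.txt": "Card on file: 4111 1111 1111 1111, refund to 1234 5678 9012 3456.",
    "notes.txt": "Invalid prefix example BG123456A should not count.",
}

if __name__ == "__main__":
    for name, doc in SAMPLE_DOCS.items():
        print(name, classify(doc), [f.value for f in scan(doc)])
```

A bare regex for sixteen digits flags invoice numbers and timestamps as card data; the Luhn check and the NI prefix rules drop most of those, and the same validate-before-report structure extends to any further identifier type added to the taxonomy.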

Slide 11

Atlas Policy Suite provides broad support for regulatory and legal compliance

The IBM Atlas Policy Management Suite is a pivotal component of the IBM Information Lifecycle Governance (ILG) solution portfolio:
• Helps organizations improve information economics and reduce risk by enabling defensible disposal of data debris
• Aligns information cost to value through value-based archiving and tiering
• Reduces information risk by instrumenting privacy, electronic discovery (eDiscovery), and regulatory policy across the data environment

Primary features include:
• Incorporates a citation database of relevant legislation, regulation and policy
• Maintains an organizational, multi-jurisdictional retention file plan for all information types with cross-reference back to the corresponding citation
• Provides a catalogue of data sources (processes, data repositories, applications, etc.)
• Maps all information types to the data sources which utilize them as well as the business units and individuals who own the information

Slide 12

Let’s take a look…