Technology giant IBM is one of the world's largest processors of information, so ensuring compliance with the upcoming General Data Protection Regulation is essential. The company provides its clients with a range of data privacy, security and governance offerings and is introducing these same readiness programmes internally across its enterprise.
That programme is divided into a series of work streams that cover the different areas of IBM.
They include an evaluation of IBM's work as a data controller through services provided to internal businesses like The Weather Company, how IBM processes information for customers using its products, and the common services used both internally and by external clients.
"The programme is evolving as we progress our readiness," says Richard Hogg, IBM's global GDPR evangelist. "The latest work stream added is around audit. It will be checking and validating and confirming that we comply and maintain compliance for each of the other work streams and executed enterprise-wide."
The company is documenting the development of its procedures around GDPR on an ongoing basis. This will allow the company to clearly convey to regulators the steps taken internally to ensure compliance.
Understanding its data
GDPR requires companies to gain a detailed understanding of the type of data they have and where it is.
"Now, with GDPR, you have to have a laser focus and know exactly what is personal data and what is sensitive personal data, because you may have extra data protection or data privacy obligations on the information," Hogg explains.
IBM has developed a 'pathways framework' to identify and categorise that data. The company's chief data officer and chief privacy officer will take the lead on ensuring compliance, with key contact points appointed at every business unit. They will know the precise scope and the timeline of what needs to be done, according to their work stream and the gap analysis assessment.
"The first step is to do a privacy risk impact assessment and high-level mapping," says Hogg.
Each of IBM's major business units and services is assessed on where they are currently on the path to GDPR compliance. The company then develops a programme to fill any gaps in each work stream and establishes the technical and organisational measures it needs to put in place.
This process involves a detailed discovery task on priority data sources. The subsets of personal data are compiled in a central catalogue, ensuring the company maintains a record of its processing activities and can respond to relevant requests from regulators or data subjects.
High-risk data such as that obtained through IBM Watson Health is a particular area of focus for the assessments.
IBM operates in more than 170 countries and has to meet numerous overlapping regulations around the world. To ensure employees understand the requirements of compliance as well as their personal obligations, the company offers regular training and is rolling out a programme specifically for GDPR preparation.
"Data privacy and data ethics is a key fundamental part of IBM and is in all the annual ethics and training that all employees get a refresh on," says Hogg. "Adding GDPR is a focused but straightforward add on top of that."
Privacy by design
GDPR places a strong emphasis on privacy by design that is embedded across the organisation. These principles were already a cornerstone of governance at IBM, but the company refreshed its practices to adhere to the specific requirements of GDPR.
"We've been doing a privacy impact assessment on literally every one of our products and offerings and services, looking in detail exactly for this product, exactly what and how does it deal with personal data," says Hogg.
These assessments cover how any data is created, captured and stored, down to the processing of IP addresses, which are a form of personal identifier.
For companies such as IBM that already have a high standard of data protection practices throughout the organisation, GDPR can be more of a chance to enhance their practices than a threat to business.
"There's an opportunity to tighten things up further and focus the process to make sure you're identifying and treating data in the right way through its life," explains Hogg.
IBM already had processes in place for the monitoring, handling, and reporting of security breaches, which the security exchange team has revised around the set of obligations specific to GDPR.
GDPR also enhances the requirements for consent from data subjects, which must be specific, granular and auditable, so IBM has examined each area of its business for when user consent is needed.
"Consent shouldn't really be a panacea that you think you need to do or apply everywhere," says Hogg. "It's one of the six types of lawful processing under GDPR. If you choose to do consent, you're taking on the most onerous and burdensome obligations.
"For many types of personal data on the processing we do today, it's really covered under legitimate processing as a normal course of business already, so you may not need consent for everything.
"But we're reviewing every service and offering with clients, and determining which will need consent and looking to have a common consent service enterprise-wide that will simplify and consolidate that burden, both for us and for data subjects."
GDPR gives data subjects a series of enhanced subject access rights, including the right to be informed, the right to rectification, the right to erasure and the right to data portability.
To ensure IBM can respond to these requests, the company has put in place capabilities to capture, validate and authenticate requests through enterprise-wide profiling and data management.
"Once we've authenticated you as the data subject requester, we can then quickly find where are the 15 places that we potentially have stuff about you, and then go in, do a deeper dive and search, collate, and review that information," explains Hogg.
Companies are not obligated to execute every request made by a data subject. To manage requests in line with other responsibilities and the company’s requirements under GDPR, IBM has also implemented a review of information governance policies and legal hold obligations.
Hogg's advice for other companies is simple: "You can't wait. From our point of view, the minimum readiness by May next year is to at least have completed your privacy impact assessment. I work with clients who are really just starting that today, but there's still time to complete that.
"Then, have an initial catalogue so that you know the personal data in your business, where it is, its lineage and what processing you do. That would form the basis that you could use if and when the regulator comes knocking from May next year, as part of your Article 30 response.
"The programme will evolve, so don't be locked into one particular design or set of policies. It will evolve and iterate, especially as you start to do table checks or dry runs, which is a key test that should be in any programme."