General Data Protection
IBM APPROACH DESCRIPTION
IBM Security Services
19 September 2016
2 IBM Security
• GDPR will replace national data protection laws of all
28 EU member states in May 2018
• GDPR also has international reach – applying to any
organization that processes data of EU data subjects.
• Fines for non-compliance will increase substantially up
to a maximum fine of € 20 million or 4% of global
annual sales, whichever is higher
• GDPR will fundamentally change the way companies
must manage personal data
GDPR = General Data Protection Regulation
IBM is getting ready: as a large data processor, IBM understands its responsibilities and
has set up an Advanced Data Protection Program that will also help its customers
address the GDPR.
• Data protection regulators.
• One-stop shop: companies active in multiple EU countries can choose a first point of contact,
e.g., a central supervisory authority for all their business in the EU. This lead supervisory
authority then supervises all processing activities throughout the EU.
• The EU will create a European Data Protection Board (EDPB) to arbitrate in disputes
arising from supervisory authority decisions.
Data Protection Officer (DPO):
• Advises on and monitors GDPR/privacy law/policy compliance, conducts awareness training,
advises with regard to privacy impact assessments (PIA) / audits, and is the contact for supervisory authorities.
• A DPO can be a member of staff or a hired contractor. Group companies can share a DPO.
• DPO's contact details must be published.
• Public authorities (with some minor exceptions).
• Any organisation that processes personal data on a "large scale" or that monitors personal
• Companies in e.g., Germany (national law).
Processor:
• Person (legal entity or individual) that processes personal data on behalf of the controller
• Example: typically IBM in the context of providing services to a client (e.g., client payroll)
Controller:
• Person (legal entity or individual) that determines the purpose and the means of the
processing of personal data
• The controller has the responsibility to determine and implement appropriate technical and
organizational measures to protect the personal data against accidental or unlawful destruction
or accidental loss, alteration, unauthorized disclosure or access
• Example: if IBM runs the payroll service for a client, the client has to fulfill the role of controller
to ensure that the payroll service receives only the information necessary for processing
Processing:
• Operations performed on personal data
• The EU Directive gives examples: collection, recording, organization, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, blocking, erasure or destruction
Sensitive Personal Data: Subcategory of Personal Data
• Gets extra protection under the law: information about racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership, health, sex life (again not a closed
list; it can be extended based on national legislation)
Personal Data:
• Information that can identify a person (individual), not a legal person (e.g., a company).
There is no closed list of what personal data is.
• Examples are: name, email address, telephone number, address, license plate, an IP
address, a photo, or a combination of information that could lead to identifying a person.
• In other parts of the world (e.g., in the US, and thus also IBM internally) the term "Personally
Identifiable Information" (PII) is often used, a rather similar term (ignoring legal subtleties).
The most important terms you need to know when talking about Data Privacy.
Ready for GDPR? Questions to Ask Yourself
• Where do you process personal data? Where do you store personal data? Do
you move personal data outside the EU?
• Do you deploy privacy by design techniques? Have you set up organizational and
technical measures to prevent uncontrolled collection, unauthorized access and
retrieval of personal data?
• Do you have a data classification program to produce a copy on record of
• Do you have a response process to address requests by individuals? Are you
able to provide evidence that you deleted personal data as requested?
• Do you have a data governance program in place? Have you set up
organizational measures (access limitation, processes, governance, collection
• Do you actively monitor external news on data breaches? Do you have a
remediation process to address data breaches? Do you have an established
Program Execution and
IBM covers the full program with
• Legally-trained consultants for the readiness phase
• Data protection experts for consulting services for
• Industry-leading security tools
• Implementation specialists
IBM helps address the protection of personal data in all phases.
[Slide diagram; recoverable labels: Data Masking &, DETECT & RESPOND, data breach handling]
Roadmap GDPR Program (Example 1)
Manufacturer with existing SIEM / SOC (8x5) capabilities.
IT environment managed by third party.
Delivery team: Data Privacy Experts and SOC/SIEM consultants.
Timeline: quarterly phases from Q2 2016 to Q4 2018 (Gantt chart in the original slide; the quarter-by-quarter scheduling is not recoverable from the text).
Phases and work streams shown:
• Project Mobilization & Identification of Personal Data
• Set up Data Protection Governance
• Work Stream 1
• Work Stream 2
• Work Stream 3
• Embedding Privacy by Design
• Establishing Data Breach Protection & Monitoring
• Work Stream 4
• Continuous Data Protection
• Applied PbD Compliance Model
• New Trends &