The document discusses the General Data Protection Regulation (GDPR) which will replace data protection laws in the EU in May 2018. It will fundamentally change how companies manage personal data, imposing fines up to 20 million Euros for noncompliance. The document outlines key terms like personal data, sensitive personal data, data controllers and processors. It provides questions companies should ask themselves to assess readiness and an example roadmap for a company to implement a GDPR compliance program.

1. General Data Protection
Regulation (GDPR)
IBM APPROACH DESCRIPTION
IBM Security Services
19 September 2016

2. 2 IBM Security
• GDPR will replace national data protection laws of all
28 EU member states in May 2018
• GDPR also has international reach – applying to any
organization that processes data of EU data subjects.
• Fines for non-compliance will increase substantially up
to a maximum fine of € 20 million or 4% of global
annual sales, whichever is higher
• GDPR will fundamentally change the way companies
must manage personal data
10/31/201
GDPR = General Data Protection Regulation
IBM is getting ready: as large data processor IBM understands its responsibilities and
has set up an Advanced Data Protection Program that will also help its customers
addressing the GDPR!
2

3. 3 IBM Security
Supervisory Authority:
• Data protection regulators.
• One-Stop shop: Companies active in multiple EU countries can choose a first point of contact,
e.g, a central supervisory authority for all their business in the EU. This lead supervisory
authority then supervises all processing activities throughout the EU.
• The EU will create a European Data Protection Board (EDPB) to arbitrate during disputes
arising from supervisory authority decisions.
Data Protection Officer (DPO):
• Advises & monitors GDPR/privacy law/policy compliance, conducts awareness trainings,
advises wrt privacy impact assessments (PIA) / audits, contact for supervisory authorities.
• A DPO can be a member of staff or a hired contractor. Group companies can share a DPO.
• DPO's contact details must be published.
• Public authorities (with some minor exceptions).
• Any organisation that processes personal data on a "large scale" or that monitor personal
data.
• Companies in e.g., Germany (national law).
Processor:
• Person (legal entity or individual) that processes personal data on behalf of the controller
• Example: typically IBM in the context of providing services to a client (e.g., client payroll)
Controller:
• Person (legal entity or individual) that determines the purpose and the means of the
processing of personal data
• The controller has responsibility to determine and implement appropriate technical and
organizational measures to protect the personal data against accidental or unlawful destruction
or accidental loss, alteration, unauthorized disclosure or access
• Example: If IBM runs the payroll service for a client, the client has to fulfill the role of controller
to ensure that the payroll service is getting only the information necessary for processing
Processing:
• operations performed on personal data
• EU Directive gives examples: collection, recording, organization, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, blocking, erasure or destruction
Sensitive Personal Data: Subcategory of Personal Data
• Gets extra protection under the law information about racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership, health, sex life (again not closed
list; can be extended based on the national legislation)
Personal Data:
• information that can identify a person (individual), not a legal person (e.g., a company).
There’s no closed list on what personal data is.
• Examples are: name, email address, telephone number, address, license plate, an IP
address, a photo, a combination of info that could lead to identifying a person.
• In other parts of the world (e.g,. In the US and thus also IBM internally) the term “Personal
Identifiable Information” (PII) is often used. Rather similar term (ignoring legal subtleties)
Supervisory
Authority
Terms
The most important terms you need to know when talking about Data Privacy.
Personal Data
• Sensitive
Personal Data
Controller
Data
Protection
Officer
Processing Processor
Personal Data
• Sensitive
• Personal Data
Controller
Data
Protection
Officer
Processing Processor
Supervisory
Authority
View slide in presentation mode!

4. 4 IBM Security
Ready for GDPR? Questions to Ask Yourself
• Where do you process personal data? Where do you store personal data? Do
you move personal data outside the EU?
• Do you deploy privacy by design techniques? Have you set up organizational and
technical measures to prevent uncontrolled collection, unauthorized access and
retrieval of personal data?
• Do you have a data classification program to produce a copy on record of
personal data?
• Do you have a response process to address requests by individuals? Are you
able to provide evidence that you deleted personal data as requested?
• Do you have a data governance program in place? Have you set up
organizational measures (access limitation, processes, governance, collection
minimization)
• Do you actively monitor external news on data breaches? Do you have a
remediation process to address data breaches? Do you have an established
ERS?
Do you collect
personal
data?
Do you move
personal data
outside the
EU?
Have you set up organizational
and technical measures to
prevent uncontrolled
collection, unauthorized
access and retrieval of
personal data?
Do you have a
data
classification
program?
Do you collect
sensitive
personal
data?
Do you have a
data
governance
program in
place?
Do you have a
response
process to
address
requests by
individuals?
Are you able
to produce a
copy on
record of
personal data
on request?
Do you have a
designated
responsible
for privacy in
your
organization?
Where do you
store personal
data?
Do you have a remediation
process to address data
breaches? Do you have an
established ERS?
Do you
actively
monitor
external news
on data
breaches?
Do you deploy
privacy by
design
techniques?

5. 5 IBM Security
Legal
Getting
Ready
Program Setup
Program Execution and
Implementation
Why IBM?
Readiness
Assessments
(Legal)
Consulting
Services
Security
Software
Implementation
Guidance
IBM covers the full program with
• Legally-trained consultants for the readiness phase
• Data protection experts for consulting services for
business
• Industry-leading security tools
• Implementation specialists

6. 6 IBM Security
IBM helps addressing Protection of Personal Data in all Phases.
IDENTIFY
personal data
Security
Intelligence
Awareness
Gap Analysis
Identification of
Personal Data
PREVENT
privacy violations
Identity&Access
Management
Database
Security
Privacy by
Design
Data Masking &
Encryption
MANAGE
personal data
Third-Party
Management
Data
Governance
Privacy
Officer
Information
Requests
DETECT & RESPOND
data breach handling
PersonalDataProtectionProgram
Emergency
Response Services
Monitoring &
Detection Remediation
Resilient
Systems
Access Rights
Mapping

7. 7 IBM Security
Roadmap GDPR Program (Example 1)
Manufacturer w existing SIEM / SOC (8x5) capabilities.
IT environment managed by third party.
Delivery team: Data Privacy Experts and SOC/SIEM consultants.
2016 2017 2018
Phase Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
Project Mobilization & Identification of Personal Data
Set up Data Protection Governance
IDENTIFYMANAGEPREVENT
Work Stream 1
Work Stream 2
Work Stream 3
Embedding Privacy by Design
Establishing Data Breach Protection & Monitoring
GDPR Enforcement
May 2018
DETECT&
RESPOND
Work Stream 4
Continuous Data Protection
capabilities delivery
Applied PbD Compliance Model
New Trends &
Technologies

8. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU