Overview
With an enforcement date of May 25, 2018, the GDPR is designed to unify data privacy requirements across the European Union (EU). If you market to or process the information of EU Data Subjects – which include end users, customers and employees – you need to learn how to address these key requirements.
Where are you on your GDPR journey?
Starting at the beginning
The GDPR readiness assessment from IBM® can help you identify the areas of your business that will be affected by GDPR and evaluate your current practices against the requirements. Get started with the GDPR readiness assessment from IBM, which includes a gap analysis and a roadmap for moving forward.
Gaining traction
The IBM Security Guardium® Analyzer solution lets you apply a next-generation classification engine with pre-built GDPR-oriented data patterns, together with vulnerability scans of your data, in order to give your compliance or audit teams prioritized risk information.
Operationalizing your program
The Resilient Incident Response Platform can help you fulfill GDPR obligations and help streamline your incident response and breach notification time. GDPR-specific components have been incorporated into the platform, including the GDPR preparatory guide, the GDPR simulator, and the GDPR-enhanced privacy module.
Phases
Privacy requirements
Assess your current data privacy posture under all of the GDPR provisions. Discover where protected information is located in your enterprise.
Prepare:
- Conduct GDPR assessments, assess and document GDPR-related policies
- Assess data subject rights to consent, access, correct, delete, and transfer personal data
Discover:
- Discover and classify personal data assets and affected systems
- Identify access risks, supporting privacy by design
Security requirements
Assess the current state of your security practices, and identify gaps and design security controls. Find and prioritize security vulnerabilities, as well as any personal data assets and affected systems to design appropriate controls.
Prepare:
- Assess the current state of security, identify gaps, benchmark maturity, establish conformance roadmaps
- Identify vulnerabilities, supporting security by design
Discover:
- Discover and classify personal data assets and affected systems to design security controls
Privacy requirements
Develop a GDPR roadmap and implementation plan. Use the findings in the assess phase to develop next-step activities and help reduce risk in the enterprise.
Roadmap:
- Create GDPR remediation and implementation plan
Privacy by design:
- Design policies, business processes and supporting technologies
- Create GDPR reference architecture
- Evaluate controller or processor governance
Security requirements
Design security remediation and implementation plan priorities by identifying personal data asset risks. Include a security reference architecture and technical/organizational measures (TOMs) for data protection, starting with security by design and by default.
Roadmap:
- Create security remediation and implementation plan
Security by design:
- Create security reference architecture
- Design TOMs appropriate to risk (such as encryption, pseudonymization, access control, monitoring)
Privacy requirements
Implement and execute the controls in your GDPR strategy, including policies, programs and technologies. Transform the enterprise to be GDPR-ready.
Transform processes:
- Implement and execute policies, processes and technologies
- Automate data subject access requests
Security requirements
Implement privacy enhancing controls such as encryption, tokenization and dynamic masking. Implement required security controls such as access control, activity monitoring and alerting. Mitigate discovered access risks and security vulnerabilities.
Protect:
- Implement privacy-enhancing controls (for example, encryption, tokenization, dynamic masking)
- Implement security controls; mitigate access risks and security vulnerabilities
Privacy requirements
Manage your GDPR governance practices through the use of GDPR-specific metrics. Understand how the enterprise is mitigating risks. Begin executive level and board reporting.
Manage GDPR program:
- Manage GDPR data governance practices such as information lifecycle governance
- Manage GDPR enterprise conformance programs such as data use, consent activities, data subject requests
Run services:
- Monitor personal data access
- Govern roles and identities
- Develop GDPR metrics and reporting schemas
Security requirements
Manage and implement security program practices on premises and in the cloud, such as risk assessment and mitigation, incident identification, escalation, response, forensics and resolution, personnel roles and responsibilities. Measure, document, and communicate program effectiveness to stakeholders. Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats.
Manage security program:
- Manage and implement security program practices such as risk assessment, roles and responsibilities, program effectiveness
Run services:
- Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats
- Govern data incident response and forensics practices
Privacy requirements
Enhance and refine your GDPR practices, identifying areas of concern and addressing them as necessary. Effectively manage your controller/processor relationships and understand whether the associated technical and organizational measures (TOMs) are being followed.
Demonstrate:
- Record a personal data access audit trail, including data subject rights to access, modify, delete and transfer data
- Run data processor or controller governance, including providing processor guidance, tracking data processing activities, providing an audit trail and preparing for data subject access requests
- Document and manage compliance program: ongoing monitoring, assessment, evaluation and reporting of GDPR activities
Respond:
- Respond to and manage breaches
Security requirements
Demonstrate that you have implemented technical and organizational measures to ensure security controls are in place appropriate to processing risk. This includes producing audit reports and documenting metrics to measure progress. Document the security program itself including policies for ongoing monitoring, assessment, evaluation and reporting of security controls and activities. Respond to and manage incidents and breaches, reporting to regulators within the required 72-hour window.
Demonstrate:
- Demonstrate technical and organizational measures to ensure security appropriate to processing risk
- Document security program: ongoing monitoring, assessment, evaluation and reporting of security controls and activities
Respond:
- Respond to and manage breaches