GDPR (IBM)

Overview

With an enforcement date of May 25, 2018, the GDPR is designed to unify data privacy requirements across the European Union (EU). If you market to or process the information of EU Data Subjects – which include end users, customers and employees – you need to learn how to address these key requirements.

Where are you on your GDPR journey?

Starting at the beginning

The GDPR readiness assessment from IBM® can help you identify the areas of your business that will be affected by GDPR and evaluate your current practices against the requirements. Get started with the GDPR readiness assessment from IBM, which includes a gap analysis and a roadmap for moving forward.

Gaining traction

The IBM Security Guardium® Analyzer solution lets you apply a next-generation classification engine with pre-built, GDPR-oriented data patterns, as well as vulnerability scans of your data, in order to provide your compliance or audit teams with prioritized risk information.

Operationalizing your program

The Resilient Incident Response Platform can help you fulfill GDPR obligations and help streamline your incident response and breach notification time. GDPR-specific components have been incorporated into the platform, including the GDPR preparatory guide, the GDPR simulator, and the GDPR-enhanced privacy module.

Phases

Privacy requirements

Assess your current data privacy posture under all of the GDPR provisions. Discover where protected information is located in your enterprise.

Prepare:

  • Conduct GDPR assessments; assess and document GDPR-related policies
  • Assess data subject rights to consent, access, correct, delete, and transfer personal data

Discover:

  • Discover and classify personal data assets and affected systems
  • Identify access risks, supporting privacy by design

Security requirements

Assess the current state of your security practices, identify gaps, and design security controls. Find and prioritize security vulnerabilities, as well as any personal data assets and affected systems, to design appropriate controls.

Prepare:

  • Assess the current security state, identify gaps, benchmark maturity, and establish conformance roadmaps
  • Identify vulnerabilities, supporting security by design

Discover:

  • Discover and classify personal data assets and affected systems to design security controls

Privacy requirements

Develop a GDPR roadmap and implementation plan. Use the findings in the assess phase to develop next-step activities and help reduce risk in the enterprise.

Roadmap:

  • Create GDPR remediation and implementation plan

Privacy by design:

  • Design policies, business processes and supporting technologies
  • Create GDPR reference architecture
  • Evaluate controller or processor governance

Security requirements

Design security remediation and implementation plan priorities by identifying personal data asset risks. Include a security reference architecture and technical/organizational measures (TOMs) for data protection, starting with security by design and by default.

Roadmap:

  • Create security remediation and implementation plan

Security by design:

  • Create security reference architecture
  • Design TOMs appropriate to risk (such as encryption, pseudonymization, access control, monitoring)

Privacy requirements

Implement and execute the controls in your GDPR strategy, including policies, programs and technologies. Transform the enterprise to be GDPR-ready.

Transform processes:

  • Implement and execute policies, processes and technologies
  • Automate data subject access requests

Security requirements

Implement privacy-enhancing controls such as encryption, tokenization and dynamic masking. Implement required security controls such as access control, activity monitoring and alerting. Mitigate discovered access risks and security vulnerabilities.
</gra_replace>
<gr_replace lines="112" cat="clarify" orig="Manage and implement">
Manage and implement security program practices on premises and in the cloud, such as risk assessment and mitigation; incident identification, escalation, response, forensics and resolution; and personnel roles and responsibilities. Measure, document, and communicate program effectiveness to stakeholders. Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats.

Protect:

  • Implement privacy-enhancing controls (for example, encryption, tokenization, dynamic masking)
  • Implement security controls; mitigate access risks and security vulnerabilities

Privacy requirements

Manage your GDPR governance practices through the use of GDPR-specific metrics. Understand how the enterprise is mitigating risks. Begin executive level and board reporting.

Manage GDPR program:

  • Manage GDPR data governance practices such as information lifecycle governance
  • Manage GDPR enterprise conformance programs such as data use, consent activities, data subject requests

Run services:

  • Monitor personal data access
  • Govern roles and identities
  • Develop GDPR metrics and reporting schemas

Security requirements

Manage and implement security program practices on premises and in the cloud, such as risk assessment and mitigation, incident identification, escalation, response, forensics and resolution, personnel roles and responsibilities. Measure, document, and communicate program effectiveness to stakeholders. Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats.

Manage security program:

  • Manage and implement security program practices such as risk assessment, roles and responsibilities, program effectiveness

Run services:

  • Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats
  • Govern data incident response and forensics practices

Privacy requirements

Enhance and refine your GDPR practices, identifying areas of concern and addressing them as necessary. Effectively manage your controller/processor relationships and understand whether the associated technical and organizational measures (TOMs) are being followed.

Demonstrate:

  • Record an audit trail of personal data access, including the exercise of data subject rights to access, modify, delete and transfer data
  • Run data processor or controller governance, including providing processor guidance, tracking data processing activities, providing an audit trail and preparing for data subject access requests
  • Document and manage the compliance program: ongoing monitoring, assessment, evaluation and reporting of GDPR activities

Respond:

  • Respond to and manage breaches

Security requirements

Demonstrate that you have implemented technical and organizational measures to ensure security controls are in place appropriate to processing risk. This includes producing audit reports and documenting metrics to measure progress. Document the security program itself including policies for ongoing monitoring, assessment, evaluation and reporting of security controls and activities. Respond to and manage incidents and breaches, reporting to regulators within the required 72-hour window.

Demonstrate:

  • Demonstrate technical and organizational measures to ensure security appropriate to processing risk
  • Document security program: ongoing monitoring, assessment, evaluation and reporting of security controls and activities

Respond:

  • Respond to and manage breaches