IBM, a global IT company, is one of the world's largest processors of information. It is therefore imperative that the company fully comply with the European Union's General Data Protection Regulation (GDPR), which takes effect soon. To this end, IBM also provides customers with a range of information protection, security and management services.

The preparation program is divided into a series of workflows covering IBM's different areas: for example, subsidiaries such as The Weather Company, the way IBM processes information for customers using IBM products, common services used internally as well as by external customers, and information security.

“As IBM prepares, the preparatory program is evolving,” said Richard Gordon, a global GDPR evangelist at IBM. “The recently added workflow is about auditing, and we will see that compliance is maintained in the different workflows and verified across the enterprise.”

IBM continues to document the process of developing its GDPR-related procedures, so that it can clearly demonstrate to regulators the measures taken internally for regulatory compliance.

Knowing the information held

The GDPR requires each company to know in detail the type and location of the information it holds. “Once the GDPR comes into force, we need to know exactly what personal and sensitive information there is, because there may be additional information protection obligations on that information,” Ho said.

IBM has developed a ‘pathways framework’ to identify and classify this information. The company's Chief Information Officer and Chief Information Security Officer take the lead and designate a key liaison for each division, who is responsible for compliance. These liaisons identify the exact scope and schedule of what they need to do based on their workflow and gap-analysis assessments.

“The first step is to implement information protection risk assessment and advanced mapping,” Ho said.

IBM's key business units and services are evaluated on where they stand on the path to GDPR compliance. IBM then develops programs to close the gaps in each workflow and puts in place the necessary technical and organizational measures.

This process involves a detailed search for the sources of priority information. Some of the personal information is recorded in a central inventory, so that the company can maintain records of its information processing activities and respond to requests from regulators or data protection authorities.

High-risk information, such as that obtained through IBM's Watson Health, is an area of particular focus.

IBM, operating in more than 170 countries, must meet a number of overlapping regulations around the world. To ensure that employees understand their personal obligations as well as the compliance requirements, the company conducts regular training and offers programs specifically designed to prepare for the GDPR.

“Information protection and information ethics are a fundamental part of IBM and are included in the annual ethics training for all employees,” he said, adding that there is “intensive and simple GDPR” training on top of that.

Privacy by design

The GDPR emphasizes privacy by design, which must be embedded throughout the company. These principles were already the foundation of management at IBM; however, to meet the specific requirements of the GDPR, IBM has redesigned its practices.

“We have done a thorough assessment of the impact of information protection on our products and services,” he said. “We look closely at exactly what personal information each product handles and how it handles it.”

Such evaluation covers the generation, capture and storage of information, including the processing of IP addresses, which are a form of individual identifier. For a company such as IBM that already has a high level of information security practice across the enterprise, the GDPR can be an opportunity to improve practices rather than a hindrance to the business.

“There is an opportunity to focus on and strengthen the overall process of ensuring that information is properly identified and processed throughout its lifetime,” Ho said. IBM already had procedures to monitor, process and report security breaches, and these were revised to meet the GDPR's obligations.

Under the GDPR, the consent requirements for data subjects are also strengthened: consent must be specific, detailed and auditable. IBM therefore examined each business area to determine when user consent is required.


Ho said that “consent is not a panacea that must be applied everywhere. It is only one of six lawful bases under the GDPR, and consent is the most difficult and burdensome one to choose. The various kinds of personal information we are dealing with today are already being legitimately handled in normal business processes, so you do not have to obtain consent for everything. IBM looks at all of your services with you and decides what you need consent for. It simplifies and consolidates the burden on both the company and the data subject. We are promoting a consent service common to all companies.”

New Rights

The GDPR grants data subjects a series of enhanced subject access rights: the right to access their information, the right to rectification, the right to erasure and the right to data portability. To respond to these requests, IBM has the ability to capture, verify and fulfil requests through enterprise-wide information discovery and information management.


“Once we authenticate the requestor, we can quickly find the 15 places where information about the person may be held. We go there and collect, analyze and review that information through in-depth searching.”


Companies are not obliged to fulfil every information request. IBM reviewed its information management policies and legal-hold obligations so that requests are handled in line with the company's other responsibilities and requirements under the GDPR.

Ho's advice to other companies is simple. “From an IBM perspective, to be ready for May next year, at least an assessment of the impact of information protection needs to be completed. Some of our customers are starting now, but there is still no time to complete them. Prepare an initial inventory of the company's personal information, including its location, lineage and processing, which will be the basic data that can be used as part of the Article 30 response when regulatory authorities come in May. The program should evolve and iterate, especially when a full check or rehearsal is initiated. A full check or rehearsal must be present in any program; it is the core test.”