A May 2018 report by the IBM Institute for Business Value found that only 36 percent of surveyed executives believed they’d be fully compliant with the General Data Protection Regulation (GDPR) by the May 25 enforcement date. The GDPR, intending to improve data privacy for data subjects from the European Union (EU), has set a new standard for data privacy worldwide while sparking speculation, self-examination and organizational overhauls for security, privacy and compliance teams in the EU and beyond.
And for some organizations, this has caused a good deal of panic.
GDPR Enforcement in Full Effect
According to The New Yorker, the GDPR is “the most contested law in the E.U.’s history,” a statement illustrating just how impactful (and potentially disruptive) many believe GDPR enforcement will be. It’s perceived, however, that showing signs of progress toward full compliance may be enough to stay afloat for now. Though fines for GDPR noncompliance can reach as high as 20 million euros — or up to 4 percent of annual worldwide turnover — some believe it’s unlikely, according to GDPR.Report, that repercussions will reach this level of magnitude in the majority of cases, as long as efforts have been made in good faith to take steps toward compliance.
Staying afloat isn’t sustainable forever, though, and organizations still need to continue ongoing efforts toward compliance and maintain those levels once they’ve been reached. The May 25 date was by no means the end of the activity around GDPR compliance — it’s only the beginning of a much longer journey.
What can we offer to the 64 percent of surveyed executives who didn’t think they’d be fully ready by the enforcement date — and more importantly, to the 18 percent who (at the time of the report) hadn’t even begun GDPR preparations?
A GDPR Framework
First and foremost, IBM Security offers a GDPR framework, providing a holistic approach to help organizations prepare for and meet GDPR requirements. The framework outlines requirements around both privacy (the controls within an organization around how personal or regulated information is collected, used and shared) and security (the technical safeguards to ensure data confidentiality, integrity and availability). It spans five phases: assess, design, transform, operate and conform.
With a regulation as monumental as the GDPR, simply jumping in without a plan won’t yield positive results. Identifying a framework to follow is a critical element of preparedness.
IBM Security Guardium Analyzer
Second, we offer a more practical suggestion: Think big, start small and deliver fast. One way to do this is to leverage software-as-a-service (SaaS) offerings that enable teams to immediately start taking the steps outlined in IBM Security’s GDPR framework.
To support these efforts, IBM Security announced the IBM Security Guardium Analyzer today, a SaaS offering that maps to the first step in the GDPR framework by helping organizations efficiently assess security and compliance risk associated with GDPR personal data and create a prioritized action plan. By combining advanced classification and risk-based vulnerability assessment, Guardium Analyzer identifies the cloud and on-premises databases most likely at risk under a GDPR-oriented audit — so you can take the right steps to minimize your risk.
The technology offers key capabilities, including encrypted connectivity to cloud and on-premises databases; next-generation classification using pre-built, IBM-provided data patterns or customized user-provided patterns; and vulnerability assessments with risk scoring, which help administrators prioritize vulnerable databases based on the amount of sensitive data they contain and that data’s level of sensitivity. Advanced filtering and sorting — along with intuitive, shareable dashboards that enable visual progress tracking and reporting — contribute to ease of use, a crucial element in the face of this complex regulation.
Guardium Analyzer helps organizations get a running start on their GDPR journey with a SaaS offering purpose-built for discovering, classifying and assessing the vulnerability of personal data. Remember: Even with the May 25 date behind us, these are needs organizations will have to continue addressing well beyond this initial enforcement period if they want to maintain compliance and continue building a strong data protection program.
The Transformative Power of the GDPR
Moving forward, the GDPR may even serve as a catalyst to spark greater innovation throughout security programs worldwide. According to the IBM report, 39 percent of surveyed executives saw the GDPR as a chance to transform security, privacy and data management efforts – with 91 percent agreeing that the GDPR will enable more trusted relationships with clients and new business opportunities. If these responses are any indication of what’s to come, then we have yet to see the transformative power of the GDPR.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
Program Director, IBM Security