Getting Ready for the New General Data Protection Regulation
GDPR is coming, and with these new data protection standards industry experts are racing to make sure businesses are compliant.
With the GDPR compliance deadline of May 2018, IBM investigates the opportunity to not just meet the regulation but transform and deepen trust and relationships with customers around their “personal data.”
In a recent KMWorld webinar, experts at IBM, including Richard Hogg, global GDPR & governance offerings evangelist; Amir Jaibaji, Program Director - WW offering management, information lifecycle governance; and Elaine Hanley, senior offering manager, industry models, discussed a framework for the GDPR journey.
IBM’s overall GDPR framework guide to readiness includes steps such as assess, design, transform, operate, and conform.
GDPR raises several risks for companies including consent and purposes of processing; effective culture change; third parties and the data supply chain; vexatious access requests; and establishing a data privacy capability and effective EPO.
Understanding, defining, and documenting the business meaning of data becomes more important as the scope of data management extends to all sources of knowledge within an enterprise, and as regulations such as GDPR are supported, according to the experts.
IBM’s Business Vocabulary has pre-built:
- Representations of industry terminology, including GDPR
- Thousands of industry-specific Business Terms representing the common language of your business, cross-referenced with GDPR terms.
- Sets of enterprise-wide KPIs which help you define reporting requirements, including GDPR
Key GDPR duties, obligations, and sanctions:
- Data controllers must implement technical and organizational measures demonstrating compliance with GDPR core principles
- Ensure the rights of data subjects are met and that only data necessary to the specific purpose are processed
- The need to demonstrate compliance with the principles relating to personal data processing pervades the whole of the GDPR
- Include lawfulness, fairness, transparency, purpose/storage limitation, minimization, accuracy, integrity, and confidentiality
- Enhanced rights for data subjects in the EU including access, rectification, erasure, restriction, portability and objection
- Easier access to personal data with more information on processing available both clearly and understandably
- Obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
- Includes 72-hour breach reporting to regulatory authorities and, without undue delay, to affected individuals in high-risk scenarios
- Processing is only lawful if one of the following applies: consent, contractual necessity, legal obligation, protection of vital interests, public interest or official authority, or legitimate interest
- Consent must be freely given, specific, informed, and unambiguous, and, for special categories of data or certain other scenarios, explicit
An archived on-demand replay of this webinar is available here.