IBM's journey to GDPR

IBM is one of the first to have a data privacy officer and an ethics statement that is woven into all new products and services to include built-in privacy and security. Learn more about the IBM journey to GDPR compliance using IBM solutions and the pathways methodology.

man and woman talking

Get started on your CCPA journey

Kick start your transition to CCPA readiness by using takeaways from your existing strategy for regulations like the GDPR. Then create a comprehensive game plan for data privacy regulations, rather than taking a fragmented approach.

Learn more about data privacy and protection

The GDPR is about personal data

Key for GDPR is the focus on personal data, any data that can directly or indirectly identify living individuals — we need to know what personal data the business uses, where it's stored, how it's processed and its lineage — where it comes from, what we do with it and where it ends up.

There are GDPR essentials every organization should have in place: defining, discovering, cataloging, and protecting personal data and managing consent.


Personal data is any information that can directly or indirectly identify a living, natural person. Direct identifiers include things like one's name, passport number and phone number. Indirect identifiers include things such as asset, financial, health and other categories. Use the IBM Industry Model framework if personal data is not defined already.

Get started:


Accelerate finding personal data across your business with IBM InfoSphere® Information Analyzer and IBM StoredIQ®. What's found can be added to a central inventory in IBM Information Governance Catalog. Accelerate defining and finding unstructured personal data with the StoredIQ GDPR Cartridges, defining an extended set of EU personal data across 11 languages. For structured data, use Information Analyzer.

Get started:


Expedite cataloging personal data into IBM InfoSphere Information Governance Catalog across all data sources, categories and types. This unified catalog can be the backbone of all your GDPR program tasks, actions and work streams. End-to-end you need to know what and where personal data is in the business, its lineage, and how you process and use it.

Get started:


The range of data masking and obfuscation capabilities from IBM can help de-identify any personal or sensitive information. This can be done in-place, across the common structure database system and application sources you have with IBM Optim™. Then, for data-minimization, use IBM Information Lifecycle Governance for retention policy disposal across all your data for GDPR.

Get started:

Manage consent

Our IBM InfoSphere Master Data Management solution provides a customer/data-subject 360-degree view, normalizing across all the data sources and different identifiers used for each person, with definitions for processing activities and purposes on that data. Data stewards can create, capture and update consent for data-subjects across all channels, then notify across existing event and notification frameworks in real time.

Get started:

Does the GDPR apply to you?

The GDPR has worldwide ramifications. Organizations around the world — not just those in the EU, but also those consuming goods and services from Europe — need to be ready for the EU GDPR. If you're providing electronic goods or services to anyone who's in Europe, be they a citizen, a temporary resident, or even if they're passing through a European airport for half an hour, potentially, GDPR may apply, and you need to comply with that. It may also apply to anyone in the world, anywhere, if you are profiling or doing analytics on them. 

GDPR practical data actions and accelerators from IBM can help your organization on its journey to compliance. Beyond compliance, they set the foundation to help strengthen and deepen the relationship you build with your customers and consumers as you provide more transparency on their personal data processing and protection. May 25, 2018, wasn’t the end of GDPR, it really just started and it will be an ongoing journey.

Take immediate action to step through on your journey towards compliance and key data actions around defining, discovering, cataloging and protecting personal data and managing consent to accelerate the readiness on every step of that journey.


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation and the California Consumer Privacy Act. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.