GDPR – Let’s Get it Started!

Share this post:

This week starts the real countdown – 1 year remains until GDPR goes live. Are You Ready?

What Me?

Yes you, if your company hosts or processes any data, anywhere in the world, on EU citizens, and if it contains their Personal or Sensitive Personal information. The GDPR will significantly raise the expectations of data rights, privacy, consent, control and access for EU citizen data. With some of the largest potential financial penalties for any failure to comply – up to 20 million Euro’s or 4% of global annual turnover, whichever is higher.

As in all regulations, there’s potential risk and challenges, but this is an opportunity – to both distinguish competitively as a trustworthy partner with customer and employee information and to be able to leverage the new digital market that GDPR opens up across Europe. GDPR is potentially creating an open digital marketplace across over 510 million EU citizens and 20 million businesses, with value opportunity around data portability, access and trust. How can this help your business differentiate? Are you ready?

Does it apply?

Probably yes, wherever personal or sensitive personal data on resident EU citizens, is hosted or processed anywhere in the world. That personal data needs to be stored and processed only for valid and current reasons and in a secure manner. What is that kind of data? Some examples;

Personal Data: Examples of customer contact information and employee records,

  • Name, Address, Telephone Number
  • Email and IP addresses

Sensitive Personal Data (Article 9) includes:

  • Genetic data
  • Biometric data
  • Where any of this is processed to “uniquely identify a person”, including “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
  • Health data – “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.”

Real World Examples – quickly become Sensitive Personal data centric…Think of a dating app that includes sexual preference as a selection option – this is Sensitive Personal Data. You’ve recently used a testing kit, taken a cheek swab and sent it in to any one of the various genetic heritage, health and testing services online – Sensitive. Your donations to your union, or political party affiliation… You’ve scheduled a taxi, Uber or car service ride for your child, to pick them up from school and take them home.

Use your industry practitioner communities and your country’s Data Protection Commissioner resources to research previous and current case studies, e.g.

What could happen?

Never mind the serious bet-the-business sized potential financial penalties, you may lose the customer trust in your services. With GDPR enabling open data portability, citizens are now empowered to easily take all their information they used to store in good faith with you, and rapidly take and transact that to a new replacement provider of your good and services. In this digital market and Smarter Planet, erosion of faith and trust can take but an instant is to echo around the world.

There’s been examples of what could  happen. Remember when there was only one phone carrier or provider, and then when it was easier to switch? Remember when such a switch didn’t provide the option, even the concept, of also preserving and transferring your current phone number? Now it could not be easier, mobile phone and data markets are digital, open and ever more customer centric. Similarly, in the UK since 2013, has been the Current Account Switch Service. This makes switching a current account between banks and building societies (credit union) simple . It handles migrating and preserving existing standing-orders and automated incoming and outgoing payments swiftly. When will all services be this open and put the customer first?

I’m not ready.

There’s no formal certification program. Use due diligence for any provider, service and especially technology that claims to make you certified or compliant. We’re all on this GDPR journey around our data, it’s value, our privacy and security.

There are proactive preparatory steps for you to have started already, or get on to today, with just a year now to go. Minimal table stakes should be reviewed and determined with your legal counsel and business risk and compliance teams. Those could include at least completing Personal Data discovery across your business, so you know both what types of personal and sensitive personal data you have, and where it is stored and used. Complete a data discovery OnRamp and then a Data Catalog. You’ll then be more informed about  meeting the requirements of Article 30 of GDPR and having a ‘record of processing’ of what personal data is where, and how it’s used in the business, for future GDPR regulator inquires.

Then depending on your industry and personal data used, you may need to plan to put in place more specific Consent management for that data with citizens, and have a Subject Access Request mechanism that will scale to your business needs and the potential volume of initial and ongoing citizen requests monthly. It may be best to find a balance and have a plan, even if execution can only start later this year or still be ramping-up once GDPR goes live. Realities to consider include all non-electronic information assets the business still keeps or needs. Could you find, summarize and dispose of all relevant information on paper for a citizen, within 30 days of their SAR Right to Erase request?

Another view of GDPR is it’s mandating – stop keeping everything forever. Start records management, good information governance in fact. No, storage isn’t cheap, the total cost and risk of ever more information can outweigh the simpler cost of expanding or refreshing storage. The fully loaded cost and Risk of that can quickly impact the business. Remember all those backup tapes and media – could they be in scope of any SAR Right to Enquire, Correct or Erase requests? How could you find and scale to that, never mind how would you find, change or remove one specific citizens information from such media? Likely that’s impractical, never mind uneconomic. And in 30 days. Good information governance tells us – use backup for very short term disaster recovery, not for archiving or long term storage of any information.

Is the Cloud the answer? It depends. Yes, it’s potentially easier and simpler to have more/all information in one place (be that on-premise, hybrid or cloud). But does that data-source or provider give you all the GDPR capabilities you need? Most cloud options today certainly offer the data security and access controls needed for many regulations. But for GDPR, do they really give you the option to define and find what personal and sensitive personal data you’ve given them to host? Do they give you a workable consent management or Subject Access Request method, at enterprise scale? Or would you need to find and export all relevant information per case, to further review and determine your SAR response and action (e.g. Can I Erase it?) to a data subject within 30 days. What are the contractual terms and potential additional costs for getting more data Out of your cloud quickly?

Risk readiness.

If with a year to go, you are just really getting started – you’re not alone. There’s prescriptive steps you can start with. If you’ve no immediate plan nor sense of what to do, call in support to help you with some form of risk readiness assessment. This can rapidly give you the facts of the current state of the business, and the major risk and cost areas and help you flesh out a plan of action – focused on the immediate priorities you can execute.

There’s a wide range of peer and stakeholder communities of practice to leverage. One is the CGOC – Compliance, Governance and Oversight Council – connect for free at with peers in the same industry, learn leverage and re-use what they are doing around GDPR already. Don’t reinvent the wheel, there’s no time to waste.

Look into and keep on top of what the GDPR Article 29 Working Party have and will continue to publish. Launched in 1996, the Article 29 Working Party is made up of a representative from the data protection authority of each EU member state to provide expert advice and opinion around data privacy regulations. GDPR will replace WP29 with the European Data Protection Board (EDPB). Published already are guidelines on data portability, DPO’s and lead supervision authority.

Unified Future.

GDPR in the end can help you find, leverage and provide competitive value to your customers. It’s an opportunity look across your business and how to create, capture and use information, not just at the entry and engagement points with clients but across the whole lifetime and lifecycle. Use a strategy to stay agile and flexible. A strategy towards Unified Governance can help as a framework for open compliance and analytic differentiators. Providing your business the flexible ability to leverage competitive value across both Governance for Insights and Governance for Compliance. We’re excited for our upcoming Signature Moment to Fast Track Your Data event to demonstrate Unified Governance on June 22nd. Can you join us in Munich live, or else via our livestream worldwide? I’m looking forward to sharing and showing GDPR capabilities as a part of this – see you there – Let’s Get It Started!

#IBMML #GDPR #infogov

*Notice:  Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.  The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Global GDPR & Governance Offerings Evangelist, IBM

More stories

Highlights from IBM Think 2018: Wednesday

Today was another exciting day of  announcements, talks and demos at IBM Think. For those who didn’t get a chance to hear the news on the ground, here’s a recap of some of the most exciting stories of the day. Leaders from IBM and VMware teamed up with top clients to share insights about the […]

Continue reading

Highlights from IBM Think 2018: Tuesday

Today was an action-packed day at Think 2018. The biggest news was the address from IBM Chairman and CEO Ginni Rometty, but there were also exciting announcements on everything from new products to crucial partnerships. For those who didn’t get the chance to hear the news on the ground, here is a quick recap of the […]

Continue reading

Your documents + AI equal world domination

I’m a movie buff and any movie that deals with machines, technology and artificial intelligence eventually taking over the world has got me hooked. While world domination by machines that can learn is not a matter of immediate concern, it still gets some folks nervous. On the other hand, what gets me excited about it […]

Continue reading