How IBM transformed its global data privacy framework

4 minute read | October 25, 2021

As the increase in data privacy regulation worldwide continues, it is more important than ever for organizations to establish a global framework for data privacy compliance.

The IBM Chief Privacy Office (CPO), in partnership with the IBM Global Chief Data Office (GCDO), took on this challenge over three years ago, in preparation for the enforcement of the EU General Data Protection Regulation (GDPR). The resulting IBM Unified Privacy Framework has helped streamline IBM’s global privacy compliance operations and reduce regulatory risk. The lessons learned from this experience have been used to strengthen IBM’s client offerings and have helped businesses accelerate the adoption of their own global data privacy frameworks. All the details can be found in the full case study, parts of which are summarized below.

80% of all organizations will be required to comply with at least one privacy-focused regulation within the next few years.[1]

By the numbers

The sheer scale of IBM’s international business operations was a key challenge when creating a global solution:

  • 6,000+ internal processing activities and assets
  • Over 45 million website URLs
  • 400+ legal entities across more than 170 countries
  • 150,000+ partners worldwide
  • 13,000+ global suppliers
  • 350,000 employees

A people, process, and technology approach

The privacy-related roles, processes and policies required to establish an IBM Unified Privacy Framework needed a comprehensive set of technologies to support them. The CPO and GCDO therefore created a suite of custom-developed tools, IBM software solutions, and third-party services geared to delivering privacy compliance across the enterprise.

The CPO collaborated with IBM’s worldwide legal teams and GCDO for over twelve months to create a comprehensive Personal Information Taxonomy. This required detailed assessments of industry and regulatory compliance obligations and the creation of a reusable business vocabulary. The taxonomy was used to develop an Enterprise Privacy Baseline that consolidates global privacy requirements into a single set of control points that in turn underpins the overall compliance process.

The CPO also established a new Business Unit Privacy Lead (BPL) role with responsibility for implementing processes and tracking remediation actions within business units. The CPO supports the business units’ compliance activities through the development of common privacy services, standardized processes, and employee education.

Three examples of key technical supporting solutions include:

  1.  Privacy Information Management Systems (PIMS) – a custom-built application for managing contact information and inventory details for data assets and business processes that handle personal information.
  2.  Data Subject Rights (DSR) Automation – an intelligent case management workflow to manage and track DSR requests from reception through to timely resolution.
  3.  Master Consent Management – an automated system to manage and control client user preferences, notices, and track informed consent across data assets and applications.

The Results 

The Unified Privacy Framework enables IBM to prepare for new regulations in a fraction of the time and effort required for the GDPR. It has also helped reduce the time required to respond to complex requests from customers who continue to demand greater transparency around regulatory compliance.

Real-time reporting and supplier risk management processes help the business perform its duties in a more informed, consistent manner, further reinforcing IBM’s reputation as a responsible data steward.

Several of the assets and approaches developed as part of the IBM Unified Privacy Framework are now being used to strengthen IBM’s offerings, enabling IBM clients to accelerate development of their own global privacy frameworks. Businesses following IBM’s lead could experience:

Shorter time to value

The IBM Personal Information Taxonomy is included as a Knowledge Accelerator within IBM Cloud Pak for Data. This provides a structured list of over 150 data types that contain personal information or sensitive personal information, employee, and customer data. Using this taxonomy, clients can accelerate their efforts ‘out-of-the-box’ by appropriately classifying data in an automated manner and at scale.

Continual data enrichment

IBM Watson Knowledge Catalog is a data catalog tool that powers intelligent, self-service discovery of data, models and more. It is used to automatically classify business data assets and enrich the underlying core business vocabulary. It also allows for safe and efficient ingestion of large quantities of new data assets.

Better DataOps ROI

A centralized repository of business knowledge is necessary for DataOps, acting as a foundation upon which Data Stewards and Data Consumers can coordinate to develop and deploy advanced AI and Machine Learning models within intelligent workflows.

Take the next step toward your Global Data Privacy Framework

The increase in data-related regulation shows no sign of abating, so take advantage of IBM’s Global Privacy Framework, including our blueprint for people, organization and process changes and our industry-leading advanced privacy automation tooling.

Combining the Personal Information Taxonomy Knowledge Accelerator within IBM Cloud Pak for Data, the unified governance, risk and compliance features provided by IBM OpenPages® with Watson®, and the cataloging and active management capabilities in IBM Watson Knowledge Catalog can help your business efficiently build a comprehensive solution you can trust.

Read the IBM CPO case study to learn about IBM’s approach to global data privacy compliance and contact one of our data privacy experts to discuss how IBM can help you accelerate your journey to a comprehensive data privacy framework.

 

Note: all numbers are approximate and subject to change over time

[1] The state of privacy and personal data protection 2020-2022, Gartner