General Data Protection Regulation (GDPR)

GDPR and security: balancing crisis and reputation management

Share this post:

A recent survey by Hurwitz & Associates shows that a surprising number of companies are not yet prepared for GDPR-related financial and reputational risks. Those findings are remarkable. Of course security is nothing new: there are already existing laws on data protection and in essence it is not unreasonable for people to expect that organizations take every precaution to safeguard the sensitive personal information that is entrusted to them.

In the past, it was possible to choose how to handle breach. Once GDPR is here, active communication will be the only option, and you may incur potential fines for breach, as well as risk harm to your company’s reputation. In the Netherlands, we have made a head start on implementing this new legislation; this rule has been in force since 1 January 2016.  Companies have to report data leaks within 72 hours. Of course, you want to prevent unnecessary communications about interventions. In short: how can you ensure the right balance between crisis and reputation management?

Essentially, this is all about three Cs: Confirm, Control and Communicate. First, you need to quickly and accurately confirm that there has been a Personal Data breach. Next, you must check the nature of the data involved (identified during the prior risk and data assessment phase) and what has happened to it, to determine the impact and decide what the next steps need to be, based on the risk level.  Then you have to inform the individual data subjects affected without delay, unless the data was encrypted. The communication to data subjects must describe the nature of the breach AND recommendations for mitigation. You must also inform the supervisory authorities And do that within 72 hours, and the authority may still require you to communicate the breach to data subjects. If such data subject communications would take a disproportionate effort then then public communications methods can be used to to update data subjects in an effective manner.

Confirm and control activities can be done using security solutions, such as IBM Security Guardium.  Guardium not only helps you protect your data in various ways, but also makes it possible to see who may have tampered with data and when – even within cloud based networks. If there has been a potential data breach, recommendations based on your business workflow support you take the right steps of the escalation process in time. As an organization, you can have the right tools at your disposal to handle the communication process with the authorities/regulators, clients and staff.

For instance, a large French bank used Guardium to help secure and protect data on 400 servers containing 150 sensitive applications, and support their GDPR requirements at the same time. The bank has automated its data compliance, audit processes and workflows, including consolidating audit records and sending report notification and distribution to oversight teams, speeding sign-offs and escalations. This also helped the bank show that they had prepared ahead to minimize the likelihood of a data breach.

The final C, communicate, is the responsibility of the organizations involved. Based on all steps that have been taken to confirm and control the data breach, the Data Protection Officer (DPO) and external relations can actively send out consistent.

Curious to know more? Learn how you can simplify getting ready for GDPR from a few best practices and get a grip on your crisis and reputation management.


IBM nominated as ICT service supplier – Computable Awards 2017

Privacy issues are changing and the new legislation is leading. In May 2018, the new GDPR legislation will become effective, with new requirements for processing and processing personal data. IBM is one of the largest data processors and has acquired the necessary knowledge with previous privacy laws. It has resulted in a GDPR-specific architecture framework that IBM offers as a service. The main purpose of the GDPR assessment is a roadmap that prepares an organization for this GDPR legislation and to test risk factors in the organization of the client.

The complete jury report (in Dutch)

Vote for ICT service supplier of the year – IBM – Computable Awards 2017!

Notice:  Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsibility for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.  The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

European GDPR Offering Leader, IBM The Netherlands

More General Data Protection Regulation (GDPR) stories

Artificiële Intelligentie: Nieuwe mogelijkheden voor de overheid

(reading time 5 minutes) Ontdek de visie van Sreeram Visvanathan, IBM Global Managing Director, Government. Elk bedrijf heeft klanten waar ze veel om geven. Of u nu een retailer bent die Italiaanse meubels verkoopt, een elektronicabedrijf dat de modernste apparatuur maakt, of een olie- en gasbedrijf bent of een bank, de klant is koning. Maar […]

Continue reading

Nederlanders zijn creatief

Als we horen dat er een grote ov-staking komt, bellen we moeders voor een rit naar kantoor, openen we de IJ-tunnel voor fietsers. Gaan we naar de rechter om te zorgen dat we toch met de trein naar Schiphol kunnen of blijven we lekker thuiswerken. Dit geeft extra tijd om eens rustig na te denken […]

Continue reading

Mijn perfecte start van de dag

Diegenen die mij kennen weten dat ik de dag graag begin met een vers bakje koffie. Het geeft mij de kick om de dag fris en energiek te starten. Ik heb een mooi apparaat die voor mij de bonen maalt en daarna een heerlijk vers, op maat gemaakt bakje koffie voor mij maakt. Een heerlijk […]

Continue reading