31/08/2017 | Written by: Christophe de Melio
From cost-driven to a risk & value-driven approach
We all know by now that it is coming in less than a year. Still, the new GDPR regulation is keeping many executives awake at night. Non-compliance may lead to significant fines of up to 20 million euro or 4% of the total annual worldwide turnover, whichever is higher. But I tell my clients: don’t fear GDPR. Yes, GDPR is fast approaching, but more regulations are likely to follow. Look at GDPR as an opportunity to obtain resources and budgets to restructure your data strategy and governance as you take the next step in becoming a data-driven organization. You can find more information here on how IBM can support your GDPR journey.
Mind the gaps
Let me start with an example: I recently requested a new credit card. As it turns out, my bank sent the credit card to my old address. When I contacted my bank about it, it seemed that they couldn’t find the old address in their systems… Do I then trust my bank if they ask my consent to use personal data for potentially providing better service? Typically, organizations store way too much data; in fact, analysts report that more than 50% of all data stored no longer has any real business value after 1 year. They also struggle with dark data, where personal data and highly confidential information can be stored without them knowing. Personal data is often stored in emails, on desktops or fragmented across invisible locations, and any breach (as recent worldwide data breaches have shown) could easily uncover these and potentially do a lot of damage.
Fortunately, many organizations have by now involved their legal support team to translate the GDPR regulation into strategies; it’s important to take a global look at the implications and build a strategy that considers security and analytics solutions, but also data governance. One of the first things I recommend to my customers, after they have obtained advice from their legal department, is to do an assessment to identify major risks and opportunities. This must of course focus on the articles as outlined in the GDPR regulation, but also consider all aspects related to security and the potential costs of a data breach. If you would like to have a conversation about activating an assessment, you can request more information by completing this form. Next to an assessment, it is critical to focus on how you can deploy a value/risk-based data approach to ensure you get the most out of your data. Also, make sure you put the right projects and organization strategies in place to ensure a company-wide view is established and compliance is achieved.
Once a heatmap with major gaps and priorities has been created, you can start working on defining one customer data journey and a functional strategy with the clear capabilities that are needed to work towards GDPR readiness. More and more companies are now moving from the initial assessment phase towards the rollout of concrete projects and programs. With that comes an even bigger need for data transparency. It’s very likely that many companies will not be compliant next year. But at least they will need to be able to show what steps have already been taken and what strategies have been defined. The level of readiness compared to other companies will very likely weigh in determining potential fines. It can be compared to parenthood. You may think you’re the best mom or dad in the world, but only by looking around and comparing yourself with others can you determine how good you really are.
The more others do, the more you must do. This will drive organizations to clearly define their data architecture strategies, with detailed descriptions of stored data and user guidelines, along with the right tools to access and use data efficiently across their organization. This will allow companies to report their progress around GDPR in an effective way.
Like many other companies, IBM realizes that GDPR offers a major business opportunity to unlock business value and reduce organizational risks.
Going back to my personal credit card story: GDPR is driving my bank to manage their data and data lifecycle better. Assessments will lead to a full understanding of all locations used for personal data storage. My bank will, as part of their GDPR strategies, need to catalogue and describe all applications that contain my personal data. From that point, they can better manage customers’ personal data and the accuracy of data across all systems. As a result, the trust I have in my bank and their attitude towards dealing with my data (and my consent in this) will most likely increase and allow them a broader range of analytical use.
Every single security, compliance, data classification or governance tool that you consider purchasing for GDPR should be placed in a bigger context, as part of a company-wide shift towards a data-driven organization and one streamlined customer journey. The other way around is true as well: if you already have a great security tool, see how you can complement it with tools and services that help you in your journey towards GDPR readiness. Finally, it’s likely that GDPR, and with it your GDPR strategy, will evolve over time. Make sure you embrace unified governance as an ongoing business focus, to constantly improve your business operations and efficiencies.
Get further information about IBM’s offerings here: The GDPR: It’s coming, and sooner than you think. Are you prepared?
IBM provides governance and security solutions to customers that enhance existing market-leading applications with GDPR-specific accelerators or templates to support customers in their journey. At the same time, customers can take advantage of these solutions for their global governance or security strategies.
IBM has developed a set of GDPR-specific assessments to help customers get a clearer view of their situation and identify potential focus areas. These assessments range from very deep, complete assessments covering all aspects of GDPR to more targeted assessments. They can focus on data discovery, to get a sense of where your personal data is stored, or on DPIAs (Data Protection Impact Assessments), which are more focused on data security. High-level global assessments are also offered to assess the organizational and governance situation.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.