Business challenge

Companies that control personal data of EU data subjects are required to understand the types of data, where it is, who owns it and the associated level of risk as part of addressing GDPR readiness.


As a key element of IBM’s GDPR reference architecture and common services, IBM Data Risk Manager helps uncover, analyze and visualize data-related business and compliance risks in a business context. 



data risks across thousands of applications and terabytes of data


critical information for responding to audits and reporting to executives

Helps avoid

fines that can result from non-compliance with GDPR and other regulations

Business challenge story

Assessing data risk in a global company

As a global company operating in more than 170 countries, IBM has longhad to address compliance with data privacy laws and regulations around the world. When the EU General Data Protection Regulation (GDPR) was adopted in April 2016, IBM saw an opportunity to refresh its privacy practices and enhance its products and services while preparing for the enforcement deadline of 25 May 2018. This wasaccomplishedby embracing GDPR globally, as a global transformation program of change across IBM, to benefit all clients.

That global program included, among numerous work streams, addressing the GDPR requirement to understand the type of personal data IBM controls, where it is, how it is used and who owns it. “The job involved examining more than 6,500 applications across the company, about 3,400 of which are critical from a GDPR perspective,” says Neera Mathur, Senior Technical Staff Member in the Global Chief Data Office. 

The results of this effort were collected in a central data privacy catalog, as a key first step in the journey to readiness. But a question remained: how to identify and evaluate the risks associated with the GDPR-relevant data under IBM’s control, and how to share that information with business leaders. 

IBM Data Risk Manager, along with Information Governance Catalog, helped us visualize and manage trusted data in a very short time.

Inderpal Bhandari, Chief Data Officer, IBM

Transformation story

What you don’t know can hurt you

IBM’s Global Chief Data Office, charged with developing a reference architecture and a set of common services for supporting business units in making their data stores ready for GDPR, selected IBM Information Governance Catalog for the central store of privacy data—the privacy catalog—and IBM Data Risk Manager to provide a visual data risk control center for executives and their teams—the risk regulatory dashboard.

By providing a business-consumable dashboard, Data Risk Manager helps privacy officers and data officers at all levels across IBM uncover, analyze and visualize data-related business risks so they can take corrective action. During the months leading up to the GDPR enforcement date, for example, Data Risk Manager could provide insights into instances when personal data could be moved to a system that had better controls for protecting it, when it should be encrypted, or when it could be deleted all together. Visualizations include maps of data residency as well as graphics focused on risk and vulnerabilities.

Now, working from the data store- and application-level information housed in the privacy catalog, Data Risk Manager can provide answers to the basic questions a regulator would ask: What personal data do you have? What is it used for? What applications, business processes and people have access to it? Who is the owner of this particular data store, and where is it located? And as changes are made to the privacy catalog, the updated information is reflected in the dashboard, supporting the ongoing requirement to address compliance with multiple data privacy regulations, including GDPR.

Data Risk Manager can perform at the global level across the company, by business unit or by application, allowing users to see only data that is relevant to their role. IBM’s Chief Privacy Officer and Data Privacy Officercan see the status of sensitive personal data IBM-wide, for example, while a business unit-level data privacy officer can only see data relevant to their operation or location.  

Results story

Visualizing and managing trusted data

“IBM is very diverse with many business units and thousands of applications that process personal data. Data Risk Manager, along with Information Governance Catalog, helped us visualize and manage trusted data in a very short time,” says IBM Chief Data Officer Inderpal Bhandari.

As a key component of IBM’s GDPR common services reference architecture, Data Risk Manager helps privacy officers across the company report on data risks and compliance posture for GDPR as well as other data privacy regulations and respond to requests for information from auditors or individuals within the company. 

And by visualizing risks so they can be readily identified, easily understood by business executives and addressed appropriately, Data Risk Manager can help IBM avoid fines levied for non-compliance with data privacy regulations, including GDPR.

IBM Global Chief Data Office

IBM is a recognized leader in data protection and complies with data privacy laws around the world. As part of IBM’s ongoing commitment to privacy by design, IBM has embedded data protection principles even more deeply into its business processes, products, and services so that our clients can better meet their own data protection objectives. In addition to enhanced security, IBM offers innovative data privacy and governance solutions that can assist clients and partners with GDPR compliance. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

Solution Components

Take the next step

To learn more about IBM Data Risk Manager, visit:

For more information on IBM Security solutions and services, visit: Follow us on Twitter at @IBMSecurity or visit our blog at