What is a holistic approach to data protection?

Research by Gartner® predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations by 2024.¹ Your task as a data leader is to navigate increasingly complex policies and technologies so you can ensure that sensitive data is both accessible and protected. Data protection is the umbrella term that encompasses privacy, compliance, data security and data ethics. Taking a holistic approach to data protection and cybersecurity is a safeguard against cyberattacks, including ransomware, and maintains regulatory compliance to avoid costly fines, deliver trustworthy AI and create exceptional customer experiences.


In 2022, the cost of data breaches reached an all-time high, averaging USD 4.35 million.² And that doesn’t account for the hidden costs to brand reputation and customer loyalty. Consumers want their personal data protected, and policymakers have responded with new data privacy regulations. Organizations unprepared for this new era of data compliance needs could pay a high price. As more regulations like GDPR, CCPA and LGPD emerge, it’s becoming a global expectation for organizations to weave holistic data protection into their overall data strategy.

This approach is not just about looking at how data is collected and then keeping it compliant and private; it’s also about understanding how sensitive data is being used in the world today. It forces organizations to ask questions like: Is it ethical to collect this data? What are we doing with this information? Have we shared our intentions with individuals from whom we’ve collected this data? How long and where will this data be retained? Are we up to speed on risk management and advances in malware? Anyone in the business of collecting data, especially an organization’s leadership, should be extremely well-versed in these conversations.


“It really does start way up at the top,” says Neera Mathur, Distinguished Engineer and Chief Trust Officer leading data privacy engineering strategies and solutions at IBM. “IBM CEO Arvind Krishna’s famous statement is, ‘Trust is our license to operate.’ I think that tells it all. When an individual provides their data to IBM and we manage it properly, as in protect it properly and ethically, we increase trust with the individual working with us. To me, responsibility starts at the top then filters down to all of our businesses.”

The pillars of data protection

Three key pillars—data ethics, data privacy and data security—function together under the umbrella of data protection to support a flexible framework built for ever-changing regulations and business expectations, and to uphold user confidence.

Pillar #1: Data ethics

Your organization’s cultural views on data protection inform the way data privacy and security policies are enacted and executed. Harvard Business School defines “data ethics” as the moral obligations tied to gathering, protecting and using personally identifiable information, as well as the impact these actions have.³ To make responsible decisions around data and promote trustworthy AI, consider the following principles of data ethics.

Ownership

Getting data ethics right begins with knowing who owns the data you’re using. Just because a user gives you data doesn’t mean you own it. Consent is a must—and so are data protection and data respect. Upholding data integrity means never abusing data and disposing of that data as soon as you’re done with it.

Transparency

In data protection terms, transparency means being clear with customers about how their data is used. According to Pew Research Center, 81% of people say the potential risks of data collection outweigh the benefits.⁴ To overcome this historic mistrust, empower users to understand the purposes and lifecycle of customer data so they can feel comfortable that your organization will use it properly and with best intentions.

Privacy

When a company collects information, stores it and analyzes it, that information should not be used, stored, shared, maintained, retained or disposed of outside of the agreed purposes for which it was originally obtained. This is where data privacy strategies come into play again, helping to strengthen data ethics and security policies.

Intention

Whether your organization is a solution provider or a digital provider, always be clear on your purpose when using data and machine intelligence. Trustworthy AI ensures that users understand how data and technology work together and why AI makes the decisions it does. Tools to increase our trust in AI—such as explainer toolkits, taxonomies of AI techniques and AI governance solutions—help users know your intentions so they can trust in your technology, your processes and the outcomes of their data use.

Prevention

Data breaches, ransomware attacks and slipups are harmful to customers and will test their patience, loyalty and faith in your organization. Because these problems can and will arise, it’s vital to put risk management safeguards in place. One IBM study found that companies that have fully deployed AI and automation as part of their security strategy save an average of USD 3.05 million in data breach costs compared to those who have yet to do so.

Pillar #2: Data privacy

Data ethics is about establishing an enterprise culture of principled behaviors and practices for data management. Ideally, this culture of ethics and data literacy is adopted across your organization and reflected in your products and operations.
Data privacy, on the other hand, is about defining the policies and practices that activate these principled behaviors through people, business processes and technology, and operationalizing them across the lifecycle of data, from collection to storage. This method is the essence of creating—and automating—a solid data governance framework as part of a data fabric approach.

Data governance helps strike the balance between limiting access to data to ensure privacy and enabling wider access to data for improved analysis. To make it more seamless for your organization to use data while also protecting against unauthorized access, you’ll need to implement the right data privacy tools, such as data access controls. Combine these with AI, such as anonymizing sensitive data so it can be used in a nonidentifiable way or tagging data to allow for policy enforcement.

Having the right data architecture, such as a data fabric—combined with rigorous data management—goes a long way to ensuring that private data remains private and secure, while still allowing data users to gain insights from it.

“Your data protection framework needs to be extremely elastic and very responsive in order to deal with the unknowns of regulatory changes, third-party data, AI regulations and whatever the next 25 developments will be,” says Lee Cox, Vice President, Services, Compliance & Research, Chief Privacy Office at IBM. “There’s way more synergy between privacy and ethics and data governance than we ever anticipated. But the technology we now have is enabling us to rely confidently on data at scale with far more efficiency than we ever did before.”

Benefits of data privacy

Data privacy is first and foremost about protecting customer data and maintaining trust amid shifting regulations. But in today’s marketplace, that’s also a business differentiator. “Privacy is part of a competitive advantage story that touches on practices across our company and contributes directly to revenue as we build the technology that supports our privacy program globally,” says Christina Montgomery, IBM Chief Privacy Officer.

The introduction of GDPR in 2018 challenged many organizations, including IBM, to accelerate development of their privacy programs. For a global company, a logical first step is harmonizing and consolidating local legal requirements into a global privacy compliance framework. For example, by classifying and consolidating metadata from thousands of existing data repositories into a central data fabric, IBM can now quickly determine what types of personal information are being processed across the company, by whom, and where that data is stored. Having a unified privacy framework (PDF, 4.7 MB) provides a metadata-driven approach and single trusted source of truth that has been fundamental in reducing IBM’s exposure to regulatory risk.

Elements of data privacy

Organizations that go beyond simple regulatory compliance can build trust with customers and stand out from competitors. This holistic, adaptive approach to data privacy yields other rewards too:

Understand data risk
Assess data use and risk against customer and regulatory responsibilities.

Secure data sharing
Protect personal data with cybersecurity controls to deliver trusted experiences.

Automate incident response
Respond efficiently to remediate risk and compliance issues and scale more easily.

Pillar #3: Data security

“Technology is evolving, but the threats are also growing exponentially,” says Mehdi Charafeddine, Distinguished Engineer and Global CTO for Data Platform Services at IBM. “Fortunately, there are more and more sophisticated ways to apply data protection and support data privacy.”

According to Gartner, data security comprises the processes and associated methodologies that protect sensitive information assets, either in transit or at rest. That’s why data security is really all about the tools and software used to protect data privacy, whether that’s encryption, multifactor authentication, masking, erasure or data resilience. But establishing appropriate controls and policies is as much a question of organizational culture as it is of deploying the right apps and algorithms.

From a technology standpoint, you can safeguard data with a data fabric architecture, which protects data at the “front door,” where users interact with data at the point of the application, and at the source or “back door,” where data is generated and stored, as well as everywhere in between. This front-door and back-door approach is crucial to ensuring that appropriate data security policies and controls are in place.

“Many of our clients operate in multiple geographies,” says Priya Krishnan, Director of Product Management for Data Governance, Data Privacy and Data Science at IBM, “so their data scientists have wanted to run analysis across geographies. But often they can’t share the data due to silos or not having central governance. Their old solution was ‘imagine and simulate the data and do your models.’ But with the implementation of data fabric, an organization can give the data to the data scientists with the right governance and privacy rules in place so they feel like they really are running a cross-organization initiative.”

Weaving data security measures into end-to-end data management is important in supporting both security and privacy, especially for sensitive data. Take medical research at a hospital, for example. The hospital may be collaborating with third-party experts or data scientists who need to work on specific data or applications without being able to see any regulated or personally identifiable information. Automated role-based data policies can enable collaboration with different parties while also protecting the data from a privacy and compliance standpoint at the application level. At the same time, for trustworthy AI, that data must be safeguarded at the source where it’s stored, for example, the database on premises where it was first collected. Otherwise, patient information is still vulnerable if a cybercriminal were to infiltrate these systems.
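As an added illustration of the tag-driven, role-based policy enforcement described in the hospital scenario above and in the data privacy section (this is not IBM's code or code from this page; the roles, tags, sample record and key are constructed), the following Python policy layer releases a clinical record to a clinician unchanged, gives an external data scientist a pseudonymized linkage key and generalized quasi-identifiers, and withholds any field that is not tagged:

```python
import hashlib
import hmac

# Constructed sample record (no real patient data).
PATIENT = {"patient_id": "P-001", "name": "Ada Example", "dob": "1980-04-12",
           "zip": "02139", "diagnosis": "IBD", "drug": "drug-A", "response": "positive"}

# Every field carries a sensitivity tag; policy is written against tags,
# not field names, so a newly added column is enforced once it is tagged.
FIELD_TAGS = {"patient_id": "linkage_key", "name": "direct_identifier",
              "dob": "quasi_identifier", "zip": "quasi_identifier",
              "diagnosis": "clinical", "drug": "clinical", "response": "clinical"}

# Per-role action for each tag. A tag (or an untagged field) missing from
# the role's policy falls through to "drop", so the layer fails closed.
ROLE_POLICY = {
    "clinician": {"linkage_key": "allow", "direct_identifier": "allow",
                  "quasi_identifier": "allow", "clinical": "allow"},
    "external_scientist": {"linkage_key": "pseudonymize",
                           "quasi_identifier": "generalize", "clinical": "allow"},
}

def pseudonymize(value, key):
    # Keyed, deterministic token: the same patient still joins across records,
    # but the raw identifier is not recoverable without the key.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def generalize(field, value):
    # Coarsen quasi-identifiers (year of birth, 3-digit ZIP prefix).
    if field == "dob":
        return value[:4]
    if field == "zip":
        return value[:3] + "XX"
    return "*"

def apply_policy(record, role, key):
    """Return the view of `record` that `role` is permitted to see."""
    if role not in ROLE_POLICY:
        raise ValueError(f"unknown role: {role}")
    policy, view = ROLE_POLICY[role], {}
    for field, value in record.items():
        action = policy.get(FIELD_TAGS.get(field), "drop")
        if action == "allow":
            view[field] = value
        elif action == "pseudonymize":
            view[field] = pseudonymize(value, key)
        elif action == "generalize":
            view[field] = generalize(field, value)
        # "drop": the field is withheld from this role entirely
    return view
```

In practice the key would come from a key management service rather than a literal, and the same policy must also be enforced at the source database, since an application-level view does nothing for an attacker who reaches the stored data directly.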

When data security is done correctly, it incorporates people, processes and technologies and builds trust in AI. Explore the following best practices for making information security a priority across all areas of the enterprise.

Know where data resides and who has access

The key steps in protecting sensitive data include automating visibility, contextualizing, controlling access policies and implementing ongoing monitoring to identify vulnerabilities and risks before they become breaches.

Secure data to prevent a catastrophic breach

Support a zero trust approach to data management with an integrated suite of capabilities, including automatically created and securely isolated data copies that can tackle cybersecurity gaps in on-premises or hybrid cloud deployments.

Simplify compliance

Addressing the growing number of privacy mandates is difficult enough. Keeping up with reporting can be another hardship for your team. Simplify the process with automation, analytics and activity monitoring.

Where does data protection start?

Begin your data protection strategy with the following 6 steps:

1. Mobilize the C-suite
Getting the right data protection strategy in place requires buy-in across your organization, and that buy-in begins with support and stewardship from the top of your organization.

2. Gather your executive teams
Establish strategic boards that are focused on data protection. This step shows commitment from your highest-level executives. For example, at IBM, on the SVP level, the Privacy Advisory Committee and the Ethics Board drive policy and build a sense of mission around data protection. “It allows us to validate our strategy and, also, is a very strong accelerant for decision-making and influence across the business,” Cox says.

3. Spark collaboration
Strategic boards should meet regularly to create and validate their data protection strategy. This process keeps data literacy initiatives at the core of data protection and business objectives. Christopher Giardina, an IBM data fabric architect focused on data governance and privacy, says one of the best models of collaboration is between central data offices, the CEO’s office and central privacy offices.

4. Empower service lines
Encourage leadership across your organization to become an extension of the data protection operating model. With the appropriate strategic boards, a centralized data protection policy, and the necessary educational services and technology, service lines and business units can work in sync to carry out data protection strategy goals.

5. Unify strategy
A mature data protection framework aligns the organization through culture change and brings together disparate divisions and units with a unified data strategy. If not only the CDO, but also the CPO and CIO can speak to the competitive advantages of data protection, you’ll be building a business case around how trust and transparency will increase revenue growth. “At an enterprise level, that means that you have to break down the traditional silos within an organization,” Cox says.

6. Automate governance
Providing data protection and privacy at scale requires organizations to set up a governance framework so data is both accessible and protected. A data fabric architecture provides the methods your organization needs to automate data governance and privacy and maintain resilience no matter what tomorrow brings.

Case study

A matter of trust

When people understand how technology works and feel that it’s safe and reliable, they’re far more inclined to trust it. Consider the workflow IBM developed that accurately predicted how patients would respond—positively or poorly—to an irritable bowel disease (IBD) drug 95% of the time. By combining IBD patient data and explainable AI techniques to investigate drug responses, the resulting set of algorithms showed it was possible to unlock the black box of IBD data, and understand, predict and explain how people suffering from IBD may respond to different drugs on the market, as well as those drugs in development.

It’s a continuous, iterative journey

A holistic approach to data protection isn’t a one-and-done deal. It’s a continuous, iterative journey that evolves with changing laws and regulations, business needs and customer expectations. Know that your ongoing efforts are worthwhile. You are setting your data strategy apart as a competitive differentiator that sits at the core of a data-driven organization. Ultimately, data protection is about fostering trust. By enabling an ethical, sustainable and adaptive data strategy that ensures compliance and security in an evolving data landscape, you are building your organization into a market leader.

Next steps

How do you get started?

Building the right data architecture is an iterative process, and it will adapt and grow over time with your business. We’re here to help.