What is the General Data Protection Regulation (GDPR)?

GDPR is designed to unify data privacy requirements across the European Union (EU). If you market to or process the information of EU Data Subjects – which include end users, customers and employees – you need to conform to GDPR to continue conducting business. Learn how to address these key requirements with IBM Security solutions.

Where are you on your GDPR journey?

Starting at the beginning

IBM Security Guardium® Analyzer helps you to efficiently identify the risk associated with personal data that falls under GDPR. It applies next-generation data classification as well as vulnerability scanning to uncover risks associated with such data in cloud-based and on-premises databases.

Somewhere in the middle

IBM Data Privacy Consulting Services can help determine the next steps your organization takes to reduce privacy risks. The GDPR readiness assessment from IBM offers a structured approach to developing a maturity assessment, gap analysis and roadmap for moving forward.

Operationalizing your program

The Resilient Incident Response Platform can help you fulfill GDPR obligations, streamline your incident response and reduce breach notification time. GDPR-specific components have been incorporated into the platform, including the GDPR preparatory guide, GDPR simulator, and GDPR-enhanced privacy module.

IBM Security GDPR framework

Five phases to readiness

The IBM Security GDPR framework provides a holistic approach to helping your organization prepare for and meet GDPR requirements — from assessment to conformance.

Privacy requirements

Assess your current data privacy posture under all of the GDPR provisions. Discover where protected information is located in your enterprise.

Prepare:

  • Conduct GDPR assessments, assess and document GDPR-related policies
  • Assess data subject rights to consent, access, correct, delete, and transfer personal data

Discover:

  • Discover and classify personal data assets and affected systems
  • Identify access risks, supporting privacy by design

Featured solutions

Security requirements

Assess the current state of your security practices, and identify gaps and design security controls. Find and prioritize security vulnerabilities, as well as any personal data assets and affected systems to design appropriate controls.

Prepare:

  • Assess security current state, identify gaps, benchmark maturity, establish conformance roadmaps
  • Identify vulnerabilities, supporting security by design

Discover:

  • Discover and classify personal data assets and affected systems to design security controls

Privacy requirements

Develop a GDPR roadmap and implementation plan. Use the findings in the assess phase to develop next-step activities and help reduce risk in the enterprise.

Roadmap:

  • Create GDPR remediation and implementation plan

Privacy by design:

  • Design policies, business processes and supporting technologies
  • Create GDPR reference architecture
  • Evaluate controller or processor governance

Security requirements

Design security remediation and implementation plan priorities by identifying personal data asset risks. Include a security reference architecture and technical/organizational measures (TOMs) for data protection, starting with security by design and by default.

Roadmap:

  • Create security remediation and implementation plan

Security by design:

  • Create security reference architecture
  • Design TOMs appropriate to risk (such as encryption, pseudonymization, access control, monitoring)

Privacy requirements

Implement and execute the controls in your GDPR strategy, including policies, programs and technologies. Transform the enterprise to be GDPR-ready.

Transform processes:

  • Implement and execute policies, processes and technologies
  • Automate data subject access requests

Security requirements

Implement privacy-enhancing controls such as encryption, tokenization and dynamic masking. Implement required security controls such as access control, activity monitoring and alerting. Mitigate discovered access risks and security vulnerabilities.

Protect:

  • Implement privacy-enhancing controls (for example, encryption, tokenization, dynamic masking)
  • Implement security controls; mitigate access risks and security vulnerabilities

Privacy requirements

Manage your GDPR governance practices through the use of GDPR-specific metrics. Understand how the enterprise is mitigating risks. Begin executive-level and board reporting.

Manage GDPR program:

  • Manage GDPR data governance practices such as information lifecycle governance
  • Manage GDPR enterprise conformance programs such as data use, consent activities, data subject requests

Run services:

  • Monitor personal data access
  • Govern roles and identities
  • Develop GDPR metrics and reporting schemas

Security requirements

Manage and implement security program practices on premises and in the cloud, covering risk assessment and mitigation; incident identification, escalation, response, forensics and resolution; and personnel roles and responsibilities. Measure, document, and communicate program effectiveness to stakeholders. Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats.

Manage security program:

  • Manage and implement security program practices such as risk assessment, roles and responsibilities, program effectiveness

Run services:

  • Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats
  • Govern data incident response and forensics practices

Privacy requirements

Enhance and refine your GDPR practices, identifying areas of concern and addressing them as necessary. Effectively manage your controller/processor relationships and understand whether the associated technical and organizational measures (TOMs) are being followed.

Demonstrate:

  • Record a personal data access audit trail, including the exercise of data subject rights to access, modify, delete and transfer data
  • Run data processor or controller governance, including providing processor guidance, tracking data processing activities, providing an audit trail and preparing for data subject access requests
  • Document and manage the compliance program: ongoing monitoring, assessment, evaluation and reporting of GDPR activities

Respond:

  • Respond to and manage breaches

Security requirements

Demonstrate that you have implemented technical and organizational measures to ensure security controls are in place appropriate to processing risk. This includes producing audit reports and documenting metrics to measure progress. Document the security program itself including policies for ongoing monitoring, assessment, evaluation and reporting of security controls and activities. Respond to and manage incidents and breaches, reporting to regulators within the required 72-hour window.

Demonstrate:

  • Demonstrate technical and organizational measures to ensure security appropriate to processing risk
  • Document security program: ongoing monitoring, assessment, evaluation and reporting of security controls and activities

Respond:

  • Respond to and manage breaches

Discover more GDPR resources

Transform your business with GDPR

Explore GDPR insights from IBM Security leaders

See how GDPR goes beyond privacy and security

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.