What successful GDPR strategies have in common
In October 2016, I attended IBM Insight at World of Watson 2016 in the US. Although it’s a worldwide event focused on applying cognitive capabilities in multiple domains such as analytics, commerce and security, not surprisingly customers were generally interested in the General Data Protection Regulation (GDPR) adopted earlier in 2016 and applicable in 2018. Not only did European customers participate in sessions and labs on this topic, but also a lot of American, African and Asian companies were very much interested in it.
My session at the end of the conference—almost the last one on Thursday—drew a decent-sized crowd. IBM has a variety of products and services that our clients may wish to consider as they devise their own strategy for GDPR readiness, but a major takeaway from these discussions is that GDPR cannot be solved only with software solutions.
Considerations for successfully implementing GDPR
Like many information governance strategies, GDPR is deeply dependent on companies putting in place the following attributes:
- Organization culture, awareness and communication
- Processes including consent management, security breach notifications and customer rights for rectification
- Legal counseling and data privacy boards
In addition, analysts are predicting the need for a new role—the chief privacy officer (CPO)—to help protect employee and customer data by implementing relevant policies. While these topics were discussed during the conference, two other points of detail came up regularly when discussing GDPR:
- What is to be considered personal data is very broad by definition
- The way fines will be calculated—note that the amounts mentioned by the regulations are very high
These considerations are important for any organization implementing GDPR because companies want to be well prepared. Additionally, when devising a strategy for GDPR readiness, one has to look at solutions that span multiple areas:
- Analytics for traditional governance solutions, for the management of unstructured data and for reporting
- Security for masking data, firewall systems and notification of breaches
- Systems for business process management (BPM)
This list is not aimed at being exhaustive, but it does provide a starting guideline on where to begin for any organization.
In addition to IBM, a growing number of IBM Business Partners worldwide, whether from the Big Four or smaller systems integrators, are working on methodologies and assessment projects to help companies understand their exposure to this new regulation. After talking to various clients and partners, I came away with the following takeaways:
- Cloud strategies are expected to also be deeply impacted by GDPR, and companies are looking forward to counseling and advice on the best ways to tackle these new rules to minimize impact on their projects.
- Cognitive solutions could be a potential accelerator in the way companies understand the impact of regulations and an accelerator in projects to register and classify the data. As a prerequisite, a major investment is needed to get the cognitive engine to understand the regulation and its implications.
- A solid content management and governance foundation would be essential to manage content wherever it resides, in the cloud or on premises. Organizations can look at regulations not as a penalty, but as a way of becoming more disciplined in managing content just as they manage any other valued asset.
I think that it will take some time for organizations to understand and adapt to these new regulations, but many of them have already started devising their strategies. As the axiom says, “well begun is half done,” and I am confident of the success of these strategies. Learn how IBM can help you implement a successful GDPR strategy.