Gearing up for the General Data Protection Regulation

Information Lifecycle Governance and eDiscovery Legal Consultant, IBM

After a long wait, the General Data Protection Regulation (GDPR) was published on 4 May 2016, and will be immediately applicable on 25 May 2018—after a two-year transition period. The GDPR is applicable to any organization that operates in the European Union (EU) market and processes the personal data of EU data subjects. Much of the existing data protection law in the EU is based on the outdated 1995 Data Protection Directive, which is implemented by local laws. These local laws will continue to apply until the GDPR becomes applicable. GDPR expands the scope of regulation further to capture extraterritorial organizations, which is of particular concern to global undertakings. The GDPR also introduces cross-industry, 72-hour breach reporting to regulators and without-undue-delay reporting to individuals with the associated risk of severe reputational harm. 

Many organizations are concerned about where to look first; trying to boil the ocean is not a good place to start. When they are taking their initial steps, our clients often find great benefit and fast, positive results if they opt to conduct a gap or other risk assessment. These results can be achieved particularly when the assessment is carried out alongside a data discovery exercise against both their structured and unstructured data environments. 

With non-compliance having the potential to lead to huge fines of up to €20 million or 4 percent of total annual worldwide turnover, organizations need a trusted partner to help them act. IBM is therefore actively engaged with clients on a cross-industry basis to help them plan for and address their requirements under the GDPR and build on the foundations they already have to ensure they adopt a “protect, govern and know your data” approach. 

IBM has recognized that the GDPR has broad requirements and needs a broad set of capabilities, including not only people, process and policy but also technology. We are therefore well prepared to assist clients with this evolution of data protection law, and are extensively equipped with both technology offerings built around a GDPR-specific architectural solution framework, and also with deep consulting capabilities. Learn more about the services and solutions IBM has in the GDPR space.