IBM’s Global Chief Data Office selected IBM Data Risk Manager to provide a visual control center for executives and their teams. With its business-consumable dashboard, Data Risk Manager helps privacy and data officers across IBM uncover, analyze and visualize business risks around sensitive data so they can take corrective action.
Companies that control personal data of EU data subjects are required to understand the types of data, where it is, who owns it and the associated level of risk as part of addressing GDPR readiness.
As a key element of IBM’s GDPR reference architecture and common services, IBM Data Risk Manager helps uncover, analyze and visualize data-related business and compliance risks in a business context.
data risks across thousands of applications and terabytes of data
critical information for responding to audits and reporting to executives
fines that can result from non-compliance with GDPR and other regulations
As a global company operating in more than 170 countries, IBM has longhad to address compliance with data privacy laws and regulations around the world. When the EU General Data Protection Regulation (GDPR) was adopted in April 2016, IBM saw an opportunity to refresh its privacy practices and enhance its products and services while preparing for the enforcement deadline of 25 May 2018. This wasaccomplishedby embracing GDPR globally, as a global transformation program of change across IBM, to benefit all clients.
That global program included, among numerous work streams, addressing the GDPR requirement to understand the type of personal data IBM controls, where it is, how it is used and who owns it. “The job involved examining more than 6,500 applications across the company, about 3,400 of which are critical from a GDPR perspective,” says Neera Mathur, Senior Technical Staff Member in the Global Chief Data Office.
The results of this effort were collected in a central data privacy catalog, as a key first step in the journey to readiness. But a question remained: how to identify and evaluate the risks associated with the GDPR-relevant data under IBM’s control, and how to share that information with business leaders.
IBM’s Global Chief Data Office, charged with developing a reference architecture and a set of common services for supporting business units in making their data stores ready for GDPR, selected IBM Information Governance Catalog for the central store of privacy data—the privacy catalog—and IBM Data Risk Manager to provide a visual data risk control center for executives and their teams—the risk regulatory dashboard.
By providing a business-consumable dashboard, Data Risk Manager helps privacy officers and data officers at all levels across IBM uncover, analyze and visualize data-related business risks so they can take corrective action. During the months leading up to the GDPR enforcement date, for example, Data Risk Manager could provide insights into instances when personal data could be moved to a system that had better controls for protecting it, when it should be encrypted, or when it could be deleted all together. Visualizations include maps of data residency as well as graphics focused on risk and vulnerabilities.
Now, working from the data store- and application-level information housed in the privacy catalog, Data Risk Manager can provide answers to the basic questions a regulator would ask: What personal data do you have? What is it used for? What applications, business processes and people have access to it? Who is the owner of this particular data store, and where is it located? And as changes are made to the privacy catalog, the updated information is reflected in the dashboard, supporting the ongoing requirement to address compliance with multiple data privacy regulations, including GDPR.
Data Risk Manager can perform at the global level across the company, by business unit or by application, allowing users to see only data that is relevant to their role. IBM’s Chief Privacy Officer and Data Privacy Officercan see the status of sensitive personal data IBM-wide, for example, while a business unit-level data privacy officer can only see data relevant to their operation or location.
“IBM is very diverse with many business units and thousands of applications that process personal data. Data Risk Manager, along with Information Governance Catalog, helped us visualize and manage trusted data in a very short time,” says IBM Chief Data Officer Inderpal Bhandari.
As a key component of IBM’s GDPR common services reference architecture, Data Risk Manager helps privacy officers across the company report on data risks and compliance posture for GDPR as well as other data privacy regulations and respond to requests for information from auditors or individuals within the company.
And by visualizing risks so they can be readily identified, easily understood by business executives and addressed appropriately, Data Risk Manager can help IBM avoid fines levied for non-compliance with data privacy regulations, including GDPR.
IBM is a recognized leader in data protection and complies with data privacy laws around the world. As part of IBM’s ongoing commitment to privacy by design, IBM has embedded data protection principles even more deeply into its business processes, products, and services so that our clients can better meet their own data protection objectives. In addition to enhanced security, IBM offers innovative data privacy and governance solutions that can assist clients and partners with GDPR compliance. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
Legal
© Copyright IBM Corporation 2018. IBM Security, 75 Binney Street, Cambridge MA 02142
Produced in the United States of America. August 2018
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/trademark.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. Not all offerings are available in every country in which IBM operates.
The client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.
It is the user’s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.