The upcoming General Data Protection Regulation (GDPR) that will be applicable to all data of EU citizens starting May 2018 enforces new data privacy obligations on the management and the retention of personally identifiable information (PII) including data collection, retention, protection, modification and deletion processes. Learn what are the impacts on your business and how to prepare with IBM solutions

1. GDPR
General Data Protection Regulation
Olivier Barrot
IBM Client Technical Advisor
olivier.barrot@fr.ibm.com
@olivierbarrot
olivier barrot

2. © 2017 IBM Corporation
• Most significant change in data privacy law
in the past 20 years
• Replaces the 1995 EU Data Directive
• Inspired by Charter of Fundamental Rights
of the European Union - Articles 7 (respect for
private and family life) and 8 (protection of
personal data)
• Aim is to have a harmonized, unified data
protection law framework for all EU countries
• No longer a Directive but a Regulation
• Not a one-time effort but a multi-year journey
with regular assessment checks
GDPR: Introduction
Published June 2016
Applicable May 2018
24monthstoprepare
We are here
Non-compliance?

3. © 2017 IBM Corporation
In the Digital Single
Market
Facilitate Free
Flow of Data
With Emerging
Technologies
Modernize
the Law
Data Protection Rights of
EU Data Subjects
Reinforce
& Enhance
GDPR: What you need to know
Extra-territorial, applies to
organisations outside the EU
processing EU data subjects’
personal data with obligations
not just on Controllers but now
also on Processors
Requires the appointment of
mandatory Data Protection
Officers
Defines what constitutes personal,
directly or indirectly identifiable
data, such as online identifiers, IP
addresses and location data
Will fundamentally change the way
organisations must protect, govern
and manage their structured and
unstructured data

4. © 2017 IBM Corporation
GDPR issues: What we have seen so far
Data retention, storage
and security
Designation of main
establishment
Vendor management
and outsourcing
Processing of personal
data in the employment
context and potential
member state variations
IT system capabilities,
integrity and
functionality,
particularly to enable
data subject rights
Costs to business of
free subject access
requests
Development of digital
products and services
Processing of data
relating to criminal
offences or convictions
Uncertainty around
data transfer
mechanisms
Engagement with
industry associations
and advocacy
Data protection by
design and default
Responding to
breaches within time
limits
Designation and tasks
of the Data Protection
Officer
Consent and other
lawful grounds for
processing
Data transfers to third
country authorities
(“anti-FISA clause”)

5. © 2017 IBM Corporation
Evolution of
Compliance
GDPR Policy
Procedures and
Organisation
Training and
Communication
DPO
Board of Directors
GDPR
Compliance
Business
IT
Department
CMO
DHR CIO
SR
GDPR: Who is concerned?
Program Stakeholders
Communication
Collaboration
Coordination
LEGAL
CRO
Data Management and
BigData architecture
teams
CIL
CDO

6. © 2017 IBM Corporation
• Customer’s consent is required when transferring personal data to another country.
• Access to personal data from another country is considered a transfer of personal data
• An EU Model Clause Agreement is generally needed when the transfer is to a non
EU/EEA-country (i.e. a third country)
• Transfer of personal data to the US NOT allowed under a Safe Harbor certification ANY
LONGER
GDPR: Hosting & Cloud impacts

7. © 2017 IBM Corporation
Supporting software and assets
Sensitive & Personal Data discovery
Data LifeCycle Governance and Protection
consent, encryption, masking, deletion, etc.
General Data Protection
Regulation
Where are the major risks
What actions to be taken
Where to start
Operational Methodology to compliance
Flash audit to do the GDPR diagnostic
Build the roadmap to compliance
Privacy Impact Assessment (PIA)
IT systems transformation
Regulation
2018
GDPR: Why IBM?
An end-to-end value proposition: consulting, technology assets and industrialization

8. © 2017 IBM Corporation
Major regulatory compliance areas and actions to be prioritized
Need to demonstrate compliance
with the principles relating to the
personal data processing that
pervades the GDPR
Actions: Consider how compliance is
proven, including data protection
privacy impact assessments, codes of
conduct, governance and certification
Processing is only lawful if there is
one of the following: consent,
necessity, legal obligation,
protection, public interest, official
authority or legitimate interest
Actions: Keep data subjects informed;
manage requests in a transparent,
efficient and effective manner; consider
appointing a DPO
Data controllers and processors must
implement technical and organisational
measures that demonstrate compliance
with the GDPR core principles
Actions: Permeate system development,
maintenance and hosting practices with
privacy principles; demonstrate adherence
and data lineage
Provide for enhanced rights for data
subjects in the EU including erasure,
access and portability
Actions: Keep record of structured and
unstructured personal data; enable
execution of citizen rights amongst which to
understand, access, amend, object, and
export personal data
Need to ensure a level of security appropriate to the risk, including 72H high risk breach reporting
Action: Implement and demonstrate adequate internal and external IT- and physical defences and restrictions to reduce
data privacy and security risks, including data minimisation, pseudonymisation [GDPR term] and encryption techniques
Design and
Default
Rights of
EU Data
Subjects
Security of
Personal
Data
Lawfulness
and
Consent
Accountabili
ty of
Compliance
GDPR: IBM’s vision
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data

9. © 2017 IBM Corporation
IBM’s five layer model for GDPR
GDPR: IBM’s vision
IBM has clustered GDPR activities across five
layers, thereby covering the whole spectrum of
GDPR:
• GDPR governance, covering amongst others
legal assessment, third party management and
risk and compliance
• People and Communications, covering
employee awareness and training, and internal
and external communication
• Processes, covering the GDPR readiness of
HR, CRM and other business processes
• Data, covering personal data life cycle
management and citizen interaction
• Security, covering breach prevention and
management and other digital security measures
BusinessIT

10. © 2017 IBM Corporation
Business Capability Reference Architecture
Governance
People &
Communications
Data
Security
Processes
Roles &
Responsibility
Management
Training &
Certification
Communication
Management
Monitor
Communication
s
Individual PD
Records
Maintenance
“Privacy by
Design”
Development
Rules Execution
Workflow
Management
Catalogue Lifecycle
Management
Archiving
(Minimisation)
Data Disposal
(Minimisation)
Data Lifecycle
Monitoring
(Minimisation)
Policies &
Measures
Management
Regulations &
Requirements
Management
DP Governance
Third Parties
Management
Reqs & Controls
Monitoring
Compliance
Demonstration
DP Strategy &
Risks
Assessment
Access Control
Breach
Prevention &
Management
Security
Monitoring
Vulnerabilities
Assessment&
Mitigation
Citizen Interaction Center
Forensics
Automated
Decision making
Information
PD Rights
execution
Information &
Notice Delivery
Complaints
Registration
Citizen
Identification
Data Management
PD Taxonomy
Consent
Management
Breach
Notification
PD Purpose
Register
Metadata
Identification
Metadata
Classification
Data Lineage
Individual PD
Identification
Individual PD
Classification
Data
Desensitizing
(Minimisation)
Data
Management
Assurance
Data Quality
Data Dictionary
Data Processing
Monitoring
Rules Definition
Notice
Management
PD Record
Processing
Data Source
Discovery
Data Masking
(Minimisation)
Business
focus
IT focus
Security
focus
GDPR: IBM’s vision

11. © 2017 IBM Corporation
Data
Catalogue Lifecycle
Management
Citizen Interaction CenterData Management
IBM software components and services mapping
Governance
People &
Communications
Security
Processes
Roles &
Responsibility
Management
Training &
Certification
Communication
Management
Monitor
Communication
s
Individual PD
Records
Maintenance
“Privacy by
Design”
Development
Rules Execution
Workflow
Management
Archiving
(Minimisation)
Data Disposal
(Minimisation)
Data Lifecycle
Monitoring
(Minimisation)
Policies &
Measures
Management
DP Governance
Third Parties
Management
Reqs & Controls
Monitoring
Compliance
Demonstration
Access Control
Breach
Prevention &
Management
Security
Monitoring
Forensics
Automated
Decision making
Information
PD Rights
execution
Consent
Management
Breach
Notification
PD Taxonomy
PD Purpose
Register
Metadata
Identification
Metadata
Classification
Data Lineage
Individual PD
Identification
Individual PD
Classification
Data
Desensitizing
(Minimisation)
Data Quality
Data Dictionary
Data Processing
Monitoring
Rules Definition
Notice
Management
PD Record
Processing
Data Source
Discovery
Data Masking
(Minimisation)
IBM Software components Expertise / Consulting
Optim
IER
Research
Asset
Resilient
Change Mgt / Process reengineering / Training
Consulting
Vulnerabilities
Assessment&
Mitigation
Data
Management
Assurance
Consulting
Consultin
g
DP Strategy &
Risks
Assessment
Regulations &
Requirements
Management
Consulting
Information
Analyzer
Guardium
DE
Case
Manager
Information &
Notice Delivery
Complaints
Registration
Citizen
Identification
Devt
Expertise
Case
Manager
Consulting
Information Analyzer
StoredIQ
Guardium DP
Information
Governance
Catalog
Program Mgt
+ Consulting Open PagesRC Analytics
Optim
Guardium DP
Identity Gov.
Intel.
Sec. Access Mgr
QRadarGuardium
VA+DP
QRadar
i2
GDPR Operational implementation

12. © 2017 IBM Corporation
IBM Case Manager
GDPR: IBM SW Solutions Framework
IBM Technology overview
Dynamic Policy
Management:
Define what, why,
how long
Data
Infrastructure:
Control use,
align cost to
value
Implementation
Services:
Distribute policies
to data sources
Data Management
Email
Servers
User
Devices
& File
SharesECM &
Collaboration
Archive
Platform
Master
Data
Cloud &
Social
Databases &
Data Warehouse
Hadoop
Platform
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data
P o l i c i e s R u l e s A u d i t
P r o c e s s e s An a l y s e s
Security&ComplianceMonitoring
InfoSphereIBM Atlas
Optim

13. © 2017 IBM Corporation
Business Processes
Accountability
Data Security and Protection
Privacy by Design / Privacy by Default
IT Operational Security
Rights of Restitution / Transfer / Rectification
Archival / Deletion / Quarantine
Files encryption
Anonymization / Data Masking
Operational Data Protection
Users and administrators Activity monitoring
Policies, Rules and Definitions
GDPR Trajectory
Consent
Explicit Consent Management / RTBF
Incidents Management / Data breach
Applications
StoredIQ
QRadar
Atlas
Guardium VA
Optim DP
Guardium DP
Guardium DE
StoredIQ Optim
StoredIQ Legal
Case Manager
QRadar
Guardium DP
Resilient
Identity Gov.
& Intelligence
Atlas
Appscan
Personal Data inventory
Unstructured data Exploration
GDPR
Assessment
(Gap Analysis)
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data
Minimization of personal data used and stored by applications
Infrastructure and Devices
Guardium VA
Bigfix / MaaS360
Structured data ExplorationGuardium DP
Info Analyzer
GDPR Operational implementation
Major IT workstreams and IBM solutions
Data Repositories
Review of Design principles

14. © 2017 IBM Corporation
Sensitive
data
Governance Layer
• Metadata & Policy Mgmt
• Compliance Mgmt
Data Management Layer
• Info Lifecycle Mgmt
Compliance & Security Layer
• Security & Privacy
• Info Gov Utility Services
• Subject Rights Mgmt
Users
Activity
Identity & Access
Mgmt
Incidents
correlation &
identification
CISO, DPO, CPO
Group Compliance
Legal
Security Incidents
Mgmt &
Reporting
DBA
DB & File Activity
Monitoring
Data & Policy
Governance
Retention &
Disposal
Data
Discovery &
Classification
Masking &
Encryption
Vunerabilities
Databases, Apps,
Infrastructure
Dynamic
blocking
GDPR in practice
Data Governance & Security tooling contribution to Compliance by capability

15. © 2017 IBM Corporation
Compliance & Security Layer
• Security & Privacy
• Info Gov Utility Services
• Subject Rights Mgmt
Data Management Layer
• Info Lifecycle Mgmt
Governance Layer
• Metadata & Policy Mgmt
• Compliance Mgmt
Sensitive
data
CISO, DPO, CPO
Group Compliance
Legal
Users
Activity
Vunerabilities
Databases, Apps,
Infrastructure
Dynamic
blocking
Data & Policy
Governance
Masking &
Encryption
Retention &
Disposal
DB & File Activity
Monitoring
Data
Discovery &
Classification
Identity & Access
Mgmt
Incidents
correlation &
identification
Security Incidents
Mgmt &
Reporting
Information
Governance
Catalog
Atlas
DBA
AppScan
BigFix/
MaaS360
Identity
Governance
Intelligence
Information
Analyzer
GDPR in practice
Data Governance & Security tooling contribution to Compliance by capability

16. © 2017 IBM Corporation
IBM help clients to define their roadmap for compliance
and support support the implementation program until 2018 and beyond…
16
GDPR Timeline
2H 2016 2017 1H 2018
Legal review
Identify gaps
Impact analysis
Many firms are currently
working through the legal
interpretation. IBM can support
the gap- and impact analysis.
IBM can speed up your deployment programme at a reduced
cost by bringing GDPR solutions, tools and accelerators
across the full spectrum of your needs.
IBM can provide the capabilities to
deliver and demonstrate your
GDPR compliance.
Governance
People & Communications
Process
Data
Security
Test & Assure
Demonstrate compliance
(ongoing)
Deploy to production
Now
Diagnose Define, Design and build Deliver and Demonstrate
May
2018
GDPR: IBM’s Proposal

17. © 2017 IBM Corporation
Characteristics of the implementation approach
Understand your dataPrioritize Optimize as you go
Define the data privacy relevant data as
part of the implementation
Key questions to be answered are:-
• What data do we have?
• Where does it reside?
• Do we need to data for service delivery or do
we need consent?
• How do we use the date?
• Did we already obtain consent to use the
data?
• What data retention and access rules apply?
Apply Data Governance principles by defining
data owners and governance processes, BUT
only for DP relevant data
Align to MDM for client implementations where
possible
Implement controls in order of
GDPR risk assessment
Create inventory on the revelant data sets in
the organization and prioritize
Implement following the priorities high =>
medium => low
Use an agile approach to allow for changes in
prioritizations
Focus on compliance risk not on
completeness or perfection
Develop a solid foundation for optimization
after May 2018
Add technical capabilities (e.g. new connector
types and processing power) in the
architecture as you go
Build your maintenance organization while
implementing; transfer knowledge and skills
from IBM to the AXA organization
Re-use components to the max
GDPR: IBM’s Proposal

18. © 2017 IBM Corporation
References and Contacts
• GDPR Regulation
– https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
– https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation
– http://ec.europa.eu/justice/data-protection/reform/index_en.htm
• IBM France GDPR Proof Of Technology
– http://www-05.ibm.com/fr/events/tec/new/MCHR-AHKCEJ.html
• IBM Technical Expert Council France
– @ibmtecf
– https://www.linkedin.com/groups/8457887