SPONSORED: IBM's five pillars of GDPR compliance

IBM's GDPR lead Steve Norledge talks partners through the key requirements of GDPR

With GDPR now fully enforced, the time for conjecture has passed.

What started as speculation when the legislation was first announced in April 2016 now has to be turned into hard, tangible business practices if organisations across Europe are to be compliant now that the regulation is operational.

Co-operation with the channel is paramount if businesses are to stay compliant, according to Steve Norledge, IBM's UK and Ireland head of GDPR.

"We recognise the criticality of our channel in helping our clients address their GDPR challenges," he said. "We really want our partners to recognise that they need to bring their deep expertise in data management, data governance and security to market. It's about making sure that this expertise is refined and addressing specific GDPR challenges.

"Part of the strategy of making that work is to help them be specific about the value proposition they bring, and then help them collaborate with other partners to deliver a broader and more rounded GDPR proposition.

"There is a risk that a partner, by having a refined value position, may feel they are missing out on opportunities versus someone who is making a broader claim. Our clients' sixth sense has been turned up to the maximum with GDPR, so you get attention by being very specific and showing how you deliver an outcome."

To help the channel cope now that GDPR is in force, IBM has picked out the five pillars required to protect organisations - data, security, governance, cloud and processes - and explained how channel partners can best prepare their customers.

  1. Establish why you hold personal data

GDPR is, in essence, all about data. Norledge said channel partners need to push their clients to rediscover, on a fundamental level, why they hold the data they do, and if they need to keep it.

"We need to think about the understanding of personal data," he explained. "Many organisations don't have complete clarity about what data they are processing, why they're processing it, and where it is. If that is the case, managing it in accordance with GDPR will be a challenge."

Norledge added that in this instance, IBM and its partners could use technology to help their customers organise the data they hold.

"Understanding personal data is key," he explained. "IBM and our partners can help our customers document the data that is being processed and understand the legal basis for processing it.

"We can help the client come to the right decision regarding how they're going to manage it, and all that is underpinned by technology from IBM that can help create a living record of processing activities."

  2. Put security in place

If data is at the centre of GDPR, the processes in place to protect it are equally, if not more, important.

Security becomes essential when the repercussions of a data breach are considered. Organisations face fines of €20m or four per cent of annual turnover if they are found to have breached certain security regulations.

Companies are also required to notify regulators of a breach within three days of discovering it - a demand that IBM said an alarming number of firms are in danger of failing.

Research conducted by IBM and the Ponemon Institute found that in 2017 organisations took on average 191 days to detect a breach.

Norledge said the best starting point for approaching security ahead of GDPR is for partners to help their customers spot the gaps in their security infrastructure.

"Security underpins so much of GDPR," he explained.

"Organisations are encouraged to put in the appropriate technical and operational security controls to protect personal data, so the first way that IBM and our partners are helping clients in this sense is by helping them understand which security controls are appropriate for their business.

"It's the process of helping people evaluate their operation against control points and frameworks, which is a great starting place for organisations to think about where they have gaps in their security provision.

"Depending on where those gaps are, there are technologies available from IBM, which our partners can implement to close them."

  3. Governance

However, protecting data is not enough to make an organisation GDPR compliant.

Norledge explained that the key difference between GDPR and the Data Protection Act is that current legislation requires businesses to be reactive, but a far more proactive approach is necessary with GDPR.

"Currently if the ICO or the governing body were to come and look at you, you would have to show evidence of anything they want to analyse; it's reactive," he explained.

"With GDPR there is an obligation for organisations to continually assert their accountability for conformance."

Norledge said this means that boards have to "demonstrably review their data protection provision", and strengthen the role of their data protection officer.

He explained that IBM and its partners are helping customers put frameworks in place to address these demands, via a set of tools.

"We help organisations put in place this governance framework around these pillars - particularly data and security," he said.

"We have capabilities for unified governance which help people document and manage the personal data they hold. Our channel partners with heritage in data management have the opportunity to work with clients in doing this."

  4. Use the power of the cloud

Issues around data security and governance are further complicated by the shift in where data is stored.

The rapid adoption of public cloud throws up all kinds of questions around data sovereignty and residence - particularly with the vast majority of organisations expected to opt for a multi-cloud approach.

To help make its public cloud GDPR compliant, IBM founded the Cloud Code of Conduct with the EU and a handful of other cloud providers.

"There has been a big focus on making our cloud GDPR ready," Norledge explained. "Many of the capabilities we use to help clients meet these requirements we deliver from the cloud itself and that is a great way of enabling our partners to deliver value flexibly and quickly, with the assurance it's underpinned by the cloud code of conduct.

"The IBM cloud plays a pivotal role. Firstly the cloud itself and its capabilities enable it to be ready for GDPR and then enable our clients to use it, safe in the knowledge that it supports the GDPR requirements.

"This is something that IBM has always been underpinned by: the culture of ethics that is part of IBM's heritage.

"Over the past few years we've been not only putting in place the appropriate security controls to enable businesses to place their information in our cloud, we've also focused on working to create the cloud code of conduct."

  5. Redefine data processes

A customer's data itself has to be protected, but so too do the processes that are put in place to manage and use this data.

An organisation doesn't just have to acquire explicit consent from a customer to hold their data, but also for the processes that it plans to put the data through.

"It starts with the piece around personal data here, so it's thinking about our clients' business processes that use this data," Norledge explained.

"Particularly where you have organisations that engage digitally with consumers and citizens, clearly organisations have to think about these processes and whether they adhere to the underpinnings of GDPR. For example, if you have automated decision processes, have people explicitly agreed to them?"

While this could be viewed as a chore, Norledge said it presents an opportunity for partners to help organisations build digital environments.

"Those partners have an opportunity to help clients think this through; and they can be creative about it," he said.

"It's about building elegant, intuitive engagement methods with the client's customers, and this is vital because consumers are becoming much more aware of the privacy of their data. It's following the path that we have seen with cybersecurity awareness. Five years ago the average person on the street had no real awareness of this, but after seeing so many breaches in the news, they now care."