AI is key to keeping IBM compliant with GDPR

The most significant change for IBM introduced by the EU’s General Data Protection Regulation (GDPR) was the emphasis on demonstrating accountability and compliance.

Although this did not mean much change, IBM still had to make sure it had the processes in place to ensure documentary evidence of its compliance, which required some transformation and change, says Cristina Cabella, the company’s data protection officer (DPO) and chief privacy officer (CPO).

IBM is among those organisations that need to comply with the GDPR as a data controller and processor as well as supplier and partner to other affected organisations.

“The GDPR includes all the principles of the former data protection regime for which we had an established programme, but there was a shift in focus to how organisations record processes, how they document compliance, and how they connect the dots,” Cabella tells Computer Weekly.

“As one of the world’s largest processors and controllers of data, IBM has executed one of the biggest GDPR readiness programmes – covering over 380,000 employees, dozens of distinct business units and operations in almost 200 countries. We have transformed our systems and processes and conducted training and education across the entire global organisation, and we are confident that we are ready.

“However, the biggest challenge for me, as the person responsible for GDPR compliance, was ensuring that I was connecting the dots and ensuring a single compliance framework that was consistently binding on everybody.”

Another positive change the GDPR is driving at IBM is an ever-closer working relationship between the firm’s security and privacy teams around data protection and cyber threats, which has resulted in an even more integrated incident response team because of the new data breach notification requirements.

With a limited time allowed for organisations to notify breaches once they have been discovered, Cabella says it is really important to understand the true nature and scope of any breach quickly, so organisations know exactly when it is necessary to notify and when it is not.

In terms of gathering evidence of GDPR compliance, Cabella says machine learning has been an extremely useful technology in automating and accelerating the sourcing of required information. 

“Through the use of machine learning capabilities, we are able to find and connect the information faster and ensure we are able to present evidence in a format required by regulators in a dynamic way, rather than just having static evidence,” she says.

IBM appointed Cabella as its DPO in line with the GDPR’s requirement to do so where core activities involve collecting or processing EU citizens’ personal data.

“In this role, I see my function as to advise teams what they need to do to comply with the GDPR, ensuring that they do comply, and being the contact between the company and data regulatory authorities who has to explain how we comply,” she says.

“We are able to find and connect the information faster and ensure we are able to present evidence in a format required by regulators in a dynamic way”

Cristina Cabella, IBM

Cabella is confident that she will be able to drive compliance with the policies set by her department because she has a global top-level leadership mandate.

“I also sit in on all the committees where the decisions are made about business policy and strategy, and I have a say over what risks are appropriate for the company or not, so there is an entire management system that supports the independence of my role,” she says.

“There is also the backing of IBM’s leadership team, which means I have the necessary power and resources to assert my independence in taking decisions.”

While Cabella’s focus has mainly been on education and training around compliance and audits and ensuring that everyone in the organisation is working in a compliant way, now that all the processes are up and running, she expects her focus to shift to establishing good relationships with data protection authorities, which will see her travel around the world a lot more from her base in Milan, Italy.

The UK’s Information Commissioner’s Office (ICO) will be the top of the list as IBM’s current lead authority in Europe, but she plans to establish a working relationship with data protections authorities in as many EU member states as possible because IBM has a presence throughout the region.

“Trust in technology and technology companies is important, so I want to invest in explaining what we do, how we do it and how our compliance programme has developed, so they can have a point of contact, not only when something occurs, but as part of an ongoing trust relationship,” she says.

Part of this process will be helping to further foster existing relationships between IBM’s network of privacy leaders around the world with local authorities as the company’s global DPO, supported by in-country data protection leaders.

DPO is the latest role Cabella has taken on in addition to being the company’s CPO, but these roles follow a number of senior legal positions in IBM, including European data privacy officer, senior counsel for competition and EU matters, and trust and compliance officer for Europe, the Middle East and Africa, among others.

Cabella sees the DPO role as complementary to the CPO role in which she is responsible for all other aspects of privacy and data policy that are not covered by the GDPR, and this is another reason why she plans to deepen her relationship with data protection authorities around the world.

“There is a lot of change in Latin America, particularly in Brazil, and Asia Pacific, where there are a number of new data protection laws,” she says. “So I have to ensure that we are up to speed and that I am engaged with local players everywhere that new laws are being introduced.”

For IBM, however, privacy is not about compliance, but about good business, which means putting principles into place to protect client data and ensure the responsible and transparent use of artificial intelligence.

“We believe technology companies need to act to restore society’s trust in technology,” she says. “We also see the GDPR as providing an opportunity for organisational transformation and differentiation.”

Another implication of the GDPR, she says, is that it is forcing organisations to think about their business models and become more efficient in the way they collect, store and use data by ensuring it is aligned to the business model. 

“You can’t just limit yourself to complying with specific requirements,” she says. “You really need to re-examine why you need the data and reorganise all your processes.”

This approach ensures that organisations are collecting only the data they need, which is not only more efficient from the organisation’s point of view, but also helps to build trust, says Cabella.

“Ultimately, this will drive cost savings by reducing the complexity of the data management challenge, and once again, artificial intelligence and machine learning technologies can help with this by helping to rationalise the data you need in terms of the purpose for which you want to use it,” she says.

If an organisation really understands what data it is collecting and for what purposes, that means it will have “cleaner data”, enabling it to take full advantage of technologies such as data analytics and machine learning, says Cabella.

“This is yet another business benefit, because research shows that data scientists spend around 60% of their time cleaning and organising data before they can use it because for decades, organisations have been collecting whatever they could without any consideration of how that data would be used,” she says. 

“If you want to be competitive in a future, innovative world, you need to start putting yourself in a position where you can use the technology of the future, but that means ensuring that you have full control of your data processes. AI should not be seen as a killer of privacy. It is about transparency and control.”