pe3check - stock.adobe.com
As part of its readiness programme for the EU’s General Data Protection Regulation (GDPR), IBM invested in machine learning technology to automate and accelerate the sourcing of compliance information, and that investment has paid off, according to Cristina Cabella, the company’s data protection officer (DPO) and chief privacy officer (CPO).
“Automating systems is key to ensuring an organisation is able to collect and correlate all the relevant information to be able to respond quickly and with more reliability,” she told Computer Weekly, adding that a number of tools that IBM developed in this regard have already been made available commercially for helping organisations with GDPR requirements and dealing with the huge uptick in data subject access requests.
“For example, IBM and Thomson Reuters recently launched a joint solution that uses AI [artificial intelligence] to analyse data from thousands of content sources enabling risk and compliance professionals to keep pace with complex and rapidly changing regulations,” said Cabella.
IBM’s investment in automation was a key element of the company’s GDPR readiness programme, which covered around 380,000 employees and dozens of distinct business units and operations in almost 200 countries, and included transformation work on systems and processes as well as training and education across the organisation.
“Unless organisations have done some automation, they will not be able to cope with the sheer volume of GDPR-related queries,” she said. “But automation alone will not solve the problem. It has to be done alongside work to clean data and implement uniform data taxonomy to ensure the efficiency of systems. At IBM, we say there is no AI before IA – Information architecture.”
Although smaller businesses may be able to comply without automation tools, Cabella said the help of such tools was absolutely key for medium-sized and large enterprises, especially where data is at the core of the company’s business model. “These companies need to prepare themselves, otherwise they risk failing compliance or losing competitive advantage by not being able to use their data effectively,” she said.
Good data protection and privacy is good business
Cabella agreed with the view that good data protection and privacy practices is good business because it enables organisations to get more value out of their data without infringing data subjects’ privacy rights, but this typically requires a shift in corporate culture.
Cristina Cabella, IBM
“It is likely that many organisations will not yet have been able to make that shift in the year since the implementation of the GDPR because the focus has mainly been on compliance and avoiding the potential penalties. Not many companies have been focused on the business opportunities created by the GDPR, but I expect to see more of that in the coming year,” she said.
In light of the fact that many companies’ business models are based on data, Cabella said they should be shaping their data protection and security strategies around those business models and what they want to do with the data they collect.
“Based on that, they need to prompt changes to their privacy notices, terms and conditions of business and all the systems that support these policies,” she said.
“If, however, they just fix individual pieces, they will continually need to apply fixes, but will never solve the big problem by having a more effective and competitive market proposition through greater simplicity and transparency, which will be more attractive to consumers and potentially drive greater business success.
“At IBM, we achieve this by having in place core and long-standing principles that guide our handling of client data and insights, and the responsible development of new technologies. We encourage others to do the same,” said Cabella.
Preparation and collaboration cement skills
GDPR preparation also drove IBM’s commitment to a single compliance framework that was consistently binding on everybody, and greater collaboration between the firm’s security and privacy teams around data protection and cyber threats to enable a highly integrated incident response capability.
This too has proven to be the “right vision” through delivering value, said Cabella, especially in the light of the fact that since the GDPR, several other countries and US states have begun introducing data protection legislation, many of which include a particular focus on cyber security.
Although some of these differ from the GDPR, Cabella said all the work IBM has done in preparation for GDPR has provided a good foundation for adapting to any additional requirements. “In addition, the security elements have led us to intensify even further our drive to combine the efforts of IBM’s security and privacy groups.
“Privacy teams are now even more integrated with security teams because we believe neither should act without input from the other, and so we are continually increasing the level of collaboration, which is helping to broaden the skills of people working on both sides.”
These successes, said Cabella, underline the value of good preparation a year down the line. “All those companies that have worked hard to transform themselves can say that it was worth doing and is delivering returns in terms of being able to build better, more trusted relationships with customers. Trust is one of the most powerful brand attributes.”
Data privacy requires continual improvement
However, she said it was important to remember that compliance with data regulation is not a tick-in-the-box exercise nor an end state. “It is a process of continual improvement as organisations adjust their processes in response to the findings of regular reviews. Everything that is implemented or changed needs to be tested and adjusted again if necessary.”
Although it has been a year since the enforcement of the GDPR, Cabella said it was still too early to say what the longer-term effects and benefits would be.
Cristina Cabella, IBM
While there have been no dramatic changes, magical fixes or the huge number of large fines some people expected in the wake of 25 May 2018, she said the overall understanding of privacy issues was better with increased maturity both among organisations and consumers, who are more aware of their rights and are increasingly holding organisations to account.
“Only in time will we see if all the GDPR-related work that has been done will prove to be effective in transforming business practices, but any companies that have ultimately failed to go beyond a box-ticking exercise will eventually realise that they have missed an important business opportunity,” she said.
While some organisations still have work to do after a full year of GDPR, Cabella said she was confident that most companies had embraced the GDPR as a positive change. “We are already seeing that consumers are more confident in a system that is clear, transparent and trustworthy, but we need more time to see to what extent this has changed and that a good foundation for trust has been established.”
Expect more GDPR enforcement action
In the year ahead, Cabella said she expected to see more enforcement action, as well as the emergence of more clarity on how the data protection authorities in the various EU member states will approach enforcement action and how the European Data Protection Board (EDPB) will coordinate that action.
“GDPR enforcement action has been relatively limited in the first year as data protection authorities have settled into the new data protection rules, and is it also natural that it takes time to review all complaints, identify legitimate cases, carry out investigations and consider responses,” she said.
At the same time, Cabella said organisations needed to understand that issuing a fine was only one enforcement option. “In many cases, data protection authorities may opt instead to engage with organisations and make recommendations about how to improve their data handling processes and mitigate risks,” she said.
In the year ahead, Cabella also welcomed the prospect of GDPR certification schemes from the EDPB and data protection authorities in the various EU member states. The UK data protection watchdog, the Information Commissioner’s Office (ICO), recently announced it would welcome enquiries from organisations about setting up such schemes.
“There is a lot of appetite for such certifications and this is a valid alternative to enforcement because it is about enabling companies to certify by giving evidence of the standard they are adopting and we are all looking forward to the first certification schemes becoming available.”
Once these GDPR certification schemes are available in all the EU countries in which IBM does business, Cabella confirmed that she would definitely consider certification.
Read more about GDPR
- A year after the official implementation of the GDPR, it is important to highlight the positive opportunities that compliance provides and the insights breach reports are providing, say Deloitte consultants
- Lawyer Elle Todd looks at what can be learned from the first year of the GDPR’s implementation that can help organisations deliver benefits from the regulation.
- The ICO is calling on data protection officials to help kick off the next phase of the GDPR by embedding sound data governance.
- The ICO has launched the first phase of an initiative aimed at enhancing data protection while supporting business innovation.