pe3check -

IBM’s investment in automation pays off in GDPR’s first year

The first year of the EU’s General Data Protection Regulation has demonstrated the value of IBM’s investment in machine learning-based automation and the importance of having the right strategy and systems in place, according to the firm’s data protection officer

As part of its readiness programme for the EU’s General Data Protection Regulation (GDPR), IBM invested in machine learning technology to automate and accelerate the sourcing of compliance information, and that investment has paid off, according to Cristina Cabella, the company’s data protection officer (DPO) and chief privacy officer (CPO).

“Automating systems is key to ensuring an organisation is able to collect and correlate all the relevant information to be able to respond quickly and with more reliability,” she told Computer Weekly, adding that a number of tools that IBM developed in this regard have already been made available commercially for helping organisations with GDPR requirements and dealing with the huge uptick in data subject access requests.

“For example, IBM and Thomson Reuters recently launched a joint solution that uses AI [artificial intelligence] to analyse data from thousands of content sources enabling risk and compliance professionals to keep pace with complex and rapidly changing regulations,” said Cabella.

IBM’s investment in automation was a key element of the company’s GDPR readiness programme, which covered around 380,000 employees and dozens of distinct business units and operations in almost 200 countries, and included transformation work on systems and processes as well as training and education across the organisation.

“Unless organisations have done some automation, they will not be able to cope with the sheer volume of GDPR-related queries,” she said. “But automation alone will not solve the problem. It has to be done alongside work to clean data and implement uniform data taxonomy to ensure the efficiency of systems. At IBM, we say there is no AI before IA – Information architecture.”

Although smaller businesses may be able to comply without automation tools, Cabella said the help of such tools was absolutely key for medium-sized and large enterprises, especially where data is at the core of the company’s business model. “These companies need to prepare themselves, otherwise they risk failing compliance or losing competitive advantage by not being able to use their data effectively,” she said.

Good data protection and privacy is good business

Cabella agreed with the view that good data protection and privacy practices is good business because it enables organisations to get more value out of their data without infringing data subjects’ privacy rights, but this typically requires a shift in corporate culture.

“Unless organisations have done some automation, they will not be able to cope with the sheer volume of GDPR-related queries”
Cristina Cabella, IBM

“It is likely that many organisations will not yet have been able to make that shift in the year since the implementation of the GDPR because the focus has mainly been on compliance and avoiding the potential penalties. Not many companies have been focused on the business opportunities created by the GDPR, but I expect to see more of that in the coming year,” she said.

In light of the fact that many companies’ business models are based on data, Cabella said they should be shaping their data protection and security strategies around those business models and what they want to do with the data they collect.

“Based on that, they need to prompt changes to their privacy notices, terms and conditions of business and all the systems that support these policies,” she said.

“If, however, they just fix individual pieces, they will continually need to apply fixes, but will never solve the big problem by having a more effective and competitive market proposition through greater simplicity and transparency, which will be more attractive to consumers and potentially drive greater business success.

“At IBM, we achieve this by having in place core and long-standing principles that guide our handling of client data and insights, and the responsible development of new technologies. We encourage others to do the same,” said Cabella.

Preparation and collaboration cement skills

GDPR preparation also drove IBM’s commitment to a single compliance framework that was consistently binding on everybody, and greater collaboration between the firm’s security and privacy teams around data protection and cyber threats to enable a highly integrated incident response capability.

This too has proven to be the “right vision” through delivering value, said Cabella, especially in the light of the fact that since the GDPR, several other countries and US states have begun introducing data protection legislation, many of which include a particular focus on cyber security.

Although some of these differ from the GDPR, Cabella said all the work IBM has done in preparation for GDPR has provided a good foundation for adapting to any additional requirements. “In addition, the security elements have led us to intensify even further our drive to combine the efforts of IBM’s security and privacy groups.

“Privacy teams are now even more integrated with security teams because we believe neither should act without input from the other, and so we are continually increasing the level of collaboration, which is helping to broaden the skills of people working on both sides.”

These successes, said Cabella, underline the value of good preparation a year down the line. “All those companies that have worked hard to transform themselves can say that it was worth doing and is delivering returns in terms of being able to build better, more trusted relationships with customers. Trust is one of the most powerful brand attributes.”

Data privacy requires continual improvement

However, she said it was important to remember that compliance with data regulation is not a tick-in-the-box exercise nor an end state. “It is a process of continual improvement as organisations adjust their processes in response to the findings of regular reviews. Everything that is implemented or changed needs to be tested and adjusted again if necessary.”

Although it has been a year since the enforcement of the GDPR, Cabella said it was still too early to say what the longer-term effects and benefits would be.

“Any companies that have failed to go beyond a [GDPR] box-ticking exercise will eventually realise that they have missed an important business opportunity”
Cristina Cabella, IBM

While there have been no dramatic changes, magical fixes or the huge number of large fines some people expected in the wake of 25 May 2018, she said the overall understanding of privacy issues was better with increased maturity both among organisations and consumers, who are more aware of their rights and are increasingly holding organisations to account.

“Only in time will we see if all the GDPR-related work that has been done will prove to be effective in transforming business practices, but any companies that have ultimately failed to go beyond a box-ticking exercise will eventually realise that they have missed an important business opportunity,” she said.

While some organisations still have work to do after a full year of GDPR, Cabella said she was confident that most companies had embraced the GDPR as a positive change. “We are already seeing that consumers are more confident in a system that is clear, transparent and trustworthy, but we need more time to see to what extent this has changed and that a good foundation for trust has been established.”

Expect more GDPR enforcement action

In the year ahead, Cabella said she expected to see more enforcement action, as well as the emergence of more clarity on how the data protection authorities in the various EU member states will approach enforcement action and how the European Data Protection Board (EDPB) will coordinate that action.

“GDPR enforcement action has been relatively limited in the first year as data protection authorities have settled into the new data protection rules, and is it also natural that it takes time to review all complaints, identify legitimate cases, carry out investigations and consider responses,” she said.

At the same time, Cabella said organisations needed to understand that issuing a fine was only one enforcement option. “In many cases, data protection authorities may opt instead to engage with organisations and make recommendations about how to improve their data handling processes and mitigate risks,” she said.

In the year ahead, Cabella also welcomed the prospect of GDPR certification schemes from the EDPB and data protection authorities in the various EU member states. The UK data protection watchdog, the Information Commissioner’s Office (ICO), recently announced it would welcome enquiries from organisations about setting up such schemes.

“There is a lot of appetite for such certifications and this is a valid alternative to enforcement because it is about enabling companies to certify by giving evidence of the standard they are adopting and we are all looking forward to the first certification schemes becoming available.”

Once these GDPR certification schemes are available in all the EU countries in which IBM does business, Cabella confirmed that she would definitely consider certification.

Read more about GDPR



Read more on Privacy and data protection

Data Center
Data Management