The GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world. The Regulation also introduces rules relating to the free movement of personal data within and outside the EU.

Individuals are increasingly data-savvy and:

  • Understand how brands use their data for sales and marketing purposes
  • Are aware of their rights with regard to their personal data
  • Are concerned about the well-publicised threat of cyber data theft

Most organisations are concerned about the potential significant financial penalties the Regulation can bring, but some forward-thinking companies are also planning how to turn GDPR into an opportunity in 2017.

IBM’s commitment to GDPR readiness

IBM is committed to providing our clients and partners with innovative data privacy, security and governance solutions to assist them on their journey to GDPR compliance.

Trust in Data

Data and its protection are becoming increasingly important to individuals and society. Enterprises must earn the public’s trust in their ability to steward information. As IBM’s long history of security and privacy leadership demonstrates, IBM understands that protecting privacy is essential to gaining trust. IBM was one of the first companies to appoint a Chief Privacy Officer, to develop and publish a genetics privacy policy, to be certified under the APEC Cross Borders Privacy Rules system, and to sign the EU Data Protection Code of Conduct for Cloud Service Providers. Now, IBM is continuing its long-standing leadership in the area of data privacy by responding proactively to the General Data Protection Regulation (GDPR).

IBM Commits to GDPR Readiness

IBM currently complies with privacy laws around the world. IBM is also preparing to comply with the European Union’s new General Data Protection Regulation (GDPR) which will go into effect in May 2018. IBM has established a global project to prepare for GDPR, both for our internal processes and for our commercial offerings. IBM recognises that our customers will rely on IBM’s offerings and technical assistance to achieve GDPR compliance within their own organisations and IBM is well-positioned to meet this critical need.

As part of its GDPR project, IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes, with the objective that technical and organisational security measures limit, by default, the amount and use of personal data to what is specifically required. This work will also strengthen controls already in place to limit access to personal data, including with respect to mobile applications that rely on sensible default settings to prevent personal data from being inadvertently shared with others.

Read the eBook

How can IBM help on your journey to GDPR readiness?

IBM offers comprehensive solutions, services and expertise to help support your journey to GDPR readiness. There are five key areas that need to be addressed.


Protection of the fundamental privacy rights (e.g. protecting the security and confidentiality of Personal Data, but also providing proper use, notice, consent, choice, access, rectification and erasure, just to name a few.


Determine how you can translate GDPR into actions, norms and values. Consider what measures need to be taken, are they effective and how can you improve them.


IBM Cloud is agile and scalable with built-in data security and privacy services and solutions that can be consumed on premises or as SaaS offerings. Our comprehensive data security platform helps safeguard sensitive data wherever it resides and provides a full range of data protection capabilities.

People, Processes and Communications

Train your employees on GDPR requirements. They need to understand the risks and impact of improper data use. Take a look at your processes: how GDPR will influence them, what’s the impact and how you can manage the required changes.


Govern and ensure the quality of your data, assess what data you have, what you’re using it for and consider how you can interact with individual customers, clients, or third parties. This is crucial for offering transparency and trust which is demanded from GDPR.


GDPR is more than just information security, data governance or training employees. It is complex and far-reaching legislation, comprising many components that touch organizations in numerous ways and at all levels.

At the same time, GDPR is just the latest in the ever-increasing number of regulations which needs a strong Information Governance program and technical framework to succeed. A comprehensive approach is required, taking all of its aspects into consideration.

The assessment we developed can be a great help with that, whether your company has already begun tackling GDPR or is preparing its first moves. The assessment begins with determining the main GDPR stakeholders in your organization per key area of attention. This is done together with the person responsible for data privacy in your organization (you may even already have a special data privacy officer in place). These stakeholders might be: representatives of the HR department, for communication, training and personnel data; of the marketing department, for protecting your brand and your customer data; and of the IT department, for security issues. Interviews and workshops will be planned with all these people.


There are two versions of the assessment.

The first is ‘speed week’. This assessment takes just one week and is intended for companies which already have a GDPR readiness plan in place. Together we will look at your roadmap to determine how complete it is. This will result in recommendations on how to realize your goals, speed-up the process and increase your chance of success.

Or do the full assessment, this takes four to six weeks, depending on the number of stakeholders involved. It will address all five key areas and GDPR requirements. Both types of assessments will lead to a practical roadmap, in a short period of time, drawn-up in close co-operation with your internal stakeholders and owned by your data privacy officer or designated individual.

Both types of assessments will lead to a practical roadmap, in a short period of time, drawn-up in close co-operation with your internal stakeholders and owned by your data privacy officer or designated individual.


The main goal of the IBM assessment is to create a road map to help prepare your organization for GDPR, looking at the five main areas of attention to determine what needs to be done. These areas are governance, people and communication, processes, data and security. The focus should be on where your company’s biggest risks are and to be sure to address these issues first – helping you to become ready for the respective GDPR requirements by May 2018.

Checklists and accelerators

Checklists and accelerators ensure the effectiveness of the sessions. We developed GDPR outcome-based materials like an overview of all GDPR requirements and measures, a list of all types of personal data, but also ready-to-use agendas to be customized for the different participants in the interviews or workshops. This way processes that could take weeks can be handled more quickly.

During the workshops the GDPR requirements are weighed against the processes, norms and values of your company in a consistent manner. The gaps and priorities found will lay the foundation for your roadmap.