How to establish a global data privacy framework

As data privacy regulations continue to proliferate, establishing a global data privacy framework is becoming more essential than ever before. 80% of organizations will face at least one privacy-focused regulation within a few years.[1] The IBM Chief Privacy Office (CPO) took on the challenge of creating a truly global privacy framework to prepare for the enforcement of the EU General Data Protection Regulation (GDPR) over three years ago. The lessons from their experience, and the IBM products developed based on the challenges they faced, can help other businesses accelerate the adoption of their own global data privacy framework.

By the numbers

Overcoming IBM’s size was a chief concern in creating a truly global solution. The IBM CPO faced:

  • 6,000 internal processing activities and assets
  • Over 45 million website URLs
  • 400+ legal entities across more than 170 countries
  • 150,000+ partners worldwide
  • Over 13,000 global suppliers
  • 350,000 employees worldwide

A people, process, and technology approach

In developing the IBM Unified Privacy Framework, a new Business Unit Privacy Lead (BPL) role was established across all business units, responsible for implementing processes and tracking remediation. The CPO has also been established at the highest level of the organization, signifying the importance of its mission to infuse compliance through tooling, standardized processes, and employee education. By changing the “people” component of the organization, a much more unified, visible privacy effort gained traction.

A Personal Information Taxonomy was also created over twelve months with input from worldwide legal teams, the CPO, and the Chief Data Office (CDO). Creating the taxonomy involved a comprehensive assessment of industry and regulatory compliance and the creation of a reusable business vocabulary with definitions and business context. The taxonomy was then used to develop an Enterprise Policy Baseline that consolidates all global privacy requirements into a single set of control points that drives the compliance process. A Privacy Information Management System also automates the delivery and tracking of privacy assessments.

These processes wouldn’t have worked without the technology to back them. The most important component was the common privacy services. A combination of custom-developed tools, IBM software solutions, and third-party services was used to manage data discovery, automate the processing of Data Subject Rights (DSR) requests, and facilitate program management.

The Results

For IBM, the Unified Privacy Framework resulted in the ability to prepare for new regulation such as the California Consumer Privacy Act (CCPA) using just a fraction of the time and effort required for the GDPR. Moreover, the metadata-driven approach allowed IBM to respond to regulator requests for details of IBM data flows between the European Union and United Kingdom in just days instead of weeks. Real-time reporting and supplier risk management processes help the business perform its duties in a more informed, consistent manner. And the best part is that everyone is working from a single, trusted source of the truth capable of delivering more uniform, accurate insights while reinforcing IBM’s reputation as a responsible data steward.

The lessons learned from the CPO experience helped strengthen IBM’s client offerings as well, so businesses can get a head start on a global privacy framework based on the work IBM has already done. Businesses following IBM’s lead could experience:

Shorter time to value

The IBM Personal Information Taxonomy is included as a Knowledge Accelerator within IBM Cloud Pak for Data. It provides clients with a structured list of over 150 data types which include PI, SPI, employee, and customer data. With it they can accelerate their efforts out-of-the-box by aligning business data with concepts from key regulations.

Continual enrichment 

IBM Watson Knowledge Catalog continually classifies business assets and assigns them to related business terms, building up the Business Core Vocabulary as an increasingly comprehensive repository of knowledge for the entire business over time.

Better DataOps ROI

A centralized repository of business knowledge is necessary for DataOps, acting as a foundation upon which Data Stewards, Business Analysts, and Data Engineers can coordinate. This can lead to more profitable DataOps initiatives.

Take the next step toward your Global Data Privacy Framework

The increase in both regulations and data shows no sign of stopping anytime soon, so take advantage of the global privacy work IBM has already completed. The PI taxonomy Knowledge Accelerator within IBM Cloud Pak for Data, the IBM OpenPages® with Watson® unified governance, risk and compliance solution, and the cataloging and active management capabilities in IBM Watson Knowledge Catalog can help build a comprehensive solution. You can read the full IBM CPO case study or reach out to one of our data privacy experts at any time!

 

[1] The state of privacy and personal data protection 2020-2022, Gartner
