Skip to main content

Assessing GDPR's Reach

Petra Bührer

When it comes to General Data Protection Regulation (GDPR), a new European law related to data protection, it’s important to review the meaning of “data protection.” In the U.S., data protection is often referred to as “data security,” but in the European Union (EU), data protection has a much broader meaning: It stands for data privacy and data security. The regulation, which goes into effect May 25, intends to protect individuals sharing data with organizations (i.e., to shift control back to individuals and hold organizations accountable).

Worldwide Reach

GDPR specifies how consumer data should be used and protected and is unique in terms of scope, impact and reach. It affects businesses across the globe because every enterprise not only within the EU, but those doing business with EU citizens. And there’s a new component: Controllers and processors are jointly liable for breaches and have an obligation to self-audit their GDPR compliance. They must be able to demonstrate their compliance to supervisory authorities and individuals, including documentation of explicit consent.

As a result, organizations have to rethink the way they do data management. Enterprises are required to report breaches within 72 hours and thus need to have mechanisms in place to not only protect against breaches, but also to detect and report them in a timely manner. Failure to comply with the GDPR can lead to fines of up to 4 percent of the organization’s worldwide annual turnover for that organization or 20 million euros, whichever is higher.

Your Partner in Compliance

It's important to approach GDPR holistically—and education is an important part of that. IBM offers a comprehensive approach to GDPR with solutions and services from assessment to full-scale implementations ( Moreover, the IBM Power Systems* platform can help organizations from an infrastructure standpoint as security is baked into the architecture. IBM also offers solutions for multifactor authentication native on the Power Systems platform, compliance automation (including pre-built profiles for various industry standards to harden your systems), malware intrusion prevention, patch management, trusted logging and more with its PowerSC portfolio. And IBM Storage can help with the encryption of processed personal data, as well as controlled data placement and tracking of physical copies in a central inventory or copy data management.

However, to address GDPR sufficiently, the business process and data management layer must be examined as well. There won’t be a single solution that will address all the requirements of GDPR due to its broad scope.

There’s good news for clients who already have to comply with PCI DSS, NIST 800-53 or ISO 27001: They’re already on the right path to adhere to GDPR. For best results, get started now (if you haven’t already), and reach out for support on your GDPR journey!

Delivering the latest technical information to your inbox.