Remember the Year 2000 Bug when the entire IT industry was frantically trying to handle dates with a four-digit year before Jan 1, 2000? Companies around the world spent billions of dollars updating their systems to alleviate problems with dates.

Now companies are facing an even bigger hurdle – how to appropriately collect and use personal information in an era of Big Data and cognitive systems. There are loads of privacy regulations for different countries and different industries, but the European Union’s GDPR ruling is changing the game.

GDPR affects all companies that possess any personal information concerning an identified or identifiable European data subject, regardless of where the company is located. It goes into effect in May 2018 and has dramatic penalties for violators – up to 4% of global turnover or 20 million euros, whichever is larger. This means the GDPR is not something to be ignored. Unlike the Year 2000 Bug, GDPR and privacy compliance are not a one-time fix. They require ongoing efforts to comply.

IBM and other companies provide a broad range of services that address various parts of the compliance puzzle. There are tools for identifying personal data in the enterprise data stores, data management tools, security tools, tools for capturing data policies, etc., as depicted here in a diagram of IBM’s capabilities.

We propose including the following steps as part of an enterprise’s efforts in addressing GDPR and other privacy regulations:

  1. Understand what personal data your enterprise has collected, using an existing tool such as StoredIQ or Guardium.
    • Personal data can be obvious things like government ID numbers, phone numbers, names and addresses, as well as less obvious ones like an IP address, a unique ID of the WIFI chip in a mobile device, genomic information, and even indirect identifiers like a unique job title.
  2. Identify and certify the valid purposes for which personal data is collected by your organization, and document in DPCM.
    • Remember to identify those you do not consider valid and that you do not want to collect or use.
  3. Identify all compliance regulations and laws that affect whether/how your organization is allowed to use personal data, and document in DPCM.
  4. Define specific policies for how you want your organization to use personal data and other sensitive data, and document in DPCM.
  5. Collect and enforce consent from users for specific data, and provide flexibility over how personal data may be used using DPCM capabilities.
  6. Subscribe to proportionality requirements by anonymizing, archiving or deleting personal data once it is no longer needed for the purpose(s) for which it was collected using tools such as Optim.


Sima Nadler, Senior Program Manager Privacy & World Wide Retail Research Leader, IBM Research - Haifa

Abigail Goldsteen, IBM Research - Haifa