Ensuring that your customers’ personal data is used appropriately is key to trust. Our team at IBM Research - Haifa is helping build that trust with a new approach to privacy. Our technology captures how data is used in the enterprise, helps manage data subject consent, and addresses compliance with privacy regulations.
Enterprises today do not have any way to automate the enforcement of privacy regulations because consent is not linked to the data collected. We identified these challenges and developed a set of capabilities called Data Policy and Consent Management (DPCM) to address them.
The first challenge is to record the purposes for which personal data is used. We provide mechanisms for capturing purpose together with the data required for each purpose, and information about how long the data is needed. The latter provides important information for addressing proportionality, which ensures that data is only used and stored for as long as required for a given purpose.
The second challenge involves consent. It must be very clear to the user/customer what their data is being collected for, and the customer must have control over how her data is used. For example, all-or-nothing terms and conditions are now very problematic under new privacy regulations in Europe.
The third challenge is how organizations can address privacy regulations and determine appropriate policies. These business policies need to describe: what personal data is being processed, for what purposes, and the legal basis under which it is being processed, including whether consent is being relied upon. Organizations also need to understand in which countries EU personal data is being processed and ensure that they have the appropriate legal protections in place. Our tool enables enterprises to capture and model this information in what we call “policies”.
Sima Nadler, Senior Program Manager Privacy & World Wide Retail Research Leader, IBM Research - Haifa
Purpose Modeling and Management – This feature helps businesses formally model the purposes for which they need personal data and the data associated with these purposes. It allows them to mark data as mandatory/optional and to indicate obfuscation techniques that can be used to anonymize or mask the data. This means data officers, privacy officers, and offering managers can directly control how sensitive data is handled.
Data Subject Consent Management – This capability provides true transparency. It lets the business share with the end user what data is needed for which purposes. The consent choices made by the end user for each purpose are stored in a central repository for use by all channels (web, mobile, call center, etc.) and all applications in the organization, so there is no need to worry about how to propagate the consent across multiple channels.
Policy Modeling and Management – Includes GDPR and HIPAA out of the box as examples, and supports enterprise policies.
Purpose Based Governance Logic – When data is stored, queried, or transferred, our proprietary governance logic provides guidance on whether and how sensitive and personal data can be used. It leverages both the “policies” as defined by the enterprise in the tool and the consent provided by the end user to make the decision.
Governance Logging and Reporting – All changes to purpose, consent, and policies, as well as all decisions made by the governance logic, are logged and accessible for reports. This is important information that can be used to show compliance efforts.
Currently, consent is a general guideline not directly linked to the data. With this new approach from IBM Research, the consent is formally linked with the data.
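The purpose-based decision described above, as an added example that is not IBM's code: the data model, the field names and the `decide` function are assumptions, since the page does not describe DPCM's schema or API. It combines a purpose's policy (legal basis, retention, obfuscation) with the stored consent, denies when no consent record exists, and logs every decision.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical data model: the page does not publish DPCM's schema or API.
@dataclass(frozen=True)
class Purpose:
    name: str
    legal_basis: str          # "consent", or another basis such as "contract"
    mandatory: frozenset      # fields the purpose cannot work without
    optional: frozenset       # fields the purpose may use
    masked: frozenset         # fields released only in obfuscated form
    retention_days: int       # how long the data is needed for this purpose

def decide(purpose, field, subject, collected_on, today, consents, log):
    """Return 'allow', 'mask' or 'deny' for one field of one data subject."""
    if field not in purpose.mandatory | purpose.optional:
        verdict, why = "deny", "field not tied to this purpose"
    elif today > collected_on + timedelta(days=purpose.retention_days):
        verdict, why = "deny", "retention period for purpose expired"
    elif purpose.legal_basis == "consent" and not consents.get((subject, purpose.name), False):
        verdict, why = "deny", "no consent on record for purpose"
    elif field in purpose.masked:
        verdict, why = "mask", "policy requires obfuscation"
    else:
        verdict, why = "allow", "policy and consent satisfied"
    # Every decision is logged, including denials.
    log.append((today.isoformat(), subject, purpose.name, field, verdict, why))
    return verdict

# Constructed sample policies and consent records.
MARKETING = Purpose("marketing", "consent", frozenset({"email"}),
                    frozenset({"birth_date"}), frozenset({"birth_date"}), 365)
BILLING = Purpose("billing", "contract", frozenset({"email", "iban"}),
                  frozenset(), frozenset(), 3650)
CONSENTS = {("alice", "marketing"): True, ("bob", "marketing"): False}

if __name__ == "__main__":
    log = []
    collected, now = date(2024, 1, 1), date(2024, 6, 1)
    for purpose, field, subject in [(MARKETING, "email", "alice"),
                                    (MARKETING, "birth_date", "alice"),
                                    (MARKETING, "email", "bob"),
                                    (BILLING, "iban", "bob")]:
        decide(purpose, field, subject, collected, now, CONSENTS, log)
    for entry in log:
        print(entry)
```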