Data Security and Privacy

The Data Security and Privacy group specializes in developing algorithms and tools for data protection, privacy in machine learning, data security in the cloud and more.

Data Policy and Consent Management

Consent Management solution: IBM deployments

The Data Policy and Consent Management (DPCM) asset was used in several engagements with different IBM business units to provide the underlying compliance support for privacy regulations such as GDPR and HIPAA. Using our DPCM technology, IBM’s Watson Health Platform has been the first to offer these capabilities commercially as part of their clinical trial selection and their flagship inhalator product line.

The Chief Data Office adopted the asset to provide internal IBM applications with a unified way to collect, manage and enforce user consent. It is the engine under the hood of the IBM preference center, accessible to any person who has registered with IBM or may have interacted with IBM representatives before by e-mail or phone.

Most recently, IBM Security has incorporated DPCM in their Security Verify (ISV) offering to provide advanced purpose-driven consent management capabilities, enabling customers to make an organizational shift towards simplifying how a privacy/risk/compliance officer stays abreast of changing regulations, while the application developer integrates with simple interfaces and focuses on the user experience.


Igor Gokhman, Data Security and Privacy, IBM Research - Haifa


A brief overview of the technology

Ensuring that your customers’ personal data is used appropriately is key to trust. Our team at IBM Research - Haifa is helping build that trust with a new approach to privacy. Our technology captures how data is used in the enterprise, helps manage data subject consent, and addresses compliance with privacy regulations.

Enterprises today do not have any way to automate the enforcement of privacy regulations because consent is not linked to the data collected. We identified these challenges and developed a set of capabilities called Data Policy and Consent Management (DPCM) to address them.

  • The first challenge is to record the purposes for which personal data is used. We provide mechanisms for capturing purpose together with the data required for each purpose, and information about how long the data is needed. The latter provides important information for addressing proportionality, which ensures that data is only used and stored for as long as required for a given purpose.
  • The second challenge involves consent. It must be very clear to the user/customer what their data is being collected for, and the customer must have control over how their data is used. For example, all-or-nothing terms and conditions are now very problematic under new privacy regulations in Europe.
  • The third challenge is how organizations can address privacy regulations and determine appropriate policies. These business policies need to describe: what personal data is being processed, for what purposes, and the legal basis under which it is being processed, including whether consent is being relied upon. Organizations also need to understand in which countries EU personal data is being processed and ensure that they have the appropriate legal protections in place. Our tool enables enterprises to capture and model this information in what we call “policies”.

Purpose Modeling and Management

This feature helps businesses formally model the purposes for which they need personal data and the data associated with these purposes. It allows them to mark data as mandatory/optional and to indicate obfuscation techniques that can be used to anonymize or mask the data. This means data officers, privacy officers, and offering managers can directly control how sensitive data is handled.

Data Subject Consent Management

This capability provides true transparency. It lets the business share with the end user what data is needed for which purposes. The consent choices made by the end user for each purpose are stored in a central repository for use by all channels (web, mobile, call center, etc.) and all applications in the organization, so there is no need to worry about how to propagate consent across those channels.

Policy Modeling and Management

  • Including GDPR, HIPAA out of the box as examples
  • Support for enterprise policies

Purpose Based Governance Logic

When data is stored, queried, or transferred, our proprietary governance logic provides guidance on whether and how sensitive and personal data can be used. It leverages both the “policies” as defined by the enterprise in the tool and the consent provided by the end user to make the decision.

Governance Logging and Reporting

All changes to purpose, consent, and policies, as well as all decisions made by the governance logic, are logged and accessible for reports. These records can serve as part of the evidence of an organization's compliance efforts.
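
A minimal model of the purpose-based decision and the decision logging described above, as an added example rather than IBM's DPCM logic, which the page describes as proprietary. The `Purpose` fields, the `decide` function, the allow/mask/deny outcomes and the sample purposes are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Purpose:                     # hypothetical purpose model
    name: str
    mandatory: frozenset           # attributes the purpose cannot work without
    optional: frozenset            # attributes the data subject may opt into
    masked: frozenset              # attributes released only in obfuscated form
    retention_days: int            # how long the data is needed for this purpose
    legal_basis: str               # "consent" or another basis such as "contract"

AUDIT_LOG = []                     # every decision is recorded for reporting

def decide(purpose, attribute, consents, collected_on, today):
    """Return 'allow', 'mask' or 'deny' for one attribute used for one purpose.

    consents maps a purpose name to the set of optional attributes the data
    subject opted into; a missing key means no consent was given.
    """
    granted = consents.get(purpose.name)
    if attribute not in purpose.mandatory | purpose.optional:
        result, reason = "deny", "attribute not modeled for this purpose"
    elif today > collected_on + timedelta(days=purpose.retention_days):
        result, reason = "deny", "retention period expired"
    elif purpose.legal_basis == "consent" and granted is None:
        result, reason = "deny", "no consent for this purpose"
    elif (purpose.legal_basis == "consent" and attribute in purpose.optional
          and attribute not in granted):
        result, reason = "deny", "optional attribute not opted into"
    elif attribute in purpose.masked:
        result, reason = "mask", "obfuscation required by purpose model"
    else:
        result, reason = "allow", "policy and consent satisfied"
    AUDIT_LOG.append((today.isoformat(), purpose.name, attribute, result, reason))
    return result

# Constructed sample purposes and dates.
ANALYTICS = Purpose("analytics", frozenset({"postcode"}), frozenset({"birth_year"}),
                    frozenset({"postcode"}), 365, "consent")
BILLING = Purpose("billing", frozenset({"email", "iban"}), frozenset(),
                  frozenset({"iban"}), 3650, "contract")

if __name__ == "__main__":
    collected, now = date(2024, 1, 1), date(2024, 6, 1)
    print(decide(ANALYTICS, "postcode", {"analytics": set()}, collected, now))
    print(decide(ANALYTICS, "birth_year", {"analytics": set()}, collected, now))
    print(decide(BILLING, "iban", {}, collected, now))
```

The order of the checks makes the model fail closed: an attribute that was never modeled for a purpose, or whose retention period has passed, is denied even when consent exists.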

Currently, consent is a general guideline not directly linked to the data. With this new approach from IBM Research, the consent is formally linked with the data.

IBM Consent and Privacy Policy Management