Considerations for GDPR readiness

For PID: 5737-E33

Notice

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of Integrated Analytics System that you can configure, and aspects of its use that can help your organization with GDPR readiness. This information is not an exhaustive list due to the many ways that you can select and configure features, and the variety of ways it can be used in itself and with third-party applications and systems.

You are responsible for ensuring your own compliance with various laws and regulations, including the European Union General Data Protection Regulation. You are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect your business and any actions you may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that you are in compliance with any law or regulation.

GDPR

The General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing the personal data of individuals. GDPR brings:
  • New and enhanced rights for individuals
  • A widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Read more about GDPR

Product Configuration - considerations for GDPR Readiness

The following sections provide considerations for configuring Integrated Analytics System to help your organization with GDPR readiness.

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure and also through unauthorized access or via theft of computer equipment or storage media.

Integrated Analytics System is a standards-based data warehouse and analytics appliance. As an appliance, most of the security features for the product are built-in by default, but you should take note of the following considerations:
  1. Handle protection of data at rest
  2. Use a secure access method such as SSL/SSH to gain entry
  3. Control user access via Kerberos/LDAP
  4. Set appropriate access control methods for database/tables (especially where personal data is stored)
  5. Monitor data access

Configuration to support data privacy

IAS only provides ways to store and access data. You are responsible for handling data privacy aspects of data that is stored in IAS. If personal data are being collected and stored in the database and tables of IAS, make sure they are collected and accessed according to the GDPR guidelines. Also, make sure access to IAS is configured using some of the secure methods as mentioned in the next section.

Configuration to support data security

IAS provides various methods to protect the data stored in the system.

All database interactions over the network can be made secure if you use SSL. Secure Sockets Layer (SSL) is a security protocol that provides communication privacy. You can find the information in the following document to configure SSL for database access: Secure Sockets Layer (SSL) support.

All remote connections to IAS should be accomplished through the SSH protocol.

You should ensure that appropriate access permissions have been configured in the database and the database tables. This provides an additional layer of protection against unauthorized access to the data. You can use the GRANT/REVOKE statements as described in the following document to configure authorization to databases and tables: SQL statements.

You should ensure that all users who access IAS have been given appropriate roles. Ensure that only the required users have been given administrator access. See the following topic on how to create different types of users and give them appropriate roles: User-defined user roles.

Ensure that only the required users in the organization have been given the default Administrator access for IAS. To view the default administrator users in IAS, see: Connecting.

You can also integrate IAS with an external LDAP directory such as OpenLDAP or Microsoft Active Directory for more secure user management in IAS.

See the following to configure external LDAP integration with IAS: External LDAP authentication.

IAS supports native encryption of data at rest for all data stored in the database tables. You can periodically rotate the master key that is used in this encryption. To learn how to rotate the master key, see: Db2® Warehouse native encryption.

IAS does not encrypt data that is kept outside the database, such as operating system logs, database logs, backups kept on the operating system filesystems, and user data files kept in the filesystems that are used to load and unload the database. You should therefore restrict physical access to the IAS appliance in your data center. Also, make sure that any storage media removed from the appliance is properly handled.

IAS is shipped with the remote root user access disabled by default. Only IBM Customer Support should be allowed to log in to IAS remotely if needed for any support purposes.

Data lifecycle

GDPR requires that personal data is:

  • processed lawfully, fairly and in a transparent manner in relation to individuals.
  • collected for specified, explicit and legitimate purposes.
  • adequate, relevant and limited to what is necessary.
  • accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
  • kept in a form which permits identification of the data subject for no longer than necessary.

Integrated Analytics System (IAS) is a high performance, integrated data warehouse appliance. As a general purpose data warehouse appliance, IAS can be used to store a variety of data in a structured manner that can later be used for analytics and reporting purposes. Depending on your business needs, various types of data can be stored in IAS in the form of databases and tables. Being a general purpose data warehouse system, IAS does not restrict end users from storing and managing personal data in the native database and tables.

Apart from the business-related data stored in the database, IAS also captures and manages operational data such as user account details (for example, remote IP address, user ID, and local user credentials such as role).

Business data can be loaded into the database and tables residing in IAS through various means and at various stages as dictated by your business needs. This data gets loaded into the database in the following ways:

  • In bulk, using methods such as loading from a file or restoring from a backup.
  • Explicitly, by user applications using statements such as SQL INSERT.

Operational data in IAS gets captured in logs and diagnostic files at various stages as determined by the architecture of the appliance.

A typical data lifecycle in IAS involves the following:

  • You collect the required data as defined by your business logic.
  • You then load that data into IAS.
  • You perform analytics on the stored data and view the analyzed data using various database applications including the ones that are supplied with IAS.
  • The data stored in IAS can also be managed by various administration tools that are provided as part of IAS.

Determine the purpose for obtaining, processing and/or storing the data

You obtain the data for analytics from various methods and sources as defined by your business logic.

Business data stored in the database and tables is mainly used by you for business analytics and reporting purposes. The operational data that is captured in the appliance logs and diagnostic files is used mainly for troubleshooting the appliance.

IAS uses the Db2 Warehouse product as the core entity that manages business data stored in the database and tables. You can also look into the deployment guidelines document of Db2 and Db2 Warehouse offerings for more insights on how data is managed within the database and tables.

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (This cannot apply if you are a public authority processing data to perform your official tasks.).

IBM customers are responsible for getting one of the above lawful bases for each of the data they collect and load into the IAS for processing.

Explicit requirements

  1. Ensure the appropriate consent is in place - contract, service, explicit Data Subject consent.
  2. Understand where the data resides in the application/solution.
  3. Ensure the data is secured through:
    • encryption,
    • access control,
    • additional controls.
  4. Ensure the retention period of this data is clearly defined.
  5. Ensure the data is deleted at the end of the retention period.
  6. Ensure all the Data Subject rights can be fulfilled:
    • Higher standards for privacy policies and statements and for obtaining consent
    • Easier access to personal data by a data subject
    • Enhanced right to request the erasure of their personal data
    • Right to transfer personal data to another organization (portability)
    • Right to object to processing now explicitly includes profiling

Personal data used for online contact with IBM

Integrated Analytics System clients can submit online comments/feedback/requests to contact IBM about Integrated Analytics System subjects in a variety of ways, primarily:
  • Public comments area on pages in the Integrated Analytics System community on IBM developerWorks
  • Public comments area on pages of Integrated Analytics System documentation in IBM Knowledge Center
  • Public comments in the Integrated Analytics System space of dWAnswers
  • Feedback forms in the Integrated Analytics System community

Typically, only the client name and email address are used to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

Data collection

The type of data and the methods used to collect the data that will be stored in IAS are fully determined by IBM customers. IAS does not provide any explicit methods to aid in collecting data in a GDPR-compliant manner.

Data storage

Storage of account data

The user accounts of administrators and other IAS users are stored and managed by LDAP. Strong passwords are recommended for all user accounts created in IAS. Passwords for all users created in IAS are stored in LDAP and are encrypted. For better protection and management, integrate IAS with an external LDAP directory such as Microsoft Active Directory. See the following for information on how to manage users in IAS: .

Storage of client data

If you are loading and storing personal data in the database and tables of IAS for your business needs, you need to make sure that you follow best practices to protect those tables. See SQL statements for more details on how to GRANT/REVOKE access and authorities to data stored in the database tables of IAS. Currently, IAS encrypts client data ONLY if it is stored in the database tables of IAS, so any client data files uploaded to IAS for loading should be removed once the data has been loaded into the database.

Some parts of client data stored in the database tables can get captured in the logs and diagnostic files of IAS to aid in troubleshooting. You should carefully manage these files outside of IAS.

Storage in backup

Backup of client data is achieved by backup of the database tables. By default, the database table data kept in the backup is encrypted. But it is still recommended that you carefully manage the storage and distribution of these backup images outside the IAS appliance.

Data access

Who can access data in your offering?

IAS users can be granted different types of roles as required by business needs. These roles range from appliance administrator to a simple database user. Users can be given either database or platform access, or both. In addition to giving users access to databases and tables, you can also GRANT/REVOKE different types of access at table or other database object levels in order to manage the data stored in IAS. See User-defined user roles for more details on how to give a user different types of roles for accessing IAS.
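The GRANT/REVOKE and role configuration referred to here and in the "Configuration to support data security" and "Storage of client data" sections above, shown as an added Db2 SQL example that is not part of the IAS documentation. The schema CRM, the CUSTOMER table, the roles CRM_ANALYST, CRM_STEWARD and CRM_SUPPORT, and the user IDs ANALYST1 and STEWARD1 are all hypothetical; the statements use standard Db2 syntax (CREATE ROLE, GRANT ... TO ROLE, GRANT ROLE ... TO USER, column-level UPDATE grants) and the SYSCAT.TABAUTH / SYSCAT.ROLEAUTH catalog views to verify what was granted.

```sql
-- Added example (not from the IAS documentation): least-privilege access to a
-- table holding personal data, expressed with Db2 roles and GRANT/REVOKE.
-- Schema, table, role and user names are hypothetical.

CREATE TABLE CRM.CUSTOMER (
    CUSTOMER_ID  INTEGER      NOT NULL PRIMARY KEY,
    FULL_NAME    VARCHAR(200) NOT NULL,
    EMAIL        VARCHAR(254) NOT NULL,
    BIRTH_DATE   DATE,
    COUNTRY      CHAR(2)      NOT NULL,
    CONSENT_AT   TIMESTAMP
);

-- Privileges are attached to roles, never to individual user IDs, so that a
-- leaver can be removed with a single REVOKE ROLE.
CREATE ROLE CRM_ANALYST;   -- reporting: pseudonymised columns only
CREATE ROLE CRM_STEWARD;   -- data steward: full row access for rectification/erasure
CREATE ROLE CRM_SUPPORT;   -- support desk: may record consent, nothing else

-- Analysts query a view that omits the direct identifiers (name, e-mail,
-- full birth date); the base table stays invisible to them.
CREATE VIEW CRM.CUSTOMER_ANALYTICS AS
    SELECT CUSTOMER_ID, COUNTRY, YEAR(BIRTH_DATE) AS BIRTH_YEAR
    FROM CRM.CUSTOMER;

GRANT SELECT ON TABLE CRM.CUSTOMER_ANALYTICS TO ROLE CRM_ANALYST;

-- Stewards need the base table to rectify or erase a data subject's rows.
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE CRM.CUSTOMER TO ROLE CRM_STEWARD;

-- Support may only update the consent timestamp (column-level UPDATE grant).
GRANT UPDATE (CONSENT_AT) ON TABLE CRM.CUSTOMER TO ROLE CRM_SUPPORT;

-- Membership is granted per user ID (the IDs come from LDAP in IAS).
GRANT ROLE CRM_ANALYST TO USER ANALYST1;
GRANT ROLE CRM_STEWARD TO USER STEWARD1;

-- When ANALYST1 leaves the project, one statement removes all table access.
REVOKE ROLE CRM_ANALYST FROM USER ANALYST1;

-- Periodic check: who holds which privilege on the personal-data table?
SELECT GRANTEE, GRANTEETYPE, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
FROM SYSCAT.TABAUTH
WHERE TABSCHEMA = 'CRM' AND TABNAME = 'CUSTOMER';

-- ...and which users or groups are members of the CRM roles?
SELECT ROLENAME, GRANTEE, GRANTEETYPE, ADMIN
FROM SYSCAT.ROLEAUTH
WHERE ROLENAME LIKE 'CRM_%';
```

The two catalog queries at the end are the ones to run on a schedule: a grantee of type 'U' appearing directly in SYSCAT.TABAUTH, or an unexpected member in SYSCAT.ROLEAUTH, is a deviation from the role-only model above and should be reviewed.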

Data processing

Encryption in motion

IAS supports SSL-based database connections so that database client applications can interact with database tables securely. If you are storing or accessing personal data in the database tables of IAS, it is recommended that you use SSL connections. See Secure Sockets Layer (SSL) support for more details.

For non-database interactions with IAS, always use clients such as SSH/SCP for login and for file upload/download. Using the IAS web console is recommended for performing many of the administrator-related operations.

Encryption at rest

Only data kept in the database tables of IAS is encrypted in storage. The IAS database technology fully manages this encryption. For more information on how IAS manages database encryption, see Security. It is recommended that you rotate the master key periodically for better protection.

Non-database data such as data load files, database logs, system logs, and system diagnostic dumps are kept in the local filesystem and are not encrypted at rest. Hence it is recommended that the IAS appliance be kept in a secure location in your data center, preferably with multiple layers of security around physical access. Before any storage component on IAS is replaced, ensure that the data on that component is securely erased. Physical destruction of the old storage component is also preferred.

Encryption key ownership

Since encryption of data in the database tables of IAS is managed by the database, clients need to manage only the key rotation.

Data deletion

Right to erasure

Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors - without undue delay - under a set of circumstances.

Data deletion characteristics

Data stored in IAS can be deleted by using one of the following methods:
  1. Data stored in database tables can be deleted either by dropping the tables when no longer needed or by SQL statements such as DELETE or TRUNCATE.
  2. Data stored outside the database, such as data load files and query outputs, can be deleted by the administrator using filesystem utilities.
  3. Data stored in database and system logs or diagnostic dumps should be managed manually. Many of these logs are automatically deleted by IAS itself, but it is recommended that the system administrator periodically clean up old logs and dumps in the system.
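An erasure request carried out with the SQL statements named in item 1, as an added Db2 SQL example that is not part of the IAS documentation. The schema CRM, the tables CUSTOMER, ORDERS, CUSTOMER_STAGE and CUSTOMER_ARCHIVE_2016, and the subject ID 10042 are hypothetical; the example records what was found before deleting, deletes dependent rows before the subject row inside one unit of work, verifies the result, and then shows the TRUNCATE and DROP cases for whole tables.

```sql
-- Added example (not from the IAS documentation): honouring a right-to-erasure
-- request for one data subject. All table, column names and IDs are hypothetical.

-- 1. Record what will be removed, so the request handling can be evidenced.
SELECT 'CRM.CUSTOMER' AS TABLE_NAME, COUNT(*) AS ROWS_FOUND
    FROM CRM.CUSTOMER WHERE CUSTOMER_ID = 10042
UNION ALL
SELECT 'CRM.ORDERS', COUNT(*)
    FROM CRM.ORDERS WHERE CUSTOMER_ID = 10042;

-- 2. Delete dependent rows first (foreign key from ORDERS to CUSTOMER), then
--    the subject row, and commit both together so a failure leaves nothing
--    half-erased.
DELETE FROM CRM.ORDERS   WHERE CUSTOMER_ID = 10042;
DELETE FROM CRM.CUSTOMER WHERE CUSTOMER_ID = 10042;
COMMIT;

-- 3. Verify: both counts must now be zero.
SELECT
    (SELECT COUNT(*) FROM CRM.CUSTOMER WHERE CUSTOMER_ID = 10042) AS CUSTOMER_LEFT,
    (SELECT COUNT(*) FROM CRM.ORDERS   WHERE CUSTOMER_ID = 10042) AS ORDERS_LEFT
FROM SYSIBM.SYSDUMMY1;
-- TRUNCATE must be the first statement of a unit of work in Db2, so end the
-- verification query's unit of work before it.
COMMIT;

-- 4. A load staging table still holding the raw personal data: empty it as
--    soon as the load into the governed table has completed.
TRUNCATE TABLE CRM.CUSTOMER_STAGE IMMEDIATE;

-- 5. A table whose defined retention period has ended: drop it entirely.
DROP TABLE CRM.CUSTOMER_ARCHIVE_2016;
```

The DELETE removes the rows from the live tables only; as the "Storage of client data" and "Storage in backup" sections note, copies may still exist in backup images, load files, and diagnostic logs outside the database, and those have to be handled separately as part of the same request.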

Data monitoring

Customers should regularly test, assess, and evaluate the effectiveness of their technical and organizational measures to comply with GDPR. These measures should include ongoing privacy assessments, threat modeling, centralized security logging and monitoring among others.

Log monitoring

Database diagnostic logs will show information related to operations performed on the database tables by users. Other system logs can give details on logged-in users such as userid/group as well as location data such as the IP address from which the user has logged in.

Data monitoring

IAS also provides a number of monitoring interfaces in the form of table functions and event monitors. These features can be used for ad hoc monitoring of database activity. For more information, see Database monitoring.
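The table functions and event monitors mentioned here, used to watch access to a table that holds personal data, as an added Db2 SQL example that is not part of the IAS documentation. The schema CRM, the table CUSTOMER and the event monitor name CONN_EVMON are hypothetical; MON_GET_TABLE and MON_GET_CONNECTION are Db2 monitoring table functions (the column names used are taken from the Db2 11.x reference and should be checked against the release on your appliance), and -2 as the member argument means all members.

```sql
-- Added example (not from the IAS documentation): ad hoc monitoring of activity
-- on a personal-data table with Db2 monitoring table functions and a
-- connection event monitor. Object names are hypothetical.

-- How much has the personal-data table been read or changed since the
-- database was last activated? A jump in ROWS_READ outside reporting hours
-- is worth investigating.
SELECT TABSCHEMA, TABNAME, ROWS_READ, ROWS_INSERTED, ROWS_UPDATED, ROWS_DELETED
FROM TABLE(MON_GET_TABLE('CRM', 'CUSTOMER', -2)) AS T;

-- Who is connected right now, from which client address, and how many rows
-- has each connection read? NULL selects all application handles.
SELECT APPLICATION_HANDLE, SESSION_AUTH_ID, CLIENT_IPADDR, APPLICATION_NAME,
       ROWS_READ, ROWS_MODIFIED
FROM TABLE(MON_GET_CONNECTION(NULL, -2)) AS C
ORDER BY ROWS_READ DESC;

-- For a persistent record rather than a point-in-time view, an event monitor
-- writes one row per connection when it ends. WRITE TO TABLE creates tables
-- named after the logical data groups followed by the monitor name (for
-- example CONN_CONN_EVMON); check the generated names in SYSCAT.EVENTTABLES.
CREATE EVENT MONITOR CONN_EVMON FOR CONNECTIONS WRITE TO TABLE;
SET EVENT MONITOR CONN_EVMON STATE 1;

-- Which tables did the event monitor create, and where does it write?
SELECT EVMONNAME, LOGICAL_GROUP, TABSCHEMA, TABNAME
FROM SYSCAT.EVENTTABLES
WHERE EVMONNAME = 'CONN_EVMON';
```

The MON_GET_* counters reset when the database is deactivated, so they answer "what is happening now"; the event monitor tables and the external audit product mentioned next are what give a retained trail.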

You can also use external products to audit database activity, such as IBM Guardium Data Protection for Databases.

Activity monitoring

System audit and database audit logs can provide information on various activities in the IAS appliance.

Responding to data subject rights

Will your customers be able to address Data Subject requests from their customers?

Personal data stored in IAS in the form of database and table objects can be accessed, modified, and deleted upon request by using database API calls. See the IAS product documentation on various methods that can be used to access the data stored in IAS. Your business logic is responsible for maintaining the location of this data in IAS so that it can be accessed upon request.