IBM Support

GDPR Update for Versions 29.5 and 30.1

How To


Steps

Highlights

The European Union (EU) General Data Protection Regulation (GDPR) enforcement date is May 25, 2018, and IBM Resilient has updated its Privacy Module to comply with the personal data breach notification requirements under the GDPR. Non-compliant organizations might face heavy fines.

Customers can implement the Resilient GDPR functionality as follows:

  • For new installations of Resilient V29.5 or Resilient V30.1, the GDPR functionality is automatically provided.
  • To apply the new GDPR functionality to existing Resilient installations, you must manually update the New Incident Wizard and the Breach tab for individual incidents. See instructions in the next section for details.

Updates for existing customers

As an existing customer, your layouts remain unchanged during installation to retain any customizations. This means the GDPR regulatory updates will not be available to existing customers unless you complete particular steps to update the Breach tab and the New Incident Wizard to match the GDPR changes made by IBM Resilient, as described in the instructions below.

Note: These instructions guide you through changing some field names, tooltip strings, and layouts to incorporate terminology from the GDPR legislation. It is not a requirement to make these terminology changes, and you are free to configure these fields with any terminology of your choice. However, the suggested values have been designed to conform better to GDPR. Also note that your current layouts may not look exactly the same as those described below, depending on which version of Resilient you started with and what customizations you've made.

To use the GDPR regulatory updates in the Resilient platform, you must, at a minimum, complete the following:

  • Add the GDPR step to the New Incident Wizard.
  • Add the GDPR Breach Risk Assessment widget to your Breach

Update the New Incident Wizard

Update the New Incident Wizard, as follows:

  1. Click OrgName > Customization Settings.
  2. Open Layouts > New Incident Wizard.
  3. In the Fields list, find Data Compromised and click the edit icon to open the Editing Field window. Then complete the following:
    1. In What is the label for this field, replace the existing text with the following:
      Was personal information or personal data involved?
    2. In the Tooltip field, replace the existing text with the following:
      Determine whether personal information/data was foreseeably involved, disclosed, compromised, accessed, altered, destroyed, damaged, lost or inaccessible.
    3. Click Save.
  4. In the Fields list, find Harm Foreseeable and click the edit icon to open the Editing Field window. Then complete the following:
    1. In What is the label for this field, replace the existing text with the following:
      Is harm/risk/misuse foreseeable?
    2. In the Tooltip field, add the following text:
      Different jurisdictions use harm, risk, misuse, ID theft, and other standards as safe harbors from notification. Interpretation of these terms has frequently been the subject of litigation.
    3. Click Save.
  5. Edit the PII step as follows:
    1. Click the Step Settings icon to open the Edit Step window.
    2. In the Step Label field, replace the existing text with Privacy and click OK.
    3. In the Personally Identifiable Information (PII) block, click the Edit
    4. In the value field, replace the existing text with Privacy and click OK.
    5. Click Save.
  6. Click Add Step.
  7. In the new step, click the Move Down icon to move the step to the end of the page.
  8. Click the Step Settings icon to open the Edit Step window and complete the following:
    1. In the Step Label field, add the following text:
      GDPR Breach Risk Assessment
    2. Click Add Condition, and specify the following condition:
      Was personal information or personal data involved? is equal to Yes
    3. Click Add Condition, and specify the following condition:
      Regulators has one of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
    4. Click OK.
  9. From the Blocks section, drag a Header block to the new GDPR step and complete the following:
    1. In the new header block, click the Edit icon to open the Edit Value window.
    2. In the value field, add the following text:
      GDPR Breach Risk Assessment
    3. Click OK.
  10. From the Views section, drag a GDPR Form view to the new GDPR step, and insert it under the header block.
  11. Click Save.

Update the Breach tab layout

Update the Breach tab for individual incidents as follows:

  1. Click OrgName > Customization Settings.
  2. Open the Layouts > Incident Tabs > Breach tab.
  3. Edit the PII section as follows:
    1. In the Personally Identifiable Information (PII) block, click the Edit
    2. In the value field, replace the existing text with Privacy and click OK.
    3. Click Save.
  4. Find the existing GDPR section, which contains the Risk of Harm field and the Lawful Data Processing Categories and complete the following:
    1. Click the Remove Section icon to delete the section.
    2. Click Save.
  5. From the Blocks section, drag a Section block, and insert it between the HIPAA step and the Assessment
  6. In the new section block, click the Section Settings icon to open the Edit Section window.
  7. Click Add Condition, and specify the following condition:
    Regulators has one of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
  8. Click OK.
  9. From the Blocks section, drag a Header block to the new section.
  10. In the new header block, click the Edit icon to open the Edit Value window.
  11. In the value field, add the following text:
    GDPR Breach Risk Assessment
  12. Click OK.
  13. From the Views section, drag a GDPR Widget view to the new section, and insert it under the header block.
  14. Click Save.

Exceptions and special situations

  • This new GDPR functionality is not provided in Resilient V30.0. Therefore, it is not possible to upgrade from Resilient V29.5 to Resilient V30.0. If you are planning to update to 29.5 now, you must upgrade to at least Resilient V30.1 when you're ready to move to Resilient 30.x or higher.
  • The preliminary Regulator, EU - GDPR (preliminary), which was introduced in version 27.1 of Resilient, has been removed, and any incidents created with it should be discarded or ignored.

Document Location

Worldwide

Document Information

Modified date:
19 April 2021

UID

ibm11160176