IBM Support

GDPR updates for Resilient V30.4 (September 2018)

How To


Steps

The European Union (EU) General Data Protection Regulation (GDPR) enforcement date is 25 May 2018, and IBM Resilient has updated its Privacy Module to comply with the personal data breach notification requirements under the GDPR. Non-compliant organizations might face heavy fines.

The list of GDPR-compliant regulators depends on the version of Resilient installed, as shown in the following table:

| Date | Resilient version | GDPR-compliant regulators |
|---|---|---|
| April 2018 | V30.0 | Not supported |
| May 2018 | V29.5 and V30.1 | Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom |
| June 2018 | V30.2 | As for V30.1, and Iceland, Liechtenstein, Norway |
| August 2018 | V30.3 | As for V30.2 |
| September 2018 | V30.4 | As for V30.3, and Gibraltar, Guernsey, Isle of Man, Jersey |

The following GDPR updates are provided in Resilient V30.4:

  • Four new European regulators have been added: Gibraltar, Guernsey, Isle of Man, and Jersey.
  • The GDPR Breach Risk Assessment has been renamed to Europe Breach Risk Assessment.
  • The associated condition has been updated to replace the individual regulator values with a single new generic value. The new value applies to all regulators that are defined as Breach Risk Assessment Regulators. Therefore, if the list of Breach Risk Assessment Regulators is changed, the condition automatically triggers the risk assessment accordingly.

Customers can implement the latest Resilient GDPR functionality as follows:

  • For new installations of Resilient V30.4, the latest GDPR functionality is automatically provided.
  • To apply the latest GDPR functionality to existing Resilient installations, you must manually update the New Incident Wizard layout and the incident Breach tab layout. If you already updated your layouts to apply the GDPR functionality in a previous version of Resilient, you must make additional minor modifications. See the instructions in the next section for details.

Updates for existing customers

As an existing customer, your layouts remain unchanged during installation to retain any customizations. GDPR regulatory updates are not available to existing customers unless you update the incident Breach tab layout and the New Incident Wizard layout to match the GDPR changes made by IBM Resilient, as described in the instructions below.

Note: These instructions guide you through changing some field names, tooltip strings, and layouts to incorporate terminology from the GDPR legislation. It is not a requirement to make these terminology changes, and you are free to configure these fields with any terminology of your choice. However, they have been designed to conform better to GDPR. Also, your current layouts might not look exactly the same as the layouts described here, depending on which version of Resilient you started with and what customizations you've made.

To use the GDPR regulatory updates in the Resilient platform, you must, at a minimum, complete the following steps:

  • Add the GDPR step to the New Incident Wizard.
  • Add the GDPR Breach Risk Assessment widget to the incident Breach tab.

Update the New Incident Wizard

If you do not want to retain any customizations in the New Incident Wizard, you can apply the latest updates as follows:

  1. In the system menu, click Customization Settings.
  2. Click Layouts > New Incident Wizard to open the New Wizard page.
  3. Click Restore to default.

If you want to retain customizations in the New Incident Wizard, apply the latest updates manually as follows:

  1. In the system menu, click Customization Settings.
  2. Click Layouts > New Incident Wizard to open the New Wizard page.
  3. If you have already made these changes to the Data Compromised field, skip this step.
    Otherwise, in the Fields list, find the Data Compromised field. Click the edit icon to open the Editing Field window.
    1. In the What is the label for this field field, replace the existing text with the following text:
      Was personal information or personal data involved?
    2. In the Tooltip field, replace the existing text with the following text:
      Determine whether personal information/data was foreseeably involved, disclosed, compromised, accessed, altered, destroyed, damaged, lost or inaccessible.
    3. Click Save.
  4. If you have already made these changes to the Harm Foreseeable field, skip this step.
    Otherwise, in the Fields list, find the Harm Foreseeable field. Click the edit icon to open the Editing Field window.
    1. In the What is the label for this field field, replace the existing text with the following text:
      Is harm/risk/misuse foreseeable?
    2. In the Tooltip field, add the following text:
      Different jurisdictions use harm, risk, misuse, ID theft, and other standards as safe harbors from notification. Interpretation of these terms has frequently been the subject of litigation.
    3. Click Save.
  5. If you have already made these changes to the PII step, skip this step.
    Otherwise, edit the PII step as follows:
    1. Click the Step Settings icon to open the Edit Step window.
    2. In the Step Label field, replace the existing text with the text Privacy and click OK.
    3. In the Personally Identifiable Information (PII) block, click the Edit icon.
    4. In the value field, replace the existing text with the text Privacy and click OK.
  6. If you previously added the GDPR Breach Risk Assessment step, edit the values as follows:
    1. Click the Step Settings icon to open the Edit Step window.
    2. In the Step Label field, change the existing text to Europe Breach Risk Assessment.
    3. Beside the Regulators condition, click Remove to delete all existing regulators.
    4. Click Add Condition.
      From the conditions list, select Regulators.
      From the options list, select Breach Risk Assessment Regulators.
      Click OK.
    5. In the GDPR Breach Risk Assessment block, click the Edit icon to open the Edit Value window.
    6. Change the existing text to Europe Breach Risk Assessment and click OK.
  7. If you did not previously add the GDPR Breach Risk Assessment step, add the step as follows:
    1. Click Add Step.
    2. In the new step, click the Move Down icon to move the step to the end of the page.
    3. Click the Step Settings icon to open the Edit Step window.
      1. In the Step Label field, add the following text:
        Europe Breach Risk Assessment
      2. Click Add Condition.
        From the conditions list, select Was personal information or personal data involved?.
        From the options list, select Yes.
      3. Click Add Condition.
        From the conditions list, select Regulators.
        From the options list, select Breach Risk Assessment Regulators.
      4. Click OK.
    4. From the Blocks section, drag a Header block to the new Breach Risk Assessment step.
      1. In the new header block, click the Edit icon to open the Edit Value window.
      2. In the value field, add the following text:
        Europe Breach Risk Assessment
      3. Click OK.
    5. From the Views section, drag a GDPR Form view to the new Breach Risk Assessment step, and insert it under the header block.
  8. At the top of the New Wizard page, click Save to apply all of the modifications.

Update the Breach tab layout

If you do not want to retain any customizations in the Breach tab layout, you can apply the latest updates as follows:

  1. In the system menu, click Customization Settings.
  2. Click Incident Tabs > Breach to open the Incident: Breach page.
  3. Click Restore to default.

If you want to retain customizations in the Breach tab layout, apply the latest updates manually as follows:

  1. In the system menu, click Customization Settings.
  2. Click Incident Tabs > Breach to open the Incident: Breach page.
  3. If you have already made these changes to the PII section, skip this step.
    Otherwise, edit the PII section as follows:
    1. In the Personally Identifiable Information (PII) block, click the Edit icon.
    2. In the value field, replace the existing text with the text Privacy and click OK.
    3. Click Save.
  4. If you have already removed the old GDPR section, skip this step.
    Otherwise, find the old GDPR section, which contains the Risk of Harm field and the Lawful Data Processing Categories field.
    1. Click the Remove Section icon to delete the section.
    2. Click Save.
  5. If you previously added the GDPR Breach Risk Assessment section, edit the values as follows:
    1. Click the Section Settings icon to open the Edit Section window.
    2. Beside the Regulators condition, click Remove to delete all existing regulators.
    3. Click Add Condition.
      From the conditions list, select Regulators.
      From the options list, select Breach Risk Assessment Regulators.
      Click OK.
    4. In the GDPR Breach Risk Assessment block, click the Edit icon to open the Edit Value window.
    5. Change the existing text to Europe Breach Risk Assessment and click OK.
  6. If you did not previously add the GDPR Breach Risk Assessment section, add the section as follows:
    1. From the Blocks section, drag a Section block, and insert it between the HIPAA step and the Assessment step.
      1. In the new section block, click the Section Settings icon to open the Edit Section window.
      2. Click Add Condition.
        From the conditions list, select Regulators.
        From the options list, select Breach Risk Assessment Regulators.
      3. Click OK.
    2. From the Blocks section, drag a Header block to the new section.
      1. In the new header block, click the Edit icon to open the Edit Value window.
      2. In the value field, add the following text:
        Europe Breach Risk Assessment
      3. Click OK.
    3. From the Views section, drag a GDPR Widget view to the new section, and insert it under the header block.
  7. At the top of the Incident: Breach page, click Save to apply all of the modifications.

Exceptions and special situations

  • The GDPR functionality is provided in Resilient V29.5 but not in Resilient V30.0. Therefore, it is not possible to upgrade from Resilient V29.5 to Resilient V30.0. If upgrading from Resilient V29.5, you must upgrade to Resilient V30.1 or later.
  • The preliminary regulator, EU - GDPR (preliminary), introduced in Resilient V27.1, has been removed. Any incidents created with that regulator should be discarded or ignored.

Document Location

Worldwide

Document Information

Modified date:
19 April 2021

UID

ibm11160188