IBM API Connect Considerations for GDPR Readiness

Information about features of IBM® API Connect that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness.

For PID(s): 5725-Z22 5725-Z63

Notice:

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of API Connect that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

GDPR

The General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.

Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for the processing of individuals' personal data. GDPR brings:
  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Product Configuration - considerations for GDPR Readiness

The following sections provide considerations for configuring API Connect to help your organization with GDPR readiness.

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that its integrity is maintained. This means the data must be secured against loss through system failure, and also against unauthorized access, including theft of computer equipment or storage media.

IBM API Connect stores identity data in a local database. This encompasses both clients' employee identity data and end users' identity data. Direct access to this database is not available. This data is encrypted by default in IBM API Connect Version 5.0; refer to Disk encryption for details. Identity information that is collected is protected in transit; refer to TLS profiles for details on configuring TLS profiles.

API Connect supports a variety of user registry types for authenticating users. Refer to Authenticating by using your enterprise user registry for details. When you use a local user registry, passwords are stored in encrypted form in the local API Connect database. If you want alternative password management, use a non-local user registry option to manage passwords.

Administrators that you define can view identity information. Administrators can also take backups that include identity information. It is your responsibility to protect these backups.

Gateways are a core component of an API Connect deployment. Refer to API Gateways for details about gateways. DataPower® Gateways are commonly used; refer to the DataPower Gateway Version 7.7 Documentation for details on DataPower Gateways. Refer to the DataPower Gateway deployment guidelines document for considerations for configuring DataPower Gateways to help your organization with GDPR readiness.

Configuration to support Data Privacy

For the Developer Portal, you can customize the privacy policy statement. Refer to Customizing the privacy policy statement for details.

Configuration to support Data Security

To learn about securing your solution, use the API Connect product documentation (https://www.ibm.com/support/knowledgecenter/en/SSMNED_5.0.0) and search for security.

Data Life Cycle

GDPR requires that personal data is:
  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
  • Kept in a form which permits identification of the data subject for no longer than necessary.
What is the end-to-end process that personal data goes through when using our offering?

API Connect collects and stores identity information, including first and last name and email address, for the purposes of user registration. Cloud Manager and API Manager accounts are for your employees (or designated actors). Developer Portal accounts are for the consumers of your APIs. Identity information can be collected directly from users or copied from LDAP registries. Where non-local user registries are used, only the email address is copied from the LDAP registry. Developer Portal user accounts can be deleted; refer to Deleting your Developer account for details. The identity information of Cloud Manager and API Manager user accounts can be anonymized by the users themselves.

Users of the API Manager UI can publish Products and APIs to the Developer Portal for Application Developers to access and use. Refer to Developer Portal: discover and use APIs to learn about the Developer Portal. Developer Portal accounts are for consumers of your APIs. You can define and customize a terms and conditions statement that your users must accept before they can register to use your Developer Portal. Refer to Customizing the terms and conditions statement for details.

API Connect optionally logs information related to API invocations. This capability in API Connect is known as API Analytics. Refer to API Analytics for details about API Analytics.

The API Analytics log information can optionally include unknown or unclassified information such as query headers and request and response information related to API calls; you control which APIs are defined and what data is associated with API invocations. To disable API Analytics, refer to Enabling or disabling access to analytics event data in API Connect. Logging preferences can be configured at the API level; refer to Activity Log for details.

The retention period for Analytics data is configurable; refer to Specifying the cloud settings for details. Backup capability for this information is not available.

API Connect logs collect technical information related to service use, including tracing of service execution and sequences of operation use. Other technical data related to service use includes data values that define the mechanisms used to connect to the service, for example, the IP address. This data is collected for debugging and service improvement. Service diagnostics are collected during unexpected or error situations to allow the offering team to correct the situation and hopefully prevent it from occurring in the future. There is no direct access available to these logs. These logs are managed by API Connect and roll over based on size and time criteria. The logs can be downloaded from the system; refer to Gathering postmortem information about your servers for details.

API Connect can generate audit events. An audit event is logged from each management node when there are changes to the API lifecycle or to the organization. For example, publishing a product or creating an organization would trigger this event. The audit event record contains information about the changes to the API lifecycle or organization. Refer to Audit event fields for details. The retention period for these events is the Analytics retention period.

Data Collection

Developer Portal accounts are for consumers of your APIs. You can define and customize a terms and conditions statement that your users must accept before they can register to use your Developer Portal; refer to Customizing the terms and conditions statement for details. You can customize the privacy policy statement for the Developer Portal; refer to Customizing the privacy policy statement for details.

Types of Data Collected

API Connect collects and stores identity information, including first and last name and email address, for the purposes of user registration. Cloud Manager and API Manager accounts are for your employees (or designated actors). Developer Portal accounts are for the consumers of your APIs. Identity information can be collected directly from users or copied from LDAP registries. Where non-local user registries are used, only the email address is copied from the LDAP registry. Developer Portal user accounts can be deleted; refer to Deleting your Developer account for details. The identity information of Cloud Manager and API Manager user accounts can be anonymized by the users themselves.

You can customize the privacy policy statement for the Developer Portal; refer to Customizing the privacy policy statement for details.

Data Storage

Identity data is stored in the API Connect local data store. There is no direct access available to this data store.

API Analytics uses the Elasticsearch real-time distributed search and analytics engine to store logged data. There is no direct access available to this data store.

Identity data is included in backups; refer to Creating a backup of an API Connect configuration for details on taking backups. It is your responsibility to protect and discard backups.

Data Access

Identity information can be viewed by administrators that you define.

Analytics information can be accessed in a variety of ways. Refer to Viewing and exporting analytics and API event data and Analytics in the Developer Portal for details.

Analytics information can be offloaded to third-party systems. Refer to Specifying the cloud settings for details.

Technical information related to service use is collected in logs. The logs can be downloaded from the system; refer to Gathering postmortem information about your servers for details. These logs are managed by API Connect and roll over based on size and time criteria. Downloaded logs can be provided to IBM Support for use in problem determination.

API Connect can generate audit events. Refer to Audit event fields for details. Audit events can be offloaded to third-party systems; refer to Configuring the offload of analytics event data to third-party systems for details. Administrators can view audit events as notifications; refer to Viewing information about activities for details. Audit events can be emitted as syslog messages; refer to Syslog auditing and your cloud for details.

API Connect logs collect technical information related to service use, including tracing of service execution and sequences of operation use. Other technical data related to service use includes data values that define the mechanisms used to connect to the service, for example, the IP address. This data is collected for debugging and service improvement. Service diagnostics are collected during unexpected or error situations to allow the offering team to correct the situation and hopefully prevent it from occurring in the future. There is no direct access available to these logs. The logs can be downloaded from the system; refer to Gathering postmortem information about your servers for details. These logs are managed by API Connect and roll over based on size and time criteria.

Data Processing

Data sent to API Connect or to gateways through API invocations is protected by TLS in transit. Refer to TLS profiles for details.

Data is stored in the API Connect local database on the API Connect appliances. There is no direct access available to this data. This data is encrypted by default in IBM API Connect Version 5.0; refer to Disk encryption for details.

Cloud Manager and API Manager administrators (defined by you) have read access to identity data.

Data Deletion

Right to Erasure
Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors, without undue delay, under a set of circumstances.
Data Deletion characteristics

Users can delete Developer Portal user accounts; refer to Deleting your Developer account for details. Cloud Manager and API Manager user account identity data can be anonymized by the users, which removes the user's association with the account data.

Technical information related to service use collected in logs is rolled over based on size and time criteria.

To disable API Analytics, refer to Enabling or disabling access to analytics event data in API Connect. The API Analytics data retention period is configurable; refer to Specifying the cloud settings for details. IBM Support personnel can delete API Analytics data; this capability is only available through screen sharing with your authorized personnel. Analytics information can be offloaded to other systems; refer to Specifying the cloud settings and Syslog auditing and your cloud for details. You are responsible for protecting and discarding offloaded data.

Identity information for accounts is included in system backups. You manage the deletion of system backups.

Data Monitoring

Customers should regularly test, assess, and evaluate the effectiveness of their technical and organizational measures to comply with GDPR. These measures should include ongoing privacy assessments, threat modeling, and centralized security logging and monitoring, among others.

API Connect can generate audit events. An audit event is logged from each management node when there are changes to the API lifecycle or to the organization. For example, publishing a product or creating an organization would trigger this event. The audit event record contains information about the changes to the API lifecycle or organization. Refer to Audit event fields for details. Audit events can be offloaded to a third-party system; refer to Configuring destination targets for API Connect analytics data for more information. Audit events can be emitted as syslog messages; refer to Syslog auditing and your cloud for details.

Capability for Restricting Use of Personal Data

Users of the API Manager UI can publish Products and APIs to the Developer Portal for Application Developers to access and use. Refer to Developer Portal: discover and use APIs to learn about the Developer Portal. Developer Portal accounts are for consumers of your APIs. You can define and customize a terms and conditions statement that your users must accept before they can register to use your Developer Portal; refer to Customizing the terms and conditions statement for details. You can customize the privacy policy statement for the Developer Portal; refer to Customizing the privacy policy statement for details.

Developer Portal users can modify their own account information, and delete their account.