Considerations for GDPR Readiness

Information about features that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness.

GDPR considerations for the following offering:
  • IBM Cloud App Management

For PID(s):

UT:17HMG

  • Notice:

    This document is intended to help you in your preparations for GDPR readiness. It provides information about features of the offerings that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

    Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

    The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

1. GDPR

2. Product Configuration for GDPR Readiness

3. Data Collection

4. Data Life Cycle

6. Data Access

8. Data Deletion

9. Data Monitoring

10. Responding to Data Subject Rights

GDPR

The General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for the processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Product Configuration for GDPR Readiness

The following sections provide considerations for configuring the product to help your organization with GDPR readiness.

Data Life Cycle

The IBM Cloud App Management offering does not directly target or collect personal data. The data collected by the offering is primarily performance management metrics that measure the performance of the underlying operating system or of applications such as web servers and databases.

The IBM Cloud App Management Monitoring offering provides authentication and handling of system users.

The IBM Cloud App Management offering processes the following types of personal data:
  • Authentication credentials (such as usernames and passwords).
  • Technically identifiable personal information (such as device IDs, usage-based identifiers, or IP addresses, when linked to an individual) that is used to identify the systems or applications being monitored as part of the normal function of this product.

Personal data used for online contact with IBM

IBM Cloud App Management clients can submit online comments, feedback, or requests to contact IBM about IBM Cloud App Management subjects in a variety of ways, primarily:

  • Public comments area on pages in the Offerings community on IBM developerWorks
  • Public comments area on pages of the offerings documentation in IBM Knowledge Center
  • Public comments in the Offerings space of dWAnswers
  • Feedback forms in the Offerings community

Typically, only the client name and email address are used to enable personal replies to the contact person, and to ensure that the use of personal data conforms to the IBM Online Privacy Statement (https://www.ibm.com/privacy/us/en/).

Data Collection

Types of data collected

This is not a definitive list of the types of data collected by the offerings. It is provided as an example for consideration. If you have any questions about the types of data, please contact IBM.

Data is collected by agents that connect to popular third-party and IBM operating systems and applications to help the end user understand the performance level of those systems or applications. None of these agents target personal data; however, the following information might be present in the product as part of the monitoring process:

  • Authentication credentials (such as usernames and passwords)
  • Technically identifiable personal information (such as device IDs, usage-based identifiers, or IP addresses, when linked to an individual)

Data Protection Considerations

IBM Cloud App Management resides on the IBM Cloud Private infrastructure. Cloud Private in turn utilizes the Kubernetes container system. Documentation on both platforms should be taken into account when configuring your installation with the following types of encryption:
  • Data at Rest Encryption:

    Encrypting volumes by using dm-crypt

    Note: By default, your IBM Cloud App Management deployment does not have 'Data At Rest' encryption enabled. To meet GDPR and other secure computing standards, you should enable this encryption.
  • Data in Motion Encryption:

    Sharing SSH keys among cluster nodes

    Note: By default, your IBM Cloud App Management deployment does not have 'Data In Motion' encryption enabled. To meet GDPR and other secure computing standards, you should enable this encryption. Data in Motion encryption, via IBM Cloud Private, should be used between the distributed IBM Cloud App Management systems. Data in Motion encryption, via third-party IPsec or another VPN tunnel, should be used from your agent systems to the server. Both Data In Motion encryption methods should be used together to secure data in transit.
  • IBM Cloud Private - Kubernetes Password Protection

    Managing Kubernetes Secret passwords with the IBM® Cloud Private CLI

Data Access

IBM Cloud App Management resides on the IBM Cloud Private infrastructure. Cloud Private in turn utilizes the Kubernetes container system.

Note: It is important that you secure your computing environment properly by using industry-standard secure computing practices for access control and permissions. The same safeguards should be applied when assigning permissions and allowing access to the IBM Cloud App Management components and the underlying IBM Cloud Private infrastructure. Some files and underlying databases may contain sensitive information, and access to these files should be restricted accordingly.

Data Deletion

Right to erasure

Article 17 of the GDPR states that, under a set of circumstances, data subjects have the right to have their personal data removed from the systems of controllers and processors without undue delay.

Data Deletion Considerations

Data Monitoring

Monitoring logs are available at the following locations on the master node:
  • Authentication logs are saved to the /var/log/audit/identity-manager/audit.log file.
  • Authorization logs are saved to the /var/log/audit/identity-provider/audit.log file.

Within a container, the same monitoring log files are accessible at these locations:
  • Authentication logs are saved to the /opt/ibm/identity-mgmt/logs/audit.log file.
  • Authorization logs are saved to the /opt/ibm/identity-provider/logs/audit.log file.

Vulnerability Advisor Configuration Instructions
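A sanity check for the master-node audit logs listed above, added here as an example rather than taken from IBM documentation: it verifies that each log exists, is not readable by other local accounts, and is still being written to. It assumes GNU stat, root ownership of the logs, and a one-day freshness threshold.

```shell
#!/bin/sh
# Added example, not IBM documentation: check that the audit logs listed above
# exist, are not readable by other local accounts, and are still being written.
# Assumes GNU stat (Linux master node).
# Master-node paths from the "Data Monitoring" section above.
ICAM_AUDIT_LOGS="/var/log/audit/identity-manager/audit.log \
/var/log/audit/identity-provider/audit.log"

# check_audit_log LOG [EXPECTED_OWNER] [MAX_AGE_SECONDS]: returns 0 when every
# check passes, 1 otherwise, printing one finding per line.
check_audit_log() {
    log="$1"
    expected_owner="${2:-root}"   # assumed: audit logs are owned by root
    max_age="${3:-86400}"         # assumed: no write for a day means logging stopped
    rc=0
    if [ ! -f "$log" ]; then
        echo "MISSING      $log"
        return 1
    fi
    mode=$(stat -c %a "$log")     # octal, e.g. 640
    owner=$(stat -c %U "$log")
    age=$(( $(date +%s) - $(stat -c %Y "$log") ))
    others=${mode#"${mode%?}"}    # last octal digit: "others" permissions
    rest=${mode%?}
    group=${rest#"${rest%?}"}     # second-to-last digit: group permissions
    if [ "$owner" != "$expected_owner" ]; then
        echo "OWNER        $log owned by $owner, expected $expected_owner"; rc=1
    fi
    # Audit logs carry user identities: no access for others, at most read for group.
    if [ "$others" != "0" ] || { [ "$group" != "0" ] && [ "$group" != "4" ]; }; then
        echo "PERMISSIONS  $log has mode $mode, expected 600 or 640"; rc=1
    fi
    if [ "$age" -gt "$max_age" ]; then
        echo "STALE        $log last written ${age}s ago"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK           $log (mode $mode, owner $owner)"
    return "$rc"
}

# Check every listed log; exit status 1 if any log has a finding.
check_all_audit_logs() {
    status=0
    for f in $ICAM_AUDIT_LOGS; do
        check_audit_log "$f" || status=1
    done
    return "$status"
}

# Only touch the real master-node paths when invoked with --run.
[ "${1:-}" = "--run" ] && check_all_audit_logs
```

Run it as `sh check_audit_logs.sh --run` on the master node; a non-zero exit status means at least one log needs attention.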

Responding to Data Subject Rights

The IBM Cloud App Management offering does not directly target or collect personal data. It is your organization's responsibility to establish appropriate procedures to handle data subject rights for any personal data that might be collected by agents as part of the monitoring process or for configuring users or agents of the offering.