General data protection regulation support (GDPR)
IBM believes privacy is a fundamental right and that the GDPR is an important step in protecting and enabling the privacy rights of individuals.
The GDPR, adopted by the European Union’s 27 member countries (“EU”), sets a new bar globally for privacy rights, information security, and compliance.
The GDPR establishes a stronger data protection regulatory framework for the processing of individuals' personal data, and it impacts IBM's and IBM clients' contracts, policies and procedures when handling personal data. It introduces:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Sterling Order Management System Software provides GDPR support through the SDF service layer. The application provides a set of SDF services to process personal data. However, it is your responsibility to handle the personal data in your application UI according to your business needs. Additionally, if you want to view GDPR-related data in the application-provided UI, you need to customize the application-provided UI according to your business needs.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients follow any law or regulation.
Sterling Order Management System Software provides SDF services to support the processing of personal data in accordance with GDPR. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr.
Pseudonymisation
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
As a consequence, when your customers contact a Customer Service Representative (CSR) to obtain the information the application holds about them, to request that their information be forgotten, or to stop further processing, the CSR should ask appropriate questions to ensure that the details provided by the caller match the customer records in the system. Questions can relate to address verification, the last ordered item, the date when the last order was placed, the last 4 digits of the credit card, and so on.
Assumptions and limitations of GDPR implementation
Recommended guidelines
Recommended guidelines to support GDPR:
- If a customer uses any API that processes personal data, it is recommended that the data is encrypted before it is stored in the database. This can be done in the User Exit implementation.
- Any inbound traffic going to the IBM MQ server must be sent over https.
- When debug or verbose trace is enabled, the API input and output XMLs are sent to the log files. Besides that, an API adds sufficient information to the log files so that the generated log can be used for analysis and solving problems. The input and output of certain APIs contain sensitive personal data. Similarly, the troubleshooting content added to the log file may also contain sensitive personal data. These log files are outside the purview of the GDPR services mentioned above. Therefore, it is recommended that you mask such sensitive personal data during logging itself, to avoid storing sensitive information in any files. Note: It is recommended that all the personal data or sensitive personal data that is included in the extended fields or tables is masked.
- As per the GDPR requirement, it is recommended that the person info data is regularly purged.
- Any audit and access monitoring requirements that need to be maintained around customer information need to be implemented on the AFTER_CREATE_CUSTOMER, AFTER_MODIFY_CUSTOMER and AFTER_DELETE_CUSTOMER events, so that the data is stored in a secure and encrypted repository which is in compliance with the client's privacy office.
- The Sterling Order Management System Software UI framework allows reorganization of forms and panels with access controls for individual panels. Clients wishing to enforce auditable access trails are advised to use this framework along with HTML UI events to preserve access information in a secure and encrypted repository which is compliant with the client's privacy office.
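The masking guideline above is the one most often left to the integrator, so here is an added example (not IBM code and not part of the Sterling product) of masking personal-data attributes in an API input or output XML before the payload reaches a log file. The element and attribute names in the sample payload (Customer, CustomerContact, EmailID, DayPhone, CreditCardNo, ExtnLoyaltyEmail) are constructed to resemble order-management payloads; replace the attribute sets with the ones your APIs and extended fields actually carry.

```python
"""Mask personal data in API XML before it is written to a log file.

Added example, not IBM code. Attribute names below are constructed
assumptions; adapt FULL_MASK_ATTRS / PARTIAL_MASK_ATTRS / EXTN_PATTERN
to the attributes your own APIs and extended (Extn) fields carry.
"""
import logging
import re
import xml.etree.ElementTree as ET

# Attributes that always hold personal data: value fully replaced.
FULL_MASK_ATTRS = {
    "FirstName", "LastName", "EmailID", "DayPhone", "MobilePhone",
    "AddressLine1", "AddressLine2", "DateOfBirth",
}
# Attributes where only the last four digits may stay visible (card numbers).
PARTIAL_MASK_ATTRS = {"CreditCardNo"}
# Extended-field attributes whose name suggests personal data (hypothetical naming).
EXTN_PATTERN = re.compile(r"^Extn.*(Name|Phone|Email|Address|SSN|Passport)", re.IGNORECASE)

MASK = "*****"


def mask_value(name: str, value: str) -> str:
    """Return the value to log for one attribute, masked if it is personal data."""
    if name in PARTIAL_MASK_ATTRS:
        digits = re.sub(r"\D", "", value)
        return "*" * max(len(digits) - 4, 0) + digits[-4:]
    if name in FULL_MASK_ATTRS or EXTN_PATTERN.match(name):
        return MASK
    return value


def mask_xml(xml_text: str) -> str:
    """Return a copy of the XML document with personal-data attributes masked.

    The original document is not changed; only the logged copy is masked, so
    the API itself still receives the real values.
    """
    root = ET.fromstring(xml_text)
    for elem in root.iter():            # walks the root and every descendant
        for attr, value in list(elem.attrib.items()):
            elem.set(attr, mask_value(attr, value))
    return ET.tostring(root, encoding="unicode")


def masked_attributes(xml_text: str) -> dict:
    """Map 'Tag.Attribute' -> masked value; convenient for checks and tests."""
    root = ET.fromstring(mask_xml(xml_text))
    return {f"{e.tag}.{a}": v for e in root.iter() for a, v in e.attrib.items()}


def log_api_payload(logger: logging.Logger, api_name: str, direction: str, xml_text: str) -> str:
    """Log an API payload (input or output) with personal data masked; returns the masked text."""
    masked = mask_xml(xml_text)
    logger.debug("%s %s: %s", api_name, direction, masked)
    return masked


# Constructed sample payload; the values are fictitious.
SAMPLE_INPUT = (
    '<Customer CustomerID="C1001" CustomerType="02">'
    '<CustomerContactList>'
    '<CustomerContact FirstName="Adriana" LastName="Rossi" '
    'EmailID="adriana@example.com" DayPhone="+39 010 555 0100"/>'
    '</CustomerContactList>'
    '<Extn ExtnLoyaltyEmail="adriana@example.com" ExtnTier="GOLD"/>'
    '<PaymentMethod CreditCardNo="4111111111111234"/>'
    '</Customer>'
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_api_payload(logging.getLogger("api"), "manageCustomer", "input", SAMPLE_INPUT)
```

The masking happens on a copy of the parsed document, so the API still receives the unmasked payload; only what is written to the trace changes. Card numbers keep their last four digits because that is what a CSR needs for the identity questions described earlier, while names, contact details and any extended attribute whose name looks personal are removed entirely.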
Sample use case
Adriana is from Genoa, Italy. She is a fan of Toga products and has bought things from their store. She wants to know what information Toga is storing about her.
- She walks into a Toga store and tells a CSR that she wants this information.
- CSR asks her for basic details such as first name, last name or customer ID, to validate her in the system.
- The application passes this information to the getPersonInfoList or getCustomerList API to find the matching customer records existing in the system.
- The CSR then asks her for more details such as phone number, email address, or the last order placed to validate her identity. This step is important to ensure that she has the right to access the data.
- She provides the necessary data for validation. Once the CSR has confirmed that she is the owner of the data, the CSR passes the information gathered in Step 2 to the GDPR_Get_Data service to get the appropriate personal data and dependent business data from the system.
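The identity check in the middle of this use case is what stops GDPR_Get_Data from releasing one customer's data to another caller with the same name, so here is an added example (not IBM code) of that decision. `CANDIDATES` stands in for the records getPersonInfoList or getCustomerList would return for the first name, last name or customer ID given in Step 2; the record field names and the `MIN_FACTORS` threshold are constructed assumptions. The function returns the single CustomerID the CSR may pass on, or nothing when the details do not match, match more than one record, or are too few to be convincing.

```python
"""Decide whether a caller has proven ownership of a customer record.

Added example, not IBM code. Record field names (EmailID, DayPhone,
LastOrderedItem, LastOrderDate, CardLast4) and MIN_FACTORS are assumptions.
"""
import re
from typing import Callable, Dict, List, Optional

# Number of independent details that must match before data is released.
MIN_FACTORS = 2


def _norm_phone(value: Optional[str]) -> str:
    # Compare digits only, so "+39 (010) 555-0100" equals "+39 010 555 0100".
    return re.sub(r"\D", "", value or "")


def _norm_email(value: Optional[str]) -> str:
    return (value or "").strip().lower()


def _norm_text(value: Optional[str]) -> str:
    # Collapse whitespace and ignore case for free-text answers.
    return " ".join((value or "").split()).lower()


def _norm_last4(value: Optional[str]) -> str:
    # Accepts either the stored last four digits or a full number typed by mistake.
    return re.sub(r"\D", "", value or "")[-4:]


# Details a CSR may ask for, each paired with the normaliser applied to both sides.
VERIFIERS: Dict[str, Callable[[Optional[str]], str]] = {
    "DayPhone": _norm_phone,
    "EmailID": _norm_email,
    "LastOrderedItem": _norm_text,
    "LastOrderDate": _norm_text,
    "CardLast4": _norm_last4,
}


def verify_caller(candidates: List[dict], provided: Dict[str, str]) -> Optional[str]:
    """Return the CustomerID whose data may be released, or None.

    A record qualifies only if every detail the caller provided matches it;
    at least MIN_FACTORS details must have been checked; and exactly one
    record must qualify (an ambiguous match is refused, not guessed).
    """
    checked = {k: v for k, v in provided.items() if k in VERIFIERS and v}
    if len(checked) < MIN_FACTORS:
        return None
    matches = [
        rec["CustomerID"]
        for rec in candidates
        if all(VERIFIERS[k](rec.get(k)) == VERIFIERS[k](v) for k, v in checked.items())
    ]
    return matches[0] if len(matches) == 1 else None


# Constructed records: two customers with the same name, as getCustomerList might return.
CANDIDATES = [
    {"CustomerID": "C1001", "FirstName": "Adriana", "LastName": "Rossi",
     "EmailID": "adriana@example.com", "DayPhone": "+39 010 555 0100",
     "LastOrderedItem": "Toga Classic", "LastOrderDate": "2024-03-02", "CardLast4": "1234"},
    {"CustomerID": "C1002", "FirstName": "Adriana", "LastName": "Rossi",
     "EmailID": "a.rossi@example.net", "DayPhone": "+39 010 555 0199",
     "LastOrderedItem": "Toga Sandal", "LastOrderDate": "2023-11-15", "CardLast4": "9876"},
]

if __name__ == "__main__":
    answers = {"EmailID": "Adriana@Example.com", "DayPhone": "+39 (010) 555-0100"}
    print(verify_caller(CANDIDATES, answers))  # C1001
```

Only the returned CustomerID goes to GDPR_Get_Data; the answers themselves are compared after normalisation and never logged. Raising `MIN_FACTORS`, or weighting strong details such as the card's last four digits above weak ones such as an order date, is a policy choice for the client's privacy office rather than something the code should decide on its own.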