General Data Protection Regulation (GDPR) support
The General Data Protection Regulation (GDPR) is a European Union (EU) law that governs how organizations within and outside the EU handle the personal data of EU residents. It sets a new bar globally for privacy rights, information security, and compliance. It establishes a stronger regulatory framework for the processing of individuals' personal data and affects IBM and IBM's client contracts, policies, and procedures for handling personal data. IBM believes that privacy is a fundamental right and that the GDPR is an important step in protecting and enabling the privacy rights of individuals. Key elements of the GDPR include:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for noncompliance
- Compulsory data breach notification
IBM Sterling® Order Management System provides GDPR support through a Service Definition Framework (SDF) service layer. The application provides a set of SDF services to process personal data. However, it is your responsibility to handle the personal data in your application UI according to your business needs. Also, if you want to view GDPR-related data in the application-provided UI, you need to customize the application-provided UI according to your business needs.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients follow any law or regulation.
IBM Sterling Order Management System provides SDF services to support the processing of personal data in accordance with GDPR. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr.
Roles and responsibilities
- Data Controller
- A Data Controller determines the purposes and means of processing personal data. Customers act as the Data Controller and determine the lawful basis, retention period, and scope of processing.
- Data Processor
- A Data Processor processes personal data on behalf of the controller. IBM acts solely as a Data Processor for the Sterling™ Order Management System application and is not required to register as a Data Controller with the United Kingdom Information Commissioner’s Office (ICO) for this service.
Industry classification: Software / Cloud Computing / Information Technology Services.
Standard Industrial Classification (SIC) Code: 7372 – Prepackaged Software.
Pseudonymisation
'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
As a consequence, when your customers contact a Customer Service Representative (CSR) to obtain the information held about them in the application, to request that their information be forgotten, or to stop further processing, the CSR should ask appropriate questions to ensure that the details provided by the caller match the customer records in the system. Questions can relate to address verification, the last item ordered, the date of the last order, the last 4 digits of the credit card number, and so on.
Sample use case
Adriana is from Genoa, Italy. She is a fan of Toga products and has bought things from their store. She wants to know what information Toga is storing about her.
1. She walks into a Toga store and tells a CSR that she wants this information.
2. The CSR asks her for basic details, such as first name, last name, or customer ID, to validate her in the system.
3. The application passes this information to the getPersonInfoList or getCustomerList API to find the matching customer records in the system.
4. The CSR then asks her for more details, such as phone number, email address, or the last order placed, to validate her identity. This step is important to ensure that she has the right to access the data.
5. She provides the necessary data for validation. Once the CSR has confirmed that she is the owner of the data, the CSR passes the information gathered in Step 2 to the GDPR_Get_Data service to get the appropriate personal data and dependent business data from the system.
Data subject rights
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
Customers initiate and manage these requests. Sterling Order Management System provides APIs and tools to retrieve, update, export, restrict, or delete personal data to support fulfillment of these rights.
Security and infrastructure controls
- Data transfers
- Personal data is transferred continuously through secure application integrations using encrypted REST APIs and messaging systems. All data transfers occur over TLS 1.2+ encrypted channels and are processed within IBM Cloud environments.
- Access controls
- Access is limited strictly to authorized personnel using role-based access control (RBAC), least-privilege principles, and multi-factor authentication. All access to customer data is logged and auditable.
- Data residency
- Customer data is hosted in selected IBM Cloud regions. Backups and replicas remain within the same geographic boundary unless otherwise configured.
- Operational locations
- Support personnel may operate from the United States, Canada, and India.
- Personnel training
- IBM’s data protection and information security policies cover secure handling of personal data, access control, encryption, incident response, and privacy by design principles. These policies are aligned with IBM’s Security and Privacy by Design (SPbD) framework and reviewed at least annually. All personnel handling personal data receive mandatory annual privacy and security training. For more on SPbD as applied to IBM Order Management cloud services, see: https://www.ibm.com/docs/en/order-management?topic=security-privacy-by-design-spbd.
- Incident notification
- Customers are notified within 24 hours of confirmation of any security incident affecting personal data.
- Sub-processors
- IBM does not use sub-processors for Sterling Order Management System processing. IBM’s standard policy is to retain full responsibility for all processing and ensure compliance with applicable data protection laws.
- Certifications and audit support
- IBM Cloud and Sterling Order Management System maintain recognized certifications, including ISO/IEC 27001 and SOC 2 Type II. IBM supports customer or authorized third-party audits and provides relevant compliance documentation upon request. For further information, see the following link: https://www.ibm.com/docs/en/order-management?topic=compliance-soc-1-soc-2.
- Government requests
- IBM discloses customer data only when legally required and notifies customers where permitted.
Retention periods
Personal data is retained only for the retention period configured by the customer. Upon expiration, data is permanently removed from primary storage and scheduled for removal from backups.
Backup and replica deletion
Deletion requests propagate to all backups and replicas according to defined purge schedules to ensure complete removal of personal data.
Sensitive data and tracking technologies
Sterling Order Management System is not intended to process special category or sensitive personal data (such as health or biometric data). The service does not deploy cookies, pixels, or tracking technologies on end-user devices.