General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) has been adopted by the European Union (EU) and the European Economic Area (EEA). It establishes stronger data protection regulatory frameworks for the processing of personal data of EU data subjects, across customers and employees. It can also affect client contracts, policies, and procedures around handling personal data. GDPR brings the following changes:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification scenarios
GDPR streamlines and strengthens the data protection guidelines for EU data subjects. With its enforcement, GDPR aims to regulate data handling and processing, which includes collection, storage, transfer, and use of personal data.
For an on-premise application that is used to process data, the licensee of the application or the data controller must implement technical and organizational measures to demonstrate compliance with the GDPR principles. A data protection impact assessment can help assess personal data collection, processing, storage, and destruction measures.
Some of the points that you might need to assess and/or act upon are:
- Privacy requirements
  - Assess your data privacy provisions, assets, and systems.
  - Identify and classify personal data assets and affected systems.
  - Implement privacy-enhancing controls, such as encryption, tokenization, and dynamic masking, where necessary.
  - Control and monitor personal data access.
- Security requirements
  - Assess your security practices, identify gaps, and upgrade security controls wherever required.
  - Implement security controls to mitigate access risks and security vulnerabilities.
Using Global Mailbox to support GDPR
Global Mailbox provides various mechanisms and monitors the personal data that you process to help support the security requirements of the GDPR standards.
When you use Global Mailbox to process personal data, you should be certain to leverage the security and privacy measures and access controls that Global Mailbox provides. For more information about the security features in Global Mailbox, see Security options.
As a Sterling B2B Integrator user or administrator, you are responsible for ensuring data confidentiality and integrity, and for preventing unauthorized access.
As an application user (end user), you should ensure that you take the following security measures:
- Follow all standard security practices, including securing your passwords and laptop.
- Do not share security credentials, such as your passwords or user keys.
As an administrator, you should ensure that you take the following precautions:
- Determine the roles for authorized users such as Application Administrators, Application users, and Mailbox Administrators.
- Grant privileges sparingly and only to the extent that is necessary for the job role.
- Ensure that the database, file system, and communication channels are secure.
- Determine the user's access to the database and application and review this access periodically.
- Revoke access when the user is not a valid authorized user anymore.
- Ensure that the external media storage (Storage Area Network (SAN) and Network Attached Storage (NAS)) is secure.
- Apply patches on database, operating system, and application to help with security standards.
- Examine the IBM security bulletins and release notes periodically and take necessary actions to apply the security fixes, if any.
Processing data by using Sterling B2B Integrator
Processing of data by using Global Mailbox involves collection, storage, transfer, and deletion of data.
Personal data that Global Mailbox processes are generally name, user name, password, address, contact number, email address, and in some cases, bank account number. Under GDPR, IP address, VAT ID, and any other standard ID are also considered to be personal data.
Accessing and modifying data
Accessing and modifying data includes the following points:
- Exposure of data: Personal data is exposed to users in the UI, log files, and configuration files in Global Mailbox.
- Access permissions: Global Mailbox has fine-grained permissions at the mailbox level. Ensure that mailbox permissions are set appropriately.
- Data in Global Mailbox: Uploaded files might hold personal data that can be viewed, modified, or deleted from the UI by users with the required permissions.
- Exporting data: Data can be exported in the form of Export Files. Any user who can access data can take this data outside the Global Mailbox system. Data that is taken outside of the Global Mailbox file system must be handled securely. Hence, it is of utmost importance that the Global Mailbox administrator takes due care when granting permissions to users.
Erasing data includes the following points:
- Deleting resources via UI: Personal data in a resource is deleted when the resource is deleted. You can delete the Sterling B2B Integrator resources from the respective UI menus. Refer to the respective resource documentation for more details about deleting it.
- Deleting data in log files: Upon deletion of data, Global Mailbox leaves no residual data in the database or file system. However, log files might contain traces of Trading Partner information. This information can be cleaned up from the file system.
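One way to check log files for leftover personal data after a resource is deleted, as an added example that is not part of the original page or of Global Mailbox. The log lines, the partner identifiers, and the function names are constructed for illustration; the page does not describe the product's log format.

```python
import re

# Two personal-data kinds the page names: email address and IP address (IPv4 only here).
EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
IPV4 = r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"

# Constructed sample lines; real log layouts will differ.
SAMPLE_LOG = [
    "2024-01-10 09:15:02 INFO  mailbox=/acme/inbound user=acme_ftp login from 203.0.113.7",
    "2024-01-10 09:15:09 INFO  message 4411 delivered, size=20480",
    "2024-01-10 09:16:44 WARN  notify failed for ops@acme.example (partner Acme Freight)",
]

def build_pattern(identifiers):
    """One regex with a named group per kind, so each hit is classified in a single pass."""
    parts = [r"(?P<email>%s)" % EMAIL, r"(?P<ip>%s)" % IPV4]
    if identifiers:
        # Longest first, so a longer identifier wins over a shorter one it contains.
        alt = "|".join(re.escape(i) for i in sorted(identifiers, key=len, reverse=True))
        parts.append(r"(?P<identifier>(?<!\w)(?:%s)(?!\w))" % alt)
    return re.compile("|".join(parts), re.IGNORECASE)

def scrub_log(lines, identifiers):
    """Return (scrubbed_lines, findings); findings are (line_number, kind) tuples."""
    pattern = build_pattern(identifiers)
    scrubbed, findings = [], []
    for line_no, line in enumerate(lines, 1):
        def redact(match):
            findings.append((line_no, match.lastgroup))
            return "[REDACTED-%s]" % match.lastgroup.upper()
        scrubbed.append(pattern.sub(redact, line))
    return scrubbed, findings

if __name__ == "__main__":
    cleaned, hits = scrub_log(SAMPLE_LOG, ["acme_ftp", "Acme Freight"])
    print("\n".join(cleaned))
    print(hits)
```

An empty findings list for the deleted partner's identifiers is the evidence that the log cleanup is complete; lines with no personal data pass through unchanged.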
Data security should encompass the following points:
- System information security: The master passphrase, which is created during Sterling B2B Integrator installation and is enabled by default, is used to encrypt sensitive properties that are stored in the Global Mailbox database. For more information about the system passphrase, see Changing the master passphrase.
- Communication security: Protected communications for sharing of personal data between the components of the system are of great importance and must be taken into account while planning your implementation of Sterling B2B Integrator. For more information, see Securing communications.
- Database security: Sterling B2B Integrator uses Apache Cassandra as a repository for transactional, reference, and history data that it generates and uses. The system owner or root user controls the access permissions to the database. By default, there is no authentication to access Cassandra. To enable authentication, see Enabling authentication.
- Encrypting stored data: Payload data in storage, in the file system, is not encrypted by default. Encryption, if desired, must be enabled before the system is put into service. For information about how to encrypt storage buckets, see Provisioning storage.
- Replicating stored data: Payload data is replicated between data centers using the FASP protocol. This connection is encrypted by default.
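The Cassandra default described under Database security can be checked in configuration, as an added example that is not IBM's code. It assumes the stock Apache Cassandra setting names in cassandra.yaml (authenticator, authorizer, client_encryption_options); both sample files are constructed, and the product's own procedure is the one in Enabling authentication.

```python
# Added example: audit cassandra.yaml text for access-control defaults.
# Setting names are stock Apache Cassandra; both sample files are constructed.
DEFAULT_YAML = """\
cluster_name: 'Sample Cluster'
authenticator: AllowAllAuthenticator   # anyone who can connect is accepted
authorizer: AllowAllAuthorizer
client_encryption_options:
    enabled: false
"""

HARDENED_YAML = """\
cluster_name: 'Sample Cluster'
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
client_encryption_options:
    enabled: true
"""

def parse_settings(text):
    """Read top-level scalars and one level of nested keys (all this audit needs)."""
    settings, parent = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if ":" not in line:
            continue
        key, value = (part.strip().strip("'\"") for part in line.split(":", 1))
        if line[0] in " \t":                       # indented: child of the last map key
            if parent:
                settings[parent + "." + key] = value
        else:
            parent = None if value else key        # a bare "key:" opens a nested map
            if value:
                settings[key] = value
    return settings

def audit(text):
    """Return the settings that still allow unauthenticated or cleartext client access."""
    s = parse_settings(text)
    # A missing key means the permissive default; class names may be fully qualified.
    short = lambda name, default: s.get(name, default).rsplit(".", 1)[-1]
    weak = []
    if short("authenticator", "AllowAllAuthenticator") == "AllowAllAuthenticator":
        weak.append("authenticator")
    if short("authorizer", "AllowAllAuthorizer") == "AllowAllAuthorizer":
        weak.append("authorizer")
    if s.get("client_encryption_options.enabled", "false").lower() != "true":
        weak.append("client_encryption_options.enabled")
    return weak
```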
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: GDPR at IBM.