IBM BPM on Cloud and GDPR readiness

The General Data Protection Regulation (GDPR) applies not only to organizations that are located in the European Union (EU), but also to organizations outside of the EU that offer goods or services to, or monitor the behavior of, EU data subjects residing in the EU. For more information about GDPR, see IBM Security.

Learn how you can ensure that your IBM® Business Process Manager on Cloud environment is GDPR ready.

Deleting a user's personal data

In accordance with the General Data Protection Regulation (GDPR), EU data subjects have a right to be forgotten, for example, when they leave the company. To comply with this requirement, you must erase personal data that is no longer required for the reasons for which it was collected.

Personal data is stored in both the IBM BPM on Cloud user management platform and in each of the operating environments that a user has access to. For more information, see Managing IBM BPM on Cloud accounts. Account administrators can remove users and their personal data by using the User Management option in the IBM BPM on Cloud portal. REST APIs are also provided for user deletion. For more information, see and .

Developing GDPR-ready process applications

Process applications that run in your IBM BPM on Cloud environment might also need to handle personal data. When you develop a process application, consider where personal data is stored, how it is retrieved, where it is used, and how it can be deleted. You must also secure and restrict access to applications that handle sensitive data. For guidance on developing GDPR-ready process applications, see Developing GDPR-ready applications in the IBM Business Process Manager documentation.