Platform considerations for GDPR readiness
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Cloud Pak® for Watson AIOps that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described are not suitable for all client situations and may have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) and has applied since May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Read more about GDPR
Product Configuration - considerations for GDPR Readiness
The following sections describe aspects of data management within IBM Cloud Pak for Watson AIOps and provide information on capabilities to help customers with GDPR requirements.
Data Life Cycle
IBM Cloud Pak for Watson AIOps is an AIOps platform that deploys advanced, explainable AI across the ITOps toolchain so you can confidently assess, diagnose, and resolve incidents across mission-critical workloads.
IBM Cloud Pak for Watson AIOps deals primarily with technical data, some of which might be subject to GDPR. IBM Cloud Pak for Watson AIOps also deals with information about users who manage the deployment. This data is described throughout this document for the awareness of customers responsible for meeting GDPR requirements. This data is persisted on local or remote file systems as configuration files or in databases. Applications that integrate with IBM Cloud Pak for Watson AIOps might deal with other forms of personal data subject to GDPR. The mechanisms that are used to protect and manage data are also available to applications that integrate with IBM Cloud Pak for Watson AIOps. Extra mechanisms might be required to manage and protect personal data that is collected by these applications.
To best understand IBM Cloud Pak for Watson AIOps and its data flows, you must understand how Kubernetes and Docker work. These open source components are fundamental to IBM Cloud Pak for Watson AIOps.
IBM Cloud Pak for Watson AIOps includes a catalog of containerized software and services from IBM® in the default IBM Cloud Pak for Watson AIOps repository list. To view a list of all the IBM Cloud Pak for Watson AIOps charts, see IBM/charts. For considerations about GDPR for the products in the catalog, consult the documentation for those products. Some of the applications available in the catalog are open source software. It is the customer's responsibility to determine and implement any appropriate GDPR controls for open source software. Information on these packages is included in the catalog entry.
What types of data flow through IBM Cloud Pak for Watson AIOps platform
IBM Cloud Pak for Watson AIOps deals with several categories of technical data that might be considered as personal data. Categories include administrator user IDs and passwords, service user IDs and passwords, IP addresses, and Kubernetes node names. IBM Cloud Pak for Watson AIOps also deals with information about users who manage the deployment. Integrated applications might introduce other categories of personal data unknown to IBM Cloud Pak for Watson AIOps.
Information on how this technical data is collected or created, stored, accessed, secured, logged, and deleted is described in later sections of this document.
Personal data used for online contact with IBM
Customers can submit online comments/feedback/requests to contact IBM about IBM Cloud Pak for Watson AIOps subjects in various ways, primarily:
- The public IBM Cloud Pak for Watson AIOps Slack Community
- Public comments area on pages of IBM Cloud Pak for Watson AIOps product documentation in the IBM Documentation
Typically, only the customer name and email address are used to enable personal replies for the subject of the contact. The use of personal data conforms to the IBM Online Privacy Statement.
IBM Cloud Pak for Watson AIOps does not collect any special categories of personal data. It does create and manage technical data, such as an administrator user ID and password, service user IDs and passwords, IP addresses, and Kubernetes node names, which might be considered personal data. IBM Cloud Pak for Watson AIOps also deals with information about users who manage the offering. Access to all such information is restricted to administrators.
Applications that run on IBM Cloud Pak for Watson AIOps might collect personal data.
To assess your use of IBM Cloud Pak for Watson AIOps to run containerized applications against the requirements of GDPR, consider the types of personal data that each application collects and how that data is managed, for example:
- How is the data protected as it flows to and from the application? Is the data encrypted in transit?
- How is the data stored by the application? Is the data encrypted at rest?
- How are credentials, which are used to access the application, collected and stored?
- How are credentials, which are used by the application to access data sources, collected and stored?
- How is data collected by the application removed as needed?
This list is not a definitive list of the types of data collected by IBM Cloud Pak for Watson AIOps. It is provided as an example for consideration. If you have any questions about the types of data, contact IBM.
Types of personal data
- Basic Personal Information (such as name, address, phone number, email)
- Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, static IP addresses - when linked to an individual).
Special categories of personal data
- IBM Cloud Pak for Watson AIOps was not designed to process any special categories of personal data.
IBM Cloud Pak for Watson AIOps persists technical data in stateful stores on local or remote file systems as configuration files or in databases. Consideration must be given to securing all data at rest. IBM Cloud Pak for Watson AIOps supports encryption of data at rest in stateful stores. For more information, see Security considerations.
IBM Cloud Pak for Watson AIOps provides a number of groups and roles for controlling data access. The groups and roles enable differentiation between normal users and those with extra privileges. For more information, see Roles and permissions.
In general, data that is used for authentication must be held in a directory service such as LDAP. The product's databases are provisioned during installation. Maintain them throughout the product lifecycle, including the following measures:
- Regularly back up data, according to your business needs and to the risk level.
- Encrypt data backups.
- When data is no longer used, delete the databases or archive them for future use.
- As a data controller, provide means to satisfy data access requests for personal information or other compliance requests.
- Make sure that control of access to databases is in place and effective.
- Use strong credentials.
- Protect the REST administration APIs with proper credentials.
- Use HTTPS or equivalent secure communication protocols for all the connections.
- Remove or change all default passwords.
Article 17 of the GDPR states that data subjects have the right to request that their personal data is removed from the systems of controllers and processors, without undue delay. Implement appropriate controls and tools to satisfy this right.
IBM Cloud Pak for Watson AIOps does not require any special method for data deletion.
Data that reflects personally identifiable information (PII) can be present at every stage of the data processing pipeline, so data deletion must cover all of those stages. Administrators can use IBM Cloud Pak for Watson AIOps features to remove user data.
Regularly test, assess, and evaluate the effectiveness of your technical and organizational measures to comply with GDPR. These measures should include ongoing privacy assessments, threat modeling, centralized security logging, and monitoring, among others.
Capability for Restricting Use of Personal Data
Using the facilities summarized in this document, IBM Cloud Pak for Watson AIOps enables a user to restrict usage of any technical data that is considered personal data.
Under GDPR, data subjects have rights to access, modify, and restrict the processing of their personal data. Refer to other sections of this document for the controls that support the following rights:
Right to access
- Administrators can use IBM Cloud Pak for Watson AIOps features to provide individuals access to their data.
- Administrators can use IBM Cloud Pak for Watson AIOps features to provide individuals information about what data IBM Cloud Pak for Watson AIOps platform holds about the individual.
Right to modify
- Administrators can use IBM Cloud Pak for Watson AIOps features to allow an individual to modify or correct their data.
- Administrators can use IBM Cloud Pak for Watson AIOps features to correct an individual's data for them.
Right to restrict processing
- Administrators can use IBM Cloud Pak for Watson AIOps features to stop processing an individual's data.
When configuring logs from their environments to be stored or processed in IBM Cloud Pak for Watson AIOps, users are responsible for filtering out personal information or other sensitive information. For more information about filtering logs, see the following topics:
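The following is an added, standalone illustration of the log-filtering responsibility described above. It is example code written for this page, not a feature or component of IBM Cloud Pak for Watson AIOps, and it sits in front of log forwarding rather than inside the product. It masks the categories this page names as potentially personal or sensitive (credentials, user IDs, email addresses, IP addresses) before a line leaves the source environment. The field names it recognizes, the salt value, and the sample log lines are all constructed for the example; adapt the patterns to your own log formats.

```python
"""Pre-ingestion log redaction filter (added example, not product code).

Masks the categories this page lists as potentially personal or sensitive
before log lines are forwarded: credentials (passwords, tokens, API keys),
email addresses and IPv4 addresses are replaced with placeholders; user IDs
are pseudonymized with a salted hash so that lines about the same account can
still be correlated without revealing the account name. Field names, the salt
and the sample log lines below are constructed for the example.
"""
import hashlib
import re

# key=value or "key": "value" pairs whose key names a credential. Group 1 keeps
# the key and separator (so JSON stays well-formed); group 2 is the value.
SECRET_RE = re.compile(
    r'(?i)(\b[\w-]*(?:password|passwd|pwd|token|api[_-]?key|secret)"?\s*[=:]\s*"?)'
    r'([^\s,"}]+)'
)
# user / username / userid / user_id fields: value is pseudonymized, not dropped.
USER_RE = re.compile(r'(?i)(\buser(?:name|_?id)?"?\s*[=:]\s*"?)([^\s,"}]+)')
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymize(value: str, salt: str) -> str:
    """Stable, one-way token for an identifier: salted SHA-256, truncated.

    The salt must be a per-deployment secret; without it a short user ID
    could be recovered by hashing candidate names.
    """
    digest = hashlib.sha256((salt + "\x00" + value).encode("utf-8")).hexdigest()
    return "user-" + digest[:12]


def redact_line(line: str, salt: str) -> str:
    """Return `line` with credentials, user IDs, emails and IPv4s masked.

    Credentials go first so that a secret is removed even when it also looks
    like an email or IP; user IDs go before emails because a user ID is often
    an email address and should be pseudonymized rather than blanked.
    Values containing ',' or whitespace are only partially covered by the
    value pattern; tune it to your log format.
    """
    line = SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)
    line = USER_RE.sub(lambda m: m.group(1) + pseudonymize(m.group(2), salt), line)
    line = EMAIL_RE.sub("[EMAIL]", line)
    line = IPV4_RE.sub("[IP]", line)
    return line


def redact_lines(lines, salt: str):
    """Apply redact_line to every line; returns a list."""
    return [redact_line(line, salt) for line in lines]


# Constructed sample lines, not real log output.
SAMPLE_LOGS = [
    "2024-03-01T10:15:32Z INFO login ok user=alice.smith src=10.20.30.40",
    "2024-03-01T10:15:33Z WARN auth failed user=bob password=hunter2 from 192.168.1.25",
    "2024-03-01T10:15:34Z INFO contact alice.smith@example.com about node worker-03",
    '{"ts":"2024-03-01T10:15:35Z","msg":"token issued","user":"carol","api_key":"AKIAEXAMPLE123"}',
]
EXAMPLE_SALT = "replace-with-a-per-deployment-secret"  # constructed placeholder

if __name__ == "__main__":
    for redacted in redact_lines(SAMPLE_LOGS, EXAMPLE_SALT):
        print(redacted)
```

Pseudonymizing rather than deleting user IDs keeps incident correlation possible while the forwarded copy no longer carries the account name; because the token is a keyed hash, an Article 17 deletion request still has to be honoured at the source systems that hold the mapping between the real identity and the events, not only in the redacted stream.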