Platform considerations for GDPR readiness
This document is intended to help you in your preparations for General Data Protection Regulation (GDPR) readiness. It provides information about the features of the IBM Security QRadar® Suite Software that you can configure and aspects of use to consider for your organization's GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product platform can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that might affect the clients' business and any actions the clients might need to take to comply with such laws and regulations.
The products, services, and other capabilities that are described here are not suitable for all client situations and might have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products ensure that clients are in compliance with any law or regulation.
- GDPR overview
- Data lifecycle
- Data collection
- Data storage
- Data access
- Data processing
- Data deletion
- Data monitoring
- Capability for restricting use of personal data
GDPR overview
The European Union ("EU") adopted GDPR and it applies from 25 May 2018.
GDPR is important because it establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for noncompliance
- Compulsory data breach notification
For more information, see Transform your business with GDPR.
The following sections describe aspects of data management within the platform and provide information on capabilities to help clients with GDPR requirements.
Data lifecycle
The platform deals primarily with technical data, some of which might be subject to GDPR. The platform also deals with information about users who manage the deployment. This data is described throughout this document for the awareness of clients responsible for meeting GDPR requirements. This data is persisted on local or remote file systems as configuration files or in databases. Applications that integrate with the platform might deal with other forms of personal data subject to GDPR. The mechanisms that are used to protect and manage data are also available to applications that integrate with the platform. Additional mechanisms might be required to manage and protect personal data that is collected by these applications.
To best understand the platform and its data flows, you must understand how Kubernetes and Docker work. These open source components are fundamental to the platform.
The platform includes a catalog of containerized software and services from IBM in the default platform repository list. For more information, see the Cloud Pak for Security repository. For considerations regarding GDPR for the products in the catalog, consult the documentation for those products.
- What types of data flow through the platform
The platform deals with several categories of technical data that might be considered personal data, such as an administrator user ID and password, service user IDs and passwords, IP addresses, and Kubernetes node names. The platform also deals with information about users who manage the deployment. Integrated applications might introduce other categories of personal data that are unknown to the platform.
How this technical data is collected or created, stored, accessed, secured, logged, and deleted is described in later sections of this document.
- Personal data used for online contact with the platform
Clients can submit online comments, feedback, or requests to contact IBM about platform subjects in various ways, primarily:
- The public platform IBM Support and Community web pages.
- The public comments area on pages of the platform product documentation in IBM Documentation.
Typically, only the client name and email address are used, to enable personal replies on the subject of the contact, and the use of this personal data conforms to the IBM Online Privacy Statement.
Data collection
The platform does not collect any special categories of personal data. It does create and manage technical data, such as an administrator user ID and password, service user IDs and passwords, IP addresses, and Kubernetes node names, which might be considered personal data. The platform also deals with information about users who manage the offering. All such information is accessible only to the administrator.
Applications that run on the platform might collect personal data.
When you assess the use of the platform in running containerized applications and your need to meet the requirements of GDPR, you must consider the types of personal data that are collected by the application and aspects of how that data is managed, such as:
- How is the data protected as it flows to and from the application? Is the data encrypted in transit?
- How is the data stored by the application? Is the data encrypted at rest?
- How are credentials that are used to access the application collected and stored?
- How are credentials, which are used by the application to access data sources, collected and stored?
- How is data collected by the application removed as needed?
This list is not a definitive list of the types of data that are collected by the platform; it is provided as an example for consideration. If you have any questions about the types of data, contact IBM.
- Types of personal data
- Basic Personal Information (such as name, address, phone number, email)
- Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, and static IP addresses, when linked to an individual)
- Special categories of personal data: this cloud service was not designed to process any special categories of personal data.
Data storage
The platform persists technical data in stateful stores on local or remote file systems as configuration files or in databases. Consideration must be given to securing all data at rest. The platform supports encryption of data at rest in stateful stores. For more information, see Storage requirements.
Data access
The platform provides various roles for controlling data access. The roles enable differentiation between normal users and those users with extra privileges. For more information, see Installation user roles and User access, roles, and permissions.
Data processing
In general, data that is used for authentication must be held in a directory service or LDAP. Make sure that this directory data is maintained throughout the product lifecycle.
- Regularly back up data, according to your business needs and to the risk level.
- Encrypt data backups.
- When data is no longer used, delete the databases or archive them for future use.
- As a data controller, provide means to satisfy data access requests for personal information or other compliance requests.
- Make sure that control of access to databases is in place and effective.
- Use strong credentials.
- Protect the REST administration APIs with proper credentials.
- Use HTTPS or equivalent secure communication protocols for all the connections.
- Remove or change all default passwords.
For more information, see Configuring identity provider authentication, the backup documentation (../scp-core/backup-intro.html#concept_nyf_b41_ftb), and other sections of this document.
Data deletion
Article 17 of the GDPR states that data subjects have the right to request that their personal data be removed from the systems of controllers and processors, without undue delay. Implement appropriate controls and tools to satisfy this right.
Data that constitutes personally identifiable information (PII) can be present in all stages of the data processing pipeline, including backups and logs. Data deletion must cover all these stages.
For more information, see Managing accounts and users in System Administration, Managing accounts and users in a Provider account, and Managing users in a Standard account.
Data monitoring
Regularly test, assess, and evaluate the effectiveness of your technical and organizational measures for complying with GDPR. These measures include ongoing privacy assessments, threat modeling, and centralized security logging and monitoring, among others.
Capability for restricting use of personal data
Using the facilities that are summarized in this document, the platform enables users to restrict the use of any technical data that is considered personal data.
Under GDPR, data subjects have rights to access, modify, and restrict the processing of their data. Refer to other sections of this document for information about how to support the following rights:
- Right to access
- Administrators can use the platform features to provide individuals access to their data.
- Administrators can use the platform features to provide individuals information about what data the platform holds about the individual.
- Right to modify
- Administrators can use the platform features to allow an individual to modify or correct their data.
- Administrators can use the platform features to correct an individual's data for them.
- Right to restrict processing
- Administrators can use the platform features to stop processing an individual's data.