Guidelines for GDPR readiness
IBM Decision Intelligence complies with General Data Protection Regulation (GDPR) requirements for processing the personal data of individuals.
This topic provides information about Decision Intelligence, its configured features, and aspects of its use.
GDPR
Why is GDPR important?
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for companies and organizations handling personal data
- Potential for significant financial penalties for noncompliance
- Compulsory data breach notification
Read more about GDPR
See the GDPR website.
Product configuration - consideration for GDPR compliance
Data handling in Decision Intelligence
- The Decision Designer stores automation projects, decision models and other decision artifacts, and user roles and permissions.
- The decision runtime database stores deployed decision service archives in the binary format. The decision service archives are compiled decision services that can be invoked, and support the client's decisions.
- With Decision Intelligence, user authentication can be managed by IBM® or delegated to clients that use Security Assertion Markup Language (SAML) federation. User permissions are handled through the IBM Cloud® authentication layer and saved per subscription.
Data privacy and security
IBM is responsible for the data privacy and security of the databases, configurations, LDAP, and log files in Decision Intelligence. IBM follows secure privacy and data protection guidelines.
General privacy and security rules
- Access control is effective and enforced properly.
- Credentials are strong.
- Default passwords are never used; passwords are specific to each subscription.
- Encryption or hashing (including salted hashing) of user passwords in LDAP is implemented.
Decision Intelligence directory service
- Access control is effective and enforced properly.
- Encryption or hashing of credential information, such as passwords, is implemented.
- Backups and restoration tests are conducted regularly.
Decision Designer and decision runtime databases
- The connection between the application and the database is secured by implementing Java™ Database Connectivity (JDBC) over Transport Layer Security (TLS) for all data sources.
- Access control is in place and effective.
- Credentials are strong.
- Encryption is implemented at the database or file-system level.
- Backups and restoration tests are conducted regularly.
Personally identifiable information (PII) in the file
Any PII or credential information that is personal or sensitive is protected by using appropriate technical and organizational measures such as encryption, confidentiality practices, and limiting access, which can include, but are not limited to logical or physical isolation of files or databases containing this data.
Security as a whole
Decision Intelligence applications run in Java on an application server within a Kubernetes environment. Security and data privacy in Decision Intelligence depend on the configuration of the underlying Java runtime and on the security features that are provided by the application server. Data privacy and security in Decision Intelligence are implemented on the Java Software Development Kit (SDK), using the security features of Java and the application server.
Decision Intelligence also uses a number of third-party Java archive (JAR) files. Decision Intelligence keeps the JAR files current when there are security patches in accordance with the product release planning and capability. When a JAR file is exposed to a new vulnerability, the Decision Intelligence product team assesses the effect and might provide intermediate fixes that are based on the IBM Product Security Incident Response Team (PSIRT) process.
Third-party middleware that is used by Decision Intelligence, such as the PostgreSQL database and Kubernetes, is updated regularly to the most recent versions and fix packs, based on the IBM PSIRT process for assessing the effects of vulnerabilities.
Data lifecycle
- IBM provisions Decision Intelligence subscriptions. This work includes the middleware installation and configuration as well as the database integration, and the Decision Intelligence product configuration to provision a tenant for the client.
- Administrative users invite contributors to the tenant.
- Information on users and roles is automatically imported into Decision Designer and decision runtime.
- Users develop decision services in Decision Designer.
- Users collaborate to build decision artifacts. Automation projects are created with the data that is natively protected.
- Decision service archives are deployed to the decision runtime for use with client applications.
- Integrators invoke decision services by passing a payload to them.
- Execution traces are stored in cloud native components for security audits and troubleshooting.
- The projects are decommissioned.
- Data is backed up and securely deleted from the disk.
Data collection
In general, data that is used for basic authentication is provided by the client's directory service or LDAP. This data is required when the client uses Decision Intelligence. Authentication information is integrated by the IBM Cloud Authentication layer when the Decision Intelligence applications are set up. Authentication information is managed outside Decision Intelligence, and any changes are synchronized with Decision Intelligence.
- The databases are maintained throughout the lifecycle of the product use of Decision Intelligence.
- Data is backed up daily based on the client's business needs and risk level.
- When Decision Intelligence is no longer used, the tenant data that is contained in these databases is securely deleted or backed up for possible future use. IBM is responsible for deleting and backing up the databases.
- As a data controller, IBM provides the means to satisfy data access requests for personal information or other compliance requests.
Decision Intelligence requires basic personal data for authentication in its applications.
- Username
- User ID (email address)
- User photo (optional)
- User role in Decision Designer and assigned permissions
User activities can be tracked during the rule authoring and governance phases.
Data storage
- Encryption at rest, with keys stored separately in a secure location with a key management tool. The encryption is done at the database or file-system level.
- Access controls to the databases.
- IBM infrastructure and security topology apply:
  - Tracking and logging of user activities
  - A security information and event management (SIEM) system to monitor the connections and security events
  - Encryption of the data backups
Data access
- Access control to the databases is in place and effective.
- Decision Intelligence provides application programming interfaces (APIs) in the representational state transfer (REST) style to access project data and runtime decision services. IBM implements certain protections, including:
  - Hypertext Transfer Protocol Secure (HTTPS) for all connections
  - Basic authentication or other authentication methods
  - Proper authorization to limit API access by role
Data processing
When decision service archives are deployed, a new endpoint for each decision service becomes available. The client invokes a service by passing a payload to obtain decisions.
- HTTPS with secure ciphers.
- Protection of the infrastructure against denial-of-service (DoS) attacks.
- Proper sanitization of the input payload.
- Careful handling of the output from Decision Intelligence, even though it has already been sanitized by Decision Intelligence.
Data deletion
Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors, without undue delay, under a set of circumstances.
IBM implements appropriate controls and tools to satisfy the right to erasure.
Decision Intelligence does not require any special method for data deletion. IBM is responsible for implementing appropriate methods for its storage media to securely delete data, which includes media "zeroization," the complete reformatting of storage media, if necessary. IBM is also responsible for deleting data. However, developers are responsible for deleting data on their computers, for example, those users who work in Decision Designer.
Data monitoring
IBM regularly tests, assesses, and evaluates the effectiveness of its technical and organizational measures to comply with GDPR. These measures include ongoing privacy assessments, threat modeling, centralized security logging, and monitoring.
Responding to data subject rights
- Basic personal data such as names, usernames, and passwords.
- Technically identifiable personal information such as Internet Protocol (IP) addresses and hostnames to which user activity can potentially be linked.
- Personal data that is stored in the text of the rules. As the rule author, the client controls the rules that they write.
- Delete data
- Correct data
- Modify data
- Extract specific data for export to another system
- Restrict the use of the data within the overall system