Data collection

When assessing your use InfoSphere MDM and the requirements of GDPR, you should consider the types of personal data which in your circumstances are passing through InfoSphere MDM Collaborative Edition.

While InfoSphere MDM Collaborative Edition’s core data entity is product information, personal data can potentially also be stored. If your implementation stores personal data, such as contact information for supplier organizations, consider changing this practice as part of your GDPR preparations. The data will normally arrive through Information Integration tooling or directly through the program’s APIs. This data is then persisted in InfoSphere MDM Collaborative Edition.

InfoSphere MDM operates in an environment where other elements are required, such as IBM WebSphere Application Server and IBM Db2 or Oracle database. In doing so, information flows to and from those elements. This may include user credentials.

As this information has entered via other systems required consent is assumed to be secured by those systems or business processes associated with those. Nonetheless, you may wish to consider aspects such as:
  • Was lawful consent in the upstream systems and processes established based on the criteria described in the previous section?
  • How the data arriving into InfoSphere MDM Collaborative Edition? Are all data paths known and verified? Is the data encrypted per enterprise standards?
  • Where user credentials are exchange with other applications, the inclusion of personal data should be avoided and authentication data (userids, passwords, and API keys) are collected in InfoSphere MDM Collaborative Edition. Ensure that this information is encrypted using the facilities provided with InfoSphere MDM (which leverage WebSphere Application Server functionality to do so) or consider use of external directory such as LDAP.
  • InfoSphere MDM provides many ways for you to configure and customize the use of this solution. Thus, during development data is entered in the InfoSphere MDM solution for testing purposes. Consider what data is use in this stage; in the case of personal data, avoid the use of any real world data or, if this is done, use appropriate masking and anonymization capabilities.

Types of data collected

InfoSphere MDM Collaborative Edition is aimed at the collection and refinement of product information, but it allows for the collection of a range of data. This information is stored in Catalogs and these catalogs can be used for virtually any purposes. The use of the catalogs is determined by your needs. It is possible that one or more catalogs are focused on or include personal data. You should review the catalogs and their content for such inclusions. This should be the focus of your assessment of your GDPR readiness.

As previously described the use of this personal data may be covered under lawful use and thus not require addition handling, but this needs to be established in your review. Data minimization may be an important aspect of that review (removal of any personal data that is not covered under the lawful use provisions). Any additional attributes need to be reviewed.

For more information, see the documentation about the roles and tasks for users of InfoSphere MDM Collaborative Edition.