Platform considerations for GDPR readiness

Notice

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of Instana that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described are not suitable for all client situations and may have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

GDPR

General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Read more about GDPR

Product Configuration - considerations for GDPR Readiness

The following sections describe aspects of data management within Instana and provide information on capabilities to help customers with GDPR requirements.

Data Life Cycle

Instana is designed to help IT operations teams, development teams, and DevOps teams operate more efficiently. To ensure the operation of the software that they develop, modern teams need advanced application performance monitoring and observability capabilities.

Instana deals primarily with technical data, some of which might be subject to GDPR. Instana also deals with information about users who manage the deployment. This data is described throughout this document for the awareness of customers responsible for meeting GDPR requirements. This data is persisted on local or remote file systems as configuration files or in databases. Applications that integrate with Instana might deal with other forms of personal data subject to GDPR. The mechanisms that are used to protect and manage data are also available to applications that integrate with Instana. Extra mechanisms might be required to manage and protect personal data that is collected by these applications.

To best understand Instana and its data flows, you must understand how Kubernetes and Docker work. These open source components are fundamental to Instana.

Instana includes a catalog of containerized software and services from Instana in the default Instana repository list. To view a list of all the Instana charts, see IBM/charts. For considerations about GDPR for the products in the catalog, consult the documentation for those products. Some of the applications available in the catalog are open source software. It is the customer’s responsibility to determine and implement any appropriate GDPR controls for open source software. Information on these packages is included in the catalog entry.

What types of data flow through Instana platform

Instana deals with several categories of technical data that might be considered as personal data. Categories include administrator user IDs and passwords, service user IDs and passwords, IP addresses, and Kubernetes node names. Instana also deals with information about users who manage the deployment. Integrated applications might introduce other categories of personal data unknown to Instana.

Information on how this technical data is collected or created, stored, accessed, secured, logged, and deleted is described in later sections of this document.

Personal data used for online contact with IBM

Customers can submit online comments/feedback/requests to contact IBM about Instana subjects in various ways, primarily:

  • The public Instana Slack Community
  • Public comments area on pages of Instana product documentation in the IBM Documentation

Typically, only the customer name and email address are used to enable personal replies for the subject of the contact. The use of personal data conforms to the IBM Online Privacy Statement.

Data Collection

Instana does not collect any special categories of personal data. It does create and manage technical data, such as an administrator user ID and password, service user IDs and passwords, IP addresses, and Kubernetes node names, which might be considered personal data. Instana also deals with information about users who manage the offering. All such information is only accessible by the administrator.

The Instana agent supports the specification of patterns for secrets, which means that data can be redacted agent-side from the tracing data. Data that are treated as secrets do not reach the Instana SaaS for processing and, thus, are not available for analysis in the product console or retrieval by APIs. For more information, see Secrets.

Applications that run on Instana might collect personal data.

When you assess the use of Instana running containerized applications and your need to meet the requirements of GDPR, you must consider the types of personal data that is collected by the application and aspects of how that data is managed, such as:

  • How is the data protected as it flows to and from the application? Is the data encrypted in transit?
  • How is the data stored by the application? Is the data encrypted at rest?
  • How are credentials, which are used to access the application, collected and stored?
  • How are credentials, which are used by the application to access data sources, collected and stored?
  • How is data collected by the application removed as needed?

This list is not a definitive list of the types of data that is collected by Instana. It is provided as an example for consideration. If you have any questions about the types of data, contact IBM.

Types of personal data

  • Basic Personal Information (such as name, address, phone number, email)
  • Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, static IP addresses - when linked to an individual).
  • Employment and Education Related Identifiable Information (such as job history, job role, performance review information, employment contract, professional education, resume, language proficiency, education level, professional association).
    Note: The Employment and Education Related Identifiable Information is collected only in Instana SaaS environment, not in on-premises environment.

Special categories of personal data

  • Instana was not designed to process any special categories of personal data.

Data storage

Instana persists technical data in stateful stores on local or remote file systems as configuration files or in databases. Consideration must be given to securing all data at rest. Instana supports encryption of data at rest in stateful stores.

Data access

Instana provides a number of groups and roles for controlling data access. The groups and roles enable differentiation between normal users and those with extra privileges.

Data Processing

In general, data that is used for authentication must be in a directory service or LDAP. Databases are provisioned during installation. Make sure to maintain them throughout product lifecycles.

Basic recommendations

  • Regularly back up data, according to your business needs and to the risk level.
  • Encrypt data backups.
  • When data is no longer used, delete the databases or archive them for future use.
  • As a data controller, provide means to satisfy data access requests for personal information or other compliance requests.

Further considerations

  • Make sure that control of access to databases is in place and effective.
  • Use strong credentials.
  • Protect the REST administration APIs with proper credentials.
  • Use HTTPS or equivalent secure communication protocols for all the connections.
  • Remove or change all default passwords.

Data Deletion

Article 17 of the GDPR states that data subjects have the right to request that their personal data is removed from the systems of controllers and processors, without undue delay. Implement appropriate controls and tools to satisfy this right.

Instana does not require any special method for data deletion.

Data that reflects personally identifiable information (PII) can be in all stages of the data processing pipeline. Data deletion must include all these stages. Administrators can use Instana features to remove user data.

Data monitoring

Regularly test, assess, and evaluate the effectiveness of your technical and organizational measures to comply with GDPR. These measures should include ongoing privacy assessments, threat modeling, centralized security logging, and monitoring, among others.

Capability for Restricting Use of Personal Data

Using the facilities summarized in this document, Instana enables a user to restrict usage of any technical data that is considered personal data.

Under GDPR, users have rights to access, modify, and restrict processing. Refer to other sections of this document to manage the following controls:

  • Right to access
    • Administrators can use Instana features to provide individuals access to their data.
    • Administrators can use Instana features to provide individuals information about what data Instana platform holds about the individual.
  • Right to modify
    • Administrators can use Instana features to allow an individual to modify or correct their data.
    • Administrators can use Instana features to correct an individual's data for them.
  • Right to restrict processing
    • Administrators can use Instana features to stop processing an individual's data.