The GDPR has been adopted by the European Union’s 27 member countries (“EU”). It
establishes a stronger data protection regulatory framework for the processing of personal data of
individuals, and it impacts IBM and IBM's client contracts, policies and procedures when handling personal
data.
GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
IBM Sterling® Order Management System provides GDPR support
through the SDF service layer. The application provides a set of SDF services to process personal data.
However, it is your responsibility to handle the personal data in your application UI according to
your business needs. Additionally, if you want to view GDPR-related data in application-provided UI,
you need to customize the application-provided UI according to your business needs.
Note: Clients are responsible for ensuring their own compliance with various laws and
regulations, including the European Union General Data Protection Regulation. Clients are solely
responsible for obtaining advice of competent legal counsel as to the identification and
interpretation of any relevant laws and regulations that may affect the clients’ business and any
actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client
situations and may have restricted availability. IBM does not provide legal, accounting or auditing
advice or represent or warrant that its services or products will ensure that clients follow any law
or regulation.
IBM Sterling Order Management System provides SDF services to
support the processing of personal data in accordance with GDPR. Learn more about IBM's own GDPR
readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr.
Pseudonymisation
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data
can no longer be attributed to a specific data subject without the use of additional information,
provided that such additional information is kept separately and is subject to technical and
organizational measures to ensure that the personal data are not attributed to an identified or
identifiable natural person.
As a consequence, when your customers contact a CSR to obtain the information the application holds
about them, or request that their information be forgotten or that further processing stop, the Customer Service
Representative (CSR) should ask appropriate questions to ensure that the details provided by the
caller match the customer records in the system. Questions can relate to address verification, the
last ordered item, the date when the last order was placed, the last 4 digits of the credit card, and so on.
Assumptions and limitations of GDPR implementation
- The SDF services are called for an individual, uniquely identified in the IBM Sterling Order Management System application. It can be a guest, a registered user, or a business
organization. However, the service can be called only after a thorough verification by the Customer
Service Representative (CSR) or other means of customer relationship.
- The verification and authorization protocol for an individual is not covered as part of this
feature and is based on custom implementation.
- The deletion of the requesting individual’s personal data is done by erasing personal
identification information fields in the existing data such that IBM Sterling Order Management System still retains the remaining
fields that are required for existing statistical analysis. Therefore, the deletion applies only to
sensitive fields and the data retained with IBM Sterling Order Management System would be anonymous.
- The selective deletion or restriction of the fields from personal data must be carried out only
if the requesting authorized individual does not have any business data in need that depends on the
personal data. Therefore, the deletion or restriction SDF services must be called only if the
authorized individual does not have any business data in need required for orders or opportunities.
GDPR services find business data in need based on the following criteria:
- Orders associated with the personal data, which are not complete (i.e. OrderComplete flag is not
equal to Y), continue as required business data in need.
- Opportunities associated with the personal data continue as business data in need.
- After deletion of the customer’s personal data, if the same customer needs to return one of his or
her orders, the customer’s email address and phone number are no longer available in the system to
identify his or her orders. In such a case, the customer should provide the actual order details.
However, the customer record deletion does not occur when there is at least one order in
non-complete status.
- The non-personal information captured either during customer’s registration in the system or
with customer’s order will be purged as per the Enterprise policy. This would not be impacted by the
GDPR guidelines.
- Before restricting personal data for a registered customer, it is recommended that the
manageCustomer API is executed to change the customer status to ‘Inactive’. This
ensures that new orders are not created for the customer with restricted data.
- For an unregistered customer with restricted personal data, a new order can be created by
capturing the customer information again, so no removal of the restriction is required for an
unregistered customer.
- IBM provides back-end services to support your GDPR activities. You can invoke these services
for relevant GDPR use cases through any external UI or portal for applications that are built on IBM Sterling Order Management System.
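The verification, "business data in need" and erase-only-the-identifying-fields rules from the assumptions above, worked through as an added example. This is not IBM's code and does not call the SDF services; the record layout, the field names (FirstName, EMailID, ZipCode and so on) and the sample customer are constructed for the example. The gate refuses while an order's OrderComplete flag is not Y or an opportunity is associated, and on success blanks only the personal identification fields so the statistical fields remain.

```python
"""Added example, not IBM's own code: a request gate modelled on the
assumptions above. Before erasing or restricting a customer's personal
data it (1) checks the caller's answers against the stored record,
(2) refuses while 'business data in need' exists (an order whose
OrderComplete flag is not Y, or any opportunity), and (3) blanks only
the personal identification fields, keeping the non-personal fields
used for statistics. Record layout and field names are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List

# Fields treated as personal identification information (assumed names).
PII_FIELDS = {"FirstName", "LastName", "EMailID", "DayPhone",
              "AddressLine1", "City", "ZipCode"}


@dataclass
class Order:
    order_no: str
    order_complete: str   # the OrderComplete flag: "Y" once the order is complete
    order_date: str       # ISO date, used for the "last order placed" question


@dataclass
class Customer:
    customer_id: str
    attributes: Dict[str, str]
    orders: List[Order] = field(default_factory=list)
    opportunities: List[str] = field(default_factory=list)


def business_data_in_need(customer: Customer) -> List[str]:
    """Reasons the personal data must still be retained (empty list = none)."""
    reasons = [f"order {o.order_no} not complete"
               for o in customer.orders if o.order_complete != "Y"]
    reasons += [f"opportunity {opp} associated" for opp in customer.opportunities]
    return reasons


def verify_caller(customer: Customer, answers: Dict[str, str], min_answers: int = 2) -> bool:
    """Every answer the caller gives must match the record, and at least
    min_answers questions must have been asked (e.g. ZipCode + LastOrderDate)."""
    facts = dict(customer.attributes)
    if customer.orders:
        facts["LastOrderDate"] = max(o.order_date for o in customer.orders)
    if len(answers) < min_answers:
        return False
    return all(facts.get(key) == value for key, value in answers.items())


def handle_erasure_request(customer: Customer, answers: Dict[str, str]) -> str:
    """Run the gate; on success blank the PII fields in place."""
    if not verify_caller(customer, answers):
        return "rejected: caller verification failed"
    reasons = business_data_in_need(customer)
    if reasons:
        return "deferred: " + "; ".join(reasons)
    for name in list(customer.attributes):
        if name in PII_FIELDS:
            customer.attributes[name] = ""   # erase the value, keep the record
    return "erased"


def sample_customer(order_complete: str = "Y") -> Customer:
    """Constructed sample record (not real data)."""
    return Customer(
        customer_id="C1001",
        attributes={"FirstName": "Adriana", "LastName": "Rossi",
                    "EMailID": "adriana@example.com", "City": "Genoa",
                    "ZipCode": "16121", "Country": "IT",
                    "CustomerType": "CONSUMER"},
        orders=[Order("Y100001", order_complete, "2023-11-02")],
    )


if __name__ == "__main__":
    cust = sample_customer()
    print(handle_erasure_request(cust, {"ZipCode": "16121", "LastOrderDate": "2023-11-02"}))
    print(cust.attributes)
```

The deferred path is the one to watch in practice: a request that arrives while an order is still open must be recorded and re-run once the order completes, not silently dropped, and the customer status change via manageCustomer mentioned below still has to happen before a restriction so that no new order reopens the dependency.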
Recommended guidelines
Recommended guidelines to support GDPR.
- When debug or verbose trace is enabled, the API input and output XMLs are sent to the log files.
Besides that, an API adds sufficient information to the log files so that the generated log can be
used for analysis and solving problems. The input and output of certain APIs have sensitive personal
data. Similarly, the troubleshooting content added to the log file also may have the sensitive
personal data. These log files are outside the purview of the GDPR services mentioned above.
Therefore, it is recommended that you mask such sensitive personal data during logging itself to
avoid storing sensitive information in any files.
Note: It is recommended that all the personal
data or sensitive personal data that is included in the extended fields or tables is
masked.
- As per the GDPR requirement, it is recommended that the person info data is regularly
purged.
- Any audit and access monitoring requirements that need to be maintained around customer
information should be implemented on the AFTER_CREATE_CUSTOMER, AFTER_MODIFY_CUSTOMER and
AFTER_DELETE_CUSTOMER events so that the data is stored in a secure and encrypted repository
which is compliant with the client's privacy office.
- The Sterling™ Order Management System UI framework allows reorganization of forms and panels with
access controls for individual panels. Clients wishing to enforce auditable access trails are
advised to use this framework along with HTML UI events to preserve access information in a secure
and encrypted repository which is compliant with the client's privacy office.
- Customers should not include any personal data in the customization packages.
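The first guideline above (mask sensitive personal data in API input and output XML before it reaches a debug or verbose trace log) and its note about extended fields, as an added example. This is not IBM's code: the element and attribute names are constructed to resemble attribute-style API XML and are assumptions, as is the decision to mask every attribute of an Extn element because extended fields may carry personal data the core list does not know about. Malformed or truncated payloads, which cannot be parsed, are masked by a regex fallback rather than logged in the clear.

```python
"""Added example, not IBM's own code: masking personal data in API
input/output XML before it reaches a debug/verbose trace log. Element
and attribute names are constructed and assumed, as is masking every
attribute of an <Extn> element (extended fields) by default."""

import logging
import re
import xml.etree.ElementTree as ET

# Attributes whose values are personal data wherever they appear (assumed names).
SENSITIVE_ATTRS = {"FirstName", "LastName", "EMailID", "DayPhone", "MobilePhone",
                   "AddressLine1", "AddressLine2", "ZipCode", "CreditCardNo"}
# Extended fields may hold personal data outside the core list, so mask them all
# (assumption: extended fields live on an Extn element).
MASK_ALL_ATTRS_ON = {"Extn"}
MASK = "***"

# Fallback for text that does not parse as XML: mask name="value" pairs by regex
# so a truncated or malformed payload is never written to the log in the clear.
_ATTR_RE = re.compile(r'\b(' + "|".join(sorted(SENSITIVE_ATTRS)) + r')="[^"]*"')


def mask_api_xml(xml_text: str) -> str:
    """Return a copy of the XML with sensitive attribute values replaced."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return _ATTR_RE.sub(lambda m: f'{m.group(1)}="{MASK}"', xml_text)
    for elem in root.iter():
        for name in list(elem.attrib):
            if elem.attrib[name] and (name in SENSITIVE_ATTRS or elem.tag in MASK_ALL_ATTRS_ON):
                elem.attrib[name] = MASK
    return ET.tostring(root, encoding="unicode")


def log_api_trace(logger: logging.Logger, api_name: str, direction: str, xml_text: str) -> str:
    """Mask first, then log; returns the masked text so callers can check it."""
    masked = mask_api_xml(xml_text)
    logger.debug("%s %s: %s", api_name, direction, masked)
    return masked


def get_attr(xml_text: str, tag: str, attr: str) -> str:
    """Helper: value of attr on the first element named tag (root included)."""
    root = ET.fromstring(xml_text)
    elem = root if root.tag == tag else root.find(f".//{tag}")
    return elem.attrib.get(attr, "") if elem is not None else ""


# Constructed sample payload (not a real API trace).
SAMPLE_INPUT_XML = (
    '<Order OrderNo="Y100001" EnterpriseCode="DEFAULT">'
    '<PersonInfoBillTo FirstName="Adriana" LastName="Rossi" City="Genoa" '
    'EMailID="adriana@example.com" DayPhone="0101234567"/>'
    '<PaymentMethod PaymentType="CREDIT_CARD" CreditCardNo="4111111111111111"/>'
    '<Extn ExtnLoyaltyNo="LY-778899"/>'
    '</Order>'
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(log_api_trace(logging.getLogger("api"), "createOrder", "input", SAMPLE_INPUT_XML))
```

Masking at the point of logging, rather than scrubbing log files afterwards, is what the guideline asks for: the identifiers needed for troubleshooting (OrderNo, EnterpriseCode, PaymentType) survive, while the values that would fall under a subject's erasure request never land on disk.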
Sample use case
Adriana is from Genoa, Italy. She is a fan of Toga products and has bought things from their
store. She wants to know what information Toga is storing about her. She walks into a Toga store and
tells a CSR that she wants this information.
Here are the steps that a CSR needs to follow to retrieve Adriana's data for GDPR:
- She walks into a Toga store and tells a CSR that she wants this information.
- CSR asks her for basic details such as first name, last name or customer ID, to validate her in
the system.
- The application passes this information to the APIs, getPersonInfoList or getCustomerList,
to find the matching customer records existing in the system.
- The CSR then asks her for more details such as phone number, email address, or the last order
placed to validate her identity. This step is important to ensure that she has rights to access the
data.
- She provides the necessary data for validation. Once the CSR has confirmed that she is the owner of
the data, the CSR passes the information gathered in Step 2 to the GDPR_Get_Data service to get
the appropriate personal data and dependent business data from the system.