Watson Explorer considerations for GDPR readiness

Notice

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Watson® Explorer that you can configure, and aspects of the product use, that you should consider to help your organization with GDPR requirements. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

1. GDPR Overview
2. Product Configuration - considerations for GDPR Readiness
3. Data Life Cycle
4. Data Storage
5. Data Access
6. Data Processing
7. Data Deletion
8. Data Monitoring
9. Responding to Data Subject Rights

GDPR Overview

GDPR

GDPR stands for General Data Protection Regulation.

GDPR has been adopted by the European Union and will apply from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

• New and enhanced rights for individuals
• Widened definition of personal data
• New obligations for companies and organisations handling personal data
• Potential for significant financial penalties for non-compliance
• Compulsory data breach notification

Read more about GDPR

• EU GDPR Information Portal
• ibm.com®/GDPR website

Product Configuration - considerations for GDPR Readiness

Offering Configuration

The following sections provide considerations for configuring IBM Watson Explorer to help your organization with GDPR requirements.

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data be secured against loss through system failure and also through unauthorized access or via theft of computer equipment or storage media.

It is recommended that customers have an overall high level understanding of IBM Watson Explorer high availability. Further details can be found here.

Foundational Components

High Availability and Scalability Through Distributed Indices

Analytical Components

Supported system configurations

Configuration to support Data Security

To protect data, Watson™ Explorer should be deployed in a secured environment, such as the environment protected by firewall. Moreover, you can configure multiple layers of security in IBM Watson Explorer to protect sources from unauthorized searching and restrict administrative functions to specific users. Further details can be found here.

oneWEX

Security

Foundational Components

Tutorial: Applying Access Controls to Search Results

Analytical Components

Security in IBM® Watson Explorer Content Analytics

Data Life Cycle

Watson Explorer does not decide what data is sensitive and what is not sensitive. The data to be stored in IBM Watson Explorer may or may not include personal data, which is fully depend on the customers purpose. In addition, customer have total control of how their data being handled, used or stored in Watson Explorer.

Watson Explorer handles and stores the following data.

• User ID and password
• Data for search and content analytics
• Logs

By the default, this data is saved in the directories of the server where IBM Watson Explorer is installed.

User ID and password

oneWEX

For installation, a pre-defined user ID and its password is used. This user ID is used to start Watson Explorer services. In addition, the user uses the ID and the password to sign in to the applications. The password is encrypted. After the installation, user can delete the pre-defined user ID or change the pre-defined password.

• Security

Foundational Components

For installation, a pre-defined user ID and its password is used. This user ID is used to start Watson Explorer services. In addition, the user uses the ID and the password to sign in to the applications. The password is encrypted. After the installation, user can delete the pre-defined user ID or change the pre-defined password.

• Accessing Watson Explorer Engine
• Configuring Application Builder after Installation

Analytical Components

The user specifies a user ID and its password during the installation. This user ID is used to start Watson Explorer services and to sign in the applications. The password is encrypted. After the installation, an external authentication mechanism such as LDAP can be used instead of the user ID specified during the installation.

• Security in IBM® Watson Explorer Content Analytics

Data for search and content analytics

The user ingests data to Watson Explorer and text indexes is created for search and content analytics. Personal data is not included as long as a user does not ingest any personal data.

oneWEX

The ingested data is managed as a dataset. the user ingests his own data to the dataset. Moreover, the user creates a collection from the dataset and the data is converted and stored into various text indexes. The user queries and retrieves information from the collection. When the user deletes the collection, the indexes are deleted. When the user deletes the dataset, the ingested data is deleted.

Foundational Components

The ingested data is managed as a collection. First, the user creates a collection and empty text indexes are created. Then the user ingests his own data into the collection. The data is converted and stored into various text indexes. The user queries and retrieves information from the collection. When the user deletes the collection, the indexes and the ingested data are deleted.

Analytical Components

The ingested data is managed as a collection. First, the user create a collection and empty text indexes are created. Then, the user ingests his own data to the collection. The data is converted and stored into various text indexes. The user queries and retrieves information from the collection. When the user deletes the collection, the indexes and the ingested data are deleted.

Logs

Logs record the events that occur in Watson Explorer. Further details can be found here.

oneWEX

System

Foundational Components

Reports

Analytical Components

Log files and alerts

Personal data used for online contact with IBM

Watson Explorer clients can submit online comments/feedback/requests to contact IBM about Watson Explorer subjects in a variety of ways, primarily:

• Public comments area on pages in the IBM Watson Explorer community on IBM developerWorks®
• Public comments area on pages of IBM Watson Explorer documentation in IBM Knowledge Center
• Public comments in the IBM Watson Explorer space of dWAnswers
• Feedback forms in the IBM Watson Explorer community

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

Data Storage

Protection

Data is under access control which restricts access to authorized users. User roles for this purpose are configured in the Watson Explorer administration console. Also, user activities including log-on/log-off and creating/updating/deleting the configuration of each data collection are written to logs.

Data Access

Who can access data in Watson Explorer?

Watson Explorer provides two roles, administrator and user. The system administrator has access to the configuration of each data collection. Other users have access to the results of search/analytics process via the user interface. Both of these roles are configured in the Watson Explorer administration console. APIs provide the result of search/analytics process. Both the system administrator and registered users have an access to the results. No shared spaces are used for data sharing. Information on user activities including log-on/log-off and creating/updating/deleting the configuration of each data collection is written to logs. Only the administrator has access to the logs, and the access is controlled by the configuration in the administration console. Refer to the following documentation as for access control.

All activities of users of these two roles are recorded in the logs to track them.

oneWEX

Security

Foundational Components

Managing Users

Analytical Components

Configuring administrative roles

Data Processing

Where is the data going and who has logical & physical access?

The data is stored in the Watson Explorer installation environment. The administrator of the operating system of the installation environment has both logical and physical access to the data. Moreover, since Watson Explorer is on-premise, this depends on each customer use case. Typically a physical storage is hard disks of a server/workstation on which the operating system and Watson Explorer are running.

How can the client encrypt the data at rest?

Watson Explorer encrypts only passwords in the configuration files. Customer cannot encrypt data inside the product using his personal keys.

How can the client encrypt the data in motion?

A customer can configure the installation to make data exchange secure via https connection.

Data Deletion

Right to Erasure

Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors - without undue delay - under a set of circumstances.

Data Deletion characteristics

If a user ingests his personal data, he can delete the collection or the dataset.

Data Monitoring

How can the client monitor the processing of data?

Watson Explorer supports the monitoring from several aspects.

1. Include successful and unsuccessful logon events, privileged activities and security events.
2. A security event should be logged and investigated if a potential attempted or successful breach of access controls is detected.
3. Ensure logs contain sufficient information about the event. For example, include the type of event, when the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject/device associated with the event.
4. Retain logs on the system for at least 90 days.
5. Protect logs against unauthorized access.

For items 1, 2, 3, and 4, the documentation is provided.

oneWEX

System

Foundational Components

Reports

Analytical Components

Log files and alerts

For item 5, access to log files is managed by the user control documented below.

oneWEX

Security

Foundational Components

Managing Users

Analytical Components

Configuring administrative roles

Responding to Data Subject Rights

Will your customers be able to address Data Subject requests from their customers?

Under GDPR, users have rights to access, modify and restrict processing. The IBM Watson Explorer user can extract, modify, and delete the data stored in IBM Watson Explorer using API. The following is a list of guides.

oneWEX

Watson Explorer API

Foundational Components

Watson™ Explorer Engine API Function Reference

Analytical Components

REST APIs