IBM eDiscovery Manager considerations for GDPR readiness
Information about IBM® eDiscovery Manager considerations for General Data Protection Regulation (GDPR) readiness.
For PID(s): 5724-V36
Notice:
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM eDiscovery Manager that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR requirements. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
1. GDPR Overview
GDPR stands for General Data Protection Regulation. GDPR has been adopted by the European Union and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for companies and organizations handling personal data
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Read more about GDPR:
2. Product Configuration for GDPR - Considerations for GDPR Readiness
Offering Configuration
The following sections provide considerations for configuring IBM eDiscovery Manager to help your organization with GDPR requirements.
- In this document, the term "product" refers to IBM eDiscovery Manager (eDM).
- The term "content" refers to information stored in the product. It generically covers the content (that is, documents or any other type of objects, such as audio, video) as well as the metadata about the content stored in the product.
- This document is for the product administrator who is responsible for installation, configuration, and day-to-day administration of the product.
- For deployment guidance on the underlying software prerequisites, or on software that comes bundled with the product, such as WebSphere® Application Server, IBM Content Navigator, IBM FileNet® Content Manager, IBM Content Manager, or Atlas eDiscovery Policy Syndication Framework, refer to the deployment guidance of the respective products.
Configuration to support data handling requirements
The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure, and against unauthorized access, including theft of computer equipment or storage media.
Configuring Product for GDPR
- Data Security in Transit: This is to ensure that all transfer of content into or out of the product takes place over a secure communication channel.
- Data Security in Storage: This is to ensure that content is protected against unauthorized access by those who are not intended or authorized users of the product and who may try to reach the content by accessing the storage component directly (that is, the underlying file system). Alternatively, you may use whole-disk encryption technology to encrypt everything, content and metadata alike.
- Use by intended users only: This is to ensure that the product can only be used by those who have been given access to the product.
- Authorized access by intended users: This is to ensure that intended users access only the data in the product for which the business requires them to have access and for which they have been granted privilege in the product. See Configuring user security.
- Data retention: This is to ensure that artifacts are stored in the product only as long as there is a business need or as long as required by applicable regulatory requirements.
- Data deletion/expiry: This is to ensure that content can be deleted by authorized users or product administrators when it is no longer needed or its retention period has expired, and it is not required to be held for any legal reason.
3. Data Life Cycle
GDPR requires that personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit, and legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate, and where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
- Kept in a form which permits identification of the data subject for no longer than necessary.
- Contractual obligation
- Legitimate basis for processing
What are the lawful bases for processing?
- Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: The processing is necessary to protect someone’s life.
- Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
- Ensure the appropriate consent is in place - contract, service, explicit Data Subject consent
- Understand where the data resides in the application/solution
- Ensure the data is secured through:
  - encryption
  - access control
  - additional controls
- Ensure the retention period of this data is clearly defined
- Ensure the data is deleted at the end of the retention period
- Ensure all the Data Subject rights can be fulfilled:
  - Higher standards for privacy policies and statements and for obtaining consent
  - Easier access to personal data by a data subject
  - Enhanced right to request the erasure of their personal data
  - Right to transfer personal data to another organization (portability)
  - Right to object to processing now explicitly includes profiling
Product considerations:
eDM operates on content in one or more content servers, that is, either IBM Content Manager 8 or IBM FileNet Content Manager. eDM also authenticates against the primary content server. See section Configuring security in Knowledge Center.
As a consequence, eDM does not persist content or search results itself; even search results are stored in the content server. The only personal data that eDM writes to its own storage is the user ID recorded in audit logs and debug logs, which are described in the Data Storage section.
Personal data used for online contact with IBM
eDM clients can submit online comments/feedback/requests to contact IBM about product subjects in a variety of ways, primarily in public comments area on pages of Product documentation in IBM Knowledge Center.
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.
4. Data Collection
The product collects debug logs and audit logs for service purposes, which are persisted to disk as described in the Data Storage section. Considerations for managing this data are given in the following sections.
5. Data Storage
Where personal data is kept:
User account data (user ID, passwords, and privileges) is kept in the user database of the primary content server, that is, either IBM Content Manager 8 or IBM FileNet Content Manager. If the primary content server uses LDAP, then the user account data is stored there.
The content on which eDM operates persists solely in the connected content server. Even search results generated by eDM are stored there.
Temporary use of personal data: Use of personal data in audit logs and debug logs
The product uses and stores the user ID portion of the account data in audit logs and debug logs. Audit logging is optional and is used to record who accessed which document(s) in the system and when. Enterprise policy determines whether to turn on audit logging, how long to keep audit logs, and when to delete them. See section Configuring logging.
Debug logging is optional and is turned on to debug a technical problem that is preventing users or the administrator from performing some specific function of the product. Debug logs automatically roll over after a defined number of log files fill up; new debug log entries then overwrite older log entries. The administrator can delete the debug logs at any time and can also turn off debug logging at any time. Note that rollover and deletion only remove entries from the active log files: if the log directory is backed up, or the underlying storage is not encrypted (see Data Security in Storage), those copies need to be considered as well.
6. Data Access
Each user logging in to the product needs sufficient privilege to perform an operation in the product. Privileges are assigned to users through roles when the user account is defined in the system. See Configuring user roles.
- Product debug logs might be read by product support personnel.
- Consider the roles of operational and support staff. Limit their access to data so that they do not have wider access than their roles require.
- If transmitting log and trace files to IBM or other support providers, consider sanitizing them for sensitive data (at minimum, the user IDs the logs are known to contain) prior to transmission.
- At the operating system level, consider restricting access to the system and the permissions on product log files. Consider using operating system level logging and auditing capabilities to track security events that occur on the operating system, since product logs and data can be accessed directly from the operating system.
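The sanitization step above is the one most often done by hand, and by hand it is easy to miss a field. The following script is an added example, not part of this document or of the product: it pseudonymizes user identifiers in log lines before the files are sent to support, replacing each user ID or e-mail address with a keyed token. The same identifier always maps to the same token, so support can still correlate the events of one user across the file, but cannot recover the identity without the secret, which stays with the client. The log format, the field names (user, userid, username, owner) and the sample lines are assumptions; this page only states that the user ID is written to audit and debug logs, not under which key.

```python
"""Pseudonymize user identifiers in log files before sending them to support.

Added example; the log format and field names below are assumed, not taken
from the product documentation. Adjust IDENTITY_KEYS to the real format.
"""
import hashlib
import hmac
import re
import secrets

# Field names whose values are user identifiers (assumption).
IDENTITY_KEYS = ("user", "userid", "username", "owner")

_KEY_VALUE_RE = re.compile(
    r"\b(?P<key>" + "|".join(IDENTITY_KEYS) + r")=(?P<value>\S+)", re.IGNORECASE
)
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample log lines in an assumed "key=value" layout.
SAMPLE_LOG = """\
2024-03-01 10:15:02 INFO  search   user=jsmith case=CASE-1042 hits=317
2024-03-01 10:15:09 INFO  export   user=jsmith case=CASE-1042 file=export_1042.zip
2024-03-01 10:16:44 WARN  login    user=amueller result=FAILED reason=bad_password
2024-03-01 10:17:01 DEBUG notify   contact=anna.mueller@example.com sent=true
2024-03-01 10:18:30 INFO  search   userid=JSMITH case=CASE-1043 hits=2
"""


def pseudonym(secret: bytes, value: str, prefix: str) -> str:
    """Stable keyed pseudonym: same input gives the same token, but the token
    cannot be reversed without the secret. Case is folded so that 'jsmith'
    and 'JSMITH' (the same account) correlate."""
    digest = hmac.new(secret, value.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def redact_line(line: str, secret: bytes, mapping: dict) -> str:
    """Replace identity-field values first, then any remaining e-mail address.
    Every replacement is recorded in `mapping` (kept locally, never shipped)."""

    def _sub_kv(m):
        token = pseudonym(secret, m.group("value"), "usr")
        mapping[m.group("value")] = token
        return f"{m.group('key')}={token}"

    def _sub_mail(m):
        token = pseudonym(secret, m.group(0), "mail")
        mapping[m.group(0)] = token
        return token

    line = _KEY_VALUE_RE.sub(_sub_kv, line)
    return _EMAIL_RE.sub(_sub_mail, line)


def redact_log(text: str, secret: bytes):
    """Return (redacted_text, mapping). Only redacted_text goes to support."""
    mapping: dict = {}
    out = [redact_line(line, secret, mapping) for line in text.splitlines()]
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), mapping


if __name__ == "__main__":
    # Generate the secret once per support case and store it with the mapping,
    # outside the files that are transmitted.
    case_secret = secrets.token_bytes(32)
    redacted, ids = redact_log(SAMPLE_LOG, case_secret)
    print(redacted)
    print("retained locally:", ids)
```

Run the script over each log file before packaging it for transmission, and keep the secret and the mapping with the support case record. When support asks about a token, the client resolves it locally; the mapping is never sent. Because the tokens are keyed, two files pseudonymized under different secrets cannot be correlated with each other, which is deliberate: generate a fresh secret per case.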
7. Data Processing
Controlling processing of personal data
Since eDM operates solely on content stored in a content server, it is important to use the content server's transport security capabilities to protect data in transit between eDM and the content server. See section Configuring security.
8. Data Deletion
eDM operates on metadata generated from documents in the content server. Hence, the data deletion obligations focus on the search results, reports, and exports created by an eDM user, all of which are stored in the content server. The audit logs and debug logs, which contain user IDs, are deleted or rolled over as described in the Data Storage section.
9. Data Monitoring
Regarding logging, see section Data Storage. See also section Monitoring system status.