IBM eDiscovery Manager considerations for GDPR readiness

Information about IBM® eDiscovery Manager considerations for General Data Protection Regulation (GDPR) readiness.

For PID(s): 5724-V36

Notice:

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM eDiscovery Manager that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR requirements. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

  1. GDPR Overview
  2. Product Configuration for GDPR
  3. Data Life Cycle
  4. Data Collection
  5. Data Storage
  6. Data Access
  7. Data Processing
  8. Data Deletion
  9. Data Monitoring
  10. Responding to Data Subject Rights

1. GDPR Overview

GDPR stands for General Data Protection Regulation. GDPR has been adopted by the European Union and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for companies and organizations handling personal data
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification


2. Product Configuration for GDPR - Considerations for GDPR Readiness

Offering Configuration

The following sections provide considerations for configuring IBM eDiscovery Manager to help your organization with GDPR requirements.

Terminology Note:
  • In this document, the term "product" refers to IBM eDiscovery Manager (eDM).
  • The term "content" refers to information stored in the product. It generically covers the content (that is, documents or any other type of objects, such as audio, video) as well as the metadata about the content stored in the product.
Audience for this document:
  • This document is for administrators of the product who are responsible for installation, configuration, and day-to-day administration of the product.
  • For deployment guidance on underlying software prerequisites or software that comes bundled with the product, such as WebSphere® Application Server, IBM Content Navigator, IBM FileNet® Content Manager, IBM Content Manager, or Atlas eDiscovery Policy Syndication Framework, refer to the deployment guidance of the respective products.

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure, and also through unauthorized access or via theft of computer equipment or storage media.

Configuring Product for GDPR

The key considerations for deploying the Product in a GDPR environment are to configure the Product for:
  • Data Security in Transit: This is to ensure that all transfer of content into or out of the product is over a secure communication channel.
  • Data Security in Storage: This is to ensure that content is protected against unauthorized access by those who are not intended or authorized users of the product and who may try to gain access to content by directly accessing the storage component (that is, the underlying file system). Alternatively, you may use whole disk encryption technology to encrypt everything, both content and metadata.
  • Use by intended users only: This is to ensure that the Product can only be used by those who have been given access to the Product.
  • Authorized access by intended users: This is to ensure that intended users access only the data in the Product that the business requires them to access and for which they have been granted privileges in the Product. See Configuring user security.
  • Data retention: This is to ensure that artifacts are stored in the Product only as long as there is a business need or as long as required by applicable regulatory requirements.
  • Data deletion/expiry: This is to ensure that content can be deleted by authorized users or product administrators when it is no longer needed or its retention period has expired and it is not required to be held for any legal reason.

3. Data Life Cycle

GDPR requires that personal data is:
  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit, and legitimate purposes.
  • Adequate, relevant, and limited to what is necessary.
  • Accurate, and where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
  • Kept in a form which permits identification of the data subject for no longer than necessary.
Determine the purpose for obtaining, processing and/or storing the data:
  • Contractual obligation
  • Legitimate basis for processing

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
  • Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: The processing is necessary to protect someone’s life.
  • Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Explicit requirements:
  • Ensure the appropriate consent is in place - contract, service, explicit Data Subject consent
  • Understand where the data resides in the application/solution
  • Ensure the data is secured through:
    • encryption
    • access control
    • additional controls
  • Ensure the retention period of this data is clearly defined
  • Ensure the data is deleted at the end of the retention period
  • Ensure all the Data Subject rights can be fulfilled:
    • Higher standards for privacy policies and statements and for obtaining consent
    • Easier access to personal data by a data subject
    • Enhanced right to request the erasure of their personal data
    • Right to transfer personal data to another organization (portability)
    • Right to object to processing now explicitly includes profiling

Product considerations:

eDM operates on content in one or more content servers, that is, either IBM Content Manager 8 or IBM FileNet Content Manager. eDM also authenticates against the primary content server. See section Configuring security in Knowledge Center.

As a consequence, eDM does not persist any personal data. Even search results are stored in the content server.

Note: Personal data for the purposes of this document is the personal data gathered and used by the Product. It does not include any data that users of the Product may store themselves by way of storing any content (documents, etc.) which may contain personal data about themselves or anyone else. The enterprise is responsible for determining and controlling what personal data is stored or ingested in the content that users store in the Product, and through what means users ingest content into the Product or access the content in the Product. As described in section Configuring Product for GDPR, Product administrators may use capabilities of the Product to control access, retention, and expiry/deletion of the content stored or managed by the Product.

Personal data used for online contact with IBM

eDM clients can submit online comments, feedback, and requests to contact IBM about product subjects in a variety of ways, primarily in the public comments area on pages of the Product documentation in IBM Knowledge Center.

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

4. Data Collection

The product collects debug logs and audit logs for service purposes; these logs are persisted to disk as described in the Data Storage section. Considerations for managing this data are given in the following sections.

5. Data Storage

Where personal data is kept:

User account data (userID, passwords, and privileges) is kept in the user database of the primary content server, that is, either IBM Content Manager 8 or IBM FileNet Content Manager. If the primary content server uses LDAP, then the user account data is stored there.

The content on which eDM operates persists solely in the connected content server. Even search results generated by eDM are stored there.

Temporary use of personal data: Use of personal data in audit logs and debug logs

The Product uses and stores the UserID portion of the account data in audit logs and debug logs. Audit logging is optional and is used to record who accessed what document(s) in the system and when. Enterprise policy determines whether to turn on audit logging, how long to keep audit logs, and when to delete them. See section Configuring logging.

Debug logging is optional and is turned on to debug a technical problem that is preventing users or an administrator from performing some specific function of the product. Debug logs automatically roll over after a defined number of log files fill up. New debug log entries then overwrite older log entries. An administrator can delete the debug logs at any time and can also turn off debug logging at any time.

6. Data Access

Each user logging into the Product needs to have sufficient privilege to perform an operation in the product. User privileges are assigned through roles when a new user account is defined for the user in the system. See Configuring user roles.

Additional Considerations
  • Product debug logs might be read by product support personnel.
  • Consider the roles of operational and support staff. Limit their access to data so they do not have wider access than their roles require.
  • If transmitting log and trace files to IBM or other product supporters, consider sanitizing them for sensitive data prior to transmission.
  • At the operating system level, consider restricting access to the system and permissions to product log files. Consider using operating system level logging and auditing capabilities to track security events that occur on the operating system, since product logs and data can be accessed directly from the operating system.

7. Data Processing

Controlling processing of personal data

Since eDM operates solely on content stored in a content server, it is important to leverage the content server's transport security capabilities to protect data in transit between eDM and the content server. See section Configuring security.

8. Data Deletion

eDM operates on metadata generated from documents in the content server. Hence, the data deletion obligations focus on the search results, reports, and exports created by an eDM user.

9. Data Monitoring

Regarding logging, see section Data Storage. See also section Monitoring system status.

10. Responding to Data Subject Rights

This section deals with the rights of users of the product in terms of personal information, that is, account information maintained by the product for each user. For any personal information stored by users of the product by way of ingesting or storing documents containing personal information, it is the enterprise's responsibility to establish appropriate procedures to handle data subject rights for any information that enterprise users choose to store in the Product.

Note: The Product provides functionality whereby the product administrator has privileges to modify, delete, extract, or restrict access to any content stored in the Product. The product administrator can also assign privileges to other users to modify or delete content created by them or others.