IBM Datacap considerations for GDPR readiness

Information about features of IBM® Datacap that you can configure, and aspects of the product's use that you can consider to help your organization with General Data Protection Regulation (GDPR) readiness.

For PID(s): 5725-C15

Notice:

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Datacap that you can configure, and aspects of the product’s use that you can consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, which include the European Union General Data Protection Regulation. Clients are solely responsible for obtaining the advice of competent legal counsel to identify and interpret any relevant laws and regulations that might affect the clients’ business. Actions to comply with such laws and regulations are necessary to pursue.

The products, services, and other capabilities that are described are not suitable for all client situations and might restrict availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products ensure that clients are in compliance with any law or regulation.

Table of contents

  1. GDPR
  2. Product Configuration for GDPR
  3. Data Life Cycle
  4. Data Collection
  5. Data Storage
  6. Data Access
  7. Data Processing
  8. Data Deletion
  9. Data Monitoring
  10. Responding to Data Subject Rights

1. GDPR

General Data Protection Regulation (GDPR) was adopted by the European Union and applies from 25 May 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Read more about GDPR:

2. Product configuration - considerations for GDPR readiness

Offering Configuration

The following sections provide considerations for configuring IBM Datacap to help your organization with GDPR readiness.

Terminology Note:
  • In this document, the term "Product" refers to IBM Datacap v9.1 and above.
  • The term "content" refers to information stored in the product. It covers both the content itself (documents, or any other type of object such as audio or video) and the metadata about that content that is stored in the product.
Audience for this document:
  • This document is for the administrator of the product who is responsible for installation, configuration, and day-to-day administration of the product.
  • For deployment guidance on the underlying software prerequisites that are bundled with the product, such as DB2 Enterprise Server Edition, WebSphere Application Server, IBM Content Navigator, and IBM System Dashboard for Enterprise Content Management, see the deployment guidance of the respective products.

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure, and against unauthorized access, including theft of computer equipment or storage media.

Configuring product for GDPR

Key considerations for deploying the product in a GDPR environment are to configure the product for:
  • Data Security in Transit: Ensure that all transfer of content into the product takes place over a secure communication channel. See Configuring transport layer security. https://www.ibm.com/support/knowledgecenter/en/SSZRWV_9.1.4/com.ibm.dc.install.doc/dcdws102.htm
  • Data Security in Storage: Ensure that the content is encrypted in storage to guard against unauthorized access to artifacts. Persons who are not intended or authorized users of the product might try to gain access to content by directly accessing the storage component (that is, the underlying database or file system). To encrypt metadata, use the native encryption capability of the underlying database (DB2, Oracle, or MSSQL). Alternatively, especially for image content and for metadata that is saved in the file system while it is processed by the Datacap server, you can use whole disk encryption technology from IBM or third parties to encrypt everything at rest, both content and metadata, transparently to applications and in particular to the Datacap server and the communication channels to and from storage.
  • Use by intended users only: Ensure that the product can be used only by persons who are given access to the product.
  • Authorized access by intended users: Ensure that intended users access only the data in the product that the business requires them to access and for which they are granted privileges in the product. See Managing user access. https://www.ibm.com/support/knowledgecenter/en/SSZRWV_9.1.4/com.ibm.dc.install.doc/dc_plan.htm
  • Data retention/deletion/expiry: Data in Datacap is transitory in nature. To ensure that artifacts are stored in the product only while there is a business need or as required by applicable regulatory requirements, you can create a Maintenance Manager ruleset to periodically purge old batches from the batches folder of the application. The ruleset can also remove the corresponding records from the Engine database of the application. https://www.ibm.com/support/knowledgecenter/en/SSZRWV_9.1.4/com.ibm.dc.develop.doc/dcdev471.htm

3. Data Life Cycle

GDPR requires that personal data is:
  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit, and legitimate purposes.
  • Adequate, relevant, and limited to what is necessary.
  • Accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
  • Kept in a form which permits identification of the data subject for no longer than necessary.
Determine the purpose for obtaining, processing and/or storing the data:
  • Contractual obligation
  • Legitimate basis for processing

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these reasons must apply whenever you process personal data:
  1. Consent: the individual gives clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they required that you take specific steps before you enter a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to do a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests. (This reason cannot apply if you are a public authority processing data to do your official tasks.)
Explicit requirements:
  1. Ensure that the appropriate consent is in place - contract, service, explicit Data Subject consent
  2. Understand where the data resides in the application or solution
  3. Ensure that the data is secured through:
    • Encryption,
    • Access control,
    • Additional controls
  4. Ensure that the retention period of this data is clearly defined
  5. Ensure that the data is deleted at the end of the retention period
  6. Ensure all the Data Subject rights can be fulfilled:
    • Higher standards for privacy policies and statements and for obtaining consent
    • Easier access to personal data by a data subject
    • Enhanced right to request the erasure of their personal data
    • Right to transfer personal data to another organization (portability)
    • Right to object to processing now explicitly includes profiling

Product considerations:

Personal data used by the product: For each intended user of the product, a user account must be set up by creating a user ID, password, and privilege set that allows the user access to the product. After the user account is set up, the product uses it to authenticate the user, to determine the type of data the user has access to, and to determine which operations the user is authorized to perform on that data. After individual user IDs are defined, the product administrator can organize them by grouping them with other user IDs that have similar access needs or similar job requirements. See Managing user access. https://www.ibm.com/support/knowledgecenter/en/SSZRWV_9.1.4/com.ibm.dc.install.doc/dc_plan.htm

For GDPR, it is highly recommended to configure the product with an LDAP enterprise directory server and to import user and group definitions from that LDAP directory server. LDAP supports the management of user IDs and passwords at the enterprise level instead of in the product. Many of these user IDs share access privileges to data. Instead of creating or importing one user ID at a time, you can import user IDs from the existing directory and assign access privileges to several user IDs at a time.

Note: Personal data for the purposes of this document is the personal data that is gathered and used by the product. It does not include any data that users of the product might store themselves by way of storing any content (documents, and so on) which might contain personal data about themselves or anyone else. The enterprise is responsible for determining and controlling what personal data is stored or ingested in the content that is stored by the users into the product and through what means that users are ingesting the content into the product or accessing the content in product. As described in section "Configuring product for GDPR", the product administrators can use capabilities of the product to control access, retention, expiry, or deletion of the content stored or managed by the product.

Personal data used for online contact with IBM

IBM Datacap clients can submit online comments/feedback/requests to contact IBM about the product subjects in various ways, primarily:
  • Public comments area on pages of IBM Datacap documentation in the IBM Knowledge Center.
  • Public comments in the IBM Datacap space of answers.

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

4. Data Collection

The product collects debug logs and maintains audit entries for service purposes; this data is persisted to disk as described in the Data Storage section. Considerations for managing this data are given in the following sections.

5. Data Storage

Data Storage: Controlling storage of personal data

Where personal data is kept (long-term use):

When LDAP is integrated, which is highly recommended for GDPR, the product does not store user IDs and passwords because it uses LDAP to authenticate users. User account data is maintained by the product while the user is authorized to access the product.

When LDAP is not integrated, user account data (user ID, password, privileges) is kept in the Datacap Admin database, which uses the underlying database server (DB2, Oracle, or MSSQL) to store the information.

When a user no longer has a business need to access the product, the administrator can delete the user account.

Temporary use of personal data: the product uses and stores the user ID portion of account data in the audit table and in debug logs.

The audit table can be queried with the following SQL statement against the Admin database for all the Datacap applications:

  select distinct au_Action from audit where au_action like 'Login%' AND au_action not like 'LoginError%';

Debug logs are optional and are turned on to diagnose technical problems that prevent users or the administrator from performing specific functions of the product. Debug logs automatically roll over after a defined number of log files fill up; new debug log entries then overwrite older log entries. The administrator can delete the debug logs at any time and can also turn off debug logging at any time. See Logging and Tracing for Datacap. https://www.ibm.com/support/knowledgecenter/en/search/enable%20logging?scope=SSZRWV_9.1.4

Replication of personal data for high availability or disaster recovery:

For business continuity purposes, the product can optionally be configured for high availability so that access to the content remains available even if one component of the product fails. There are different ways the product can be configured for high availability and disaster recovery; describing all of them is outside the scope of this document. Most methodologies rely on replication of the database and content storage that the product uses. In such a case, there is a copy of personal data in the replicated database or content storage. By virtue of replication, the various copies are kept in sync, and any personal data that is stored, changed, or deleted in the primary system is automatically propagated to the replica copies. With a properly configured high availability system, the enterprise controls access to the storage of the replicated copies. At the product level, user access privileges transparently apply to all copies or replicas of the data.

Use of personal data in backups:

The product administrator is responsible for making backups of the product by using off-the-shelf commercial backup and restore products. For a product backup, the personal data held by the product is copied and stored in the backup. The enterprise needs to define policies that govern how long backups are kept, who may access backups, how access to backups is logged, how restoration from backups is performed, and how backup copies are deleted. For example, you back up daily and set a 30-day backup policy. Backups that are older than 30 days are deleted and their storage is reused for new backups that are less than 30 days old. If you also define a 30-day deletion policy for personal data, then both product and backup data is removed after 30 days.

6. Data Access

Each user who logs in to the product needs sufficient privileges to perform an operation in the product. User privileges are assigned when the user account is defined in the system. For more information, see Administering.

Additional Considerations
  • Product debug logs might be read by product support personnel.
  • Consider the roles of operational and support staff. Limit their access to data so they do not have wider access than their roles require.
  • If log and trace files are transmitted to IBM or other product supporters, review the files for sensitive data before transmission.
  • Product logs and data can be directly accessed from the operating system. At the operating system level, consider restricting access to the system and permissions to the product log files. Use logging and auditing capabilities to track security events that occur on the operating system.

7. Data Processing

Controlling processing of personal data

Encrypting personal data in motion when user account information is created

If you are importing user account information from LDAP, which is the recommended way of creating user accounts in the product, set up an SSL connection between the LDAP user import utility, the LDAP server, and Datacap.

After the account is created, you must also protect user information in motion while the user is being authenticated by the product through the LDAP server. Configure SSL for LDAP user authentication.

Encrypting personal data at rest

Personal data of the product user is kept in the database server (DB2, Oracle, or MSSQL). It is recommended to use native database encryption capabilities of the database server. If you use the DB2 database, see DB2 native encryption. https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0061758.html. If you use the Oracle database, review Oracle database manuals for instructions for setting up encryption.

If the users of the product store personal information in the content, it is highly recommended to encrypt the content at rest. You can use whole disk encryption technology such as IBM Guardium Encryption.

Encryption key ownership

If you are using native database encryption, refer to database encryption documentation for key management and key ownership. If you are using whole disk encryption solution such as IBM Guardium Encryption, refer to its documentation for key management and key ownership.

Additional considerations

If you run custom applications on the product, the applications on the product must provide the ability for you to control how your personal data is processed by the application.

8. Data Deletion

Controlling deletion of personal data:

See section Data Storage: Controlling storage of personal data

Controlling deletion of data/content created by users:

Users of the product need to have sufficient privileges to perform any operation in the product. In addition, users who are granted sufficient privileges can delete the content that they create.

Controlling deletion of data/content created by custom applications running on Product:

It is the responsibility of applications that run on the product to provide the ability for clients to control how their personal data is processed and deleted by the application.

9. Data Monitoring

This pertains to who accesses personal data and when the data is accessed. It is important to know who can access the personal data and where the personal data is kept. Set up a monitoring process for access to each of the data stores.

If your users are storing personal or sensitive information in documents and are storing those documents in IBM Datacap, the product provides ways to control access to the stored content. Each user can perform only the operations that are authorized by the privileges assigned to that user. Privileges are assigned at the time of user account creation and can be modified by the product administrator. To monitor user activities, the product administrator can use the Datacap audit table to track users that log in to the system. Additional Datacap rulesets can be run when a batch is opened, and their data can be tracked in a custom logging mechanism, such as a log file or a database.
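As an added example that is not part of this document or of the Datacap product, the following Python script builds an in-memory SQLite stand-in for the Admin database audit table, runs the statement quoted in the Data Storage section unchanged, and then extends it with the kind of monitoring queries this section describes: successful logins per user ID, bursts of failed logins that warrant review, and an inventory of the user IDs present in the table (useful when handling a data subject request or deleting an account). Only the table name audit and the column au_Action come from this document; the column names au_User and au_Time, the sample rows, and the burst threshold are assumptions made for illustration.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample rows; these are not real Datacap audit records.
# Only the table name "audit" and the column "au_Action" are taken from the
# document. "au_Time" and "au_User" are assumed column names for illustration.
SAMPLE_AUDIT_ROWS: List[Tuple[str, str, str]] = [
    ("2024-01-10T08:01:00", "alice", "Login"),
    ("2024-01-10T08:02:10", "bob", "LoginError"),
    ("2024-01-10T08:02:15", "bob", "LoginError"),
    ("2024-01-10T08:02:20", "bob", "LoginError"),
    ("2024-01-10T08:03:00", "bob", "Login"),
    ("2024-01-10T08:10:00", "carol", "Login"),
    ("2024-01-10T08:20:00", "alice", "Logout"),
    ("2024-01-11T09:00:00", "dave", "LoginError"),
]

# The statement quoted in the Data Storage section, reproduced unchanged.
PAGE_QUERY = (
    "select distinct au_Action from audit "
    "where au_action like 'Login%' AND au_action not like 'LoginError%';"
)


def build_audit_db(rows: List[Tuple[str, str, str]]) -> sqlite3.Connection:
    """Create an in-memory stand-in for the audit table and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (au_Time TEXT, au_User TEXT, au_Action TEXT)")
    conn.executemany("INSERT INTO audit VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def successful_login_actions(conn: sqlite3.Connection) -> List[str]:
    """Run the document's query: distinct login actions, excluding login errors."""
    return sorted(row[0] for row in conn.execute(PAGE_QUERY))


def logins_per_user(conn: sqlite3.Connection) -> Dict[str, int]:
    """Count successful logins per user ID, i.e. who actually accessed the system."""
    rows = conn.execute(
        "SELECT au_User, COUNT(*) FROM audit "
        "WHERE au_Action LIKE 'Login%' AND au_Action NOT LIKE 'LoginError%' "
        "GROUP BY au_User"
    )
    return {user: count for user, count in rows}


def failed_login_bursts(conn: sqlite3.Connection, threshold: int = 3) -> List[Tuple[str, int]]:
    """User IDs with at least `threshold` LoginError entries; candidates for review."""
    rows = conn.execute(
        "SELECT au_User, COUNT(*) AS n FROM audit "
        "WHERE au_Action LIKE 'LoginError%' "
        "GROUP BY au_User HAVING n >= ? ORDER BY n DESC, au_User",
        (threshold,),
    )
    return [(user, n) for user, n in rows]


def users_seen_in_audit(conn: sqlite3.Connection) -> List[str]:
    """Inventory of user IDs present in the audit table.

    This is the list to consult when a data subject asks where their user ID
    is kept, or before an account and its audit trail are deleted.
    """
    return [row[0] for row in conn.execute("SELECT DISTINCT au_User FROM audit ORDER BY au_User")]


if __name__ == "__main__":
    db = build_audit_db(SAMPLE_AUDIT_ROWS)
    print("login actions:", successful_login_actions(db))
    print("logins per user:", logins_per_user(db))
    print("failed-login bursts:", failed_login_bursts(db))
    print("user IDs in audit table:", users_seen_in_audit(db))
```

Against a real Admin database the same queries would be issued through the database client for DB2, Oracle, or MSSQL; SQLite is used here only so the example runs offline. Note that LIKE is case-insensitive for ASCII in SQLite, which matches the mixed-case au_Action / au_action spelling in the quoted statement.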

10. Responding to Data Subject Rights

This section deals with the rights of users of the product with respect to the personal information, that is the account information, that the product maintains for each user. For any personal information that users of the product store in documents they ingest or store, it is the enterprise's responsibility to establish appropriate procedures to handle data subject rights for any information that enterprise users choose to store in the product.

Note: The product provides function where the product administrator has privileges to modify, delete, extract, or restrict access to any content stored in the product. The product administrator can also assign privileges to other users to modify and delete the content that is created by them or others.

For custom applications that run on the product, it is the application's responsibility to use the product's functions to manage content that is created by users of the application.