Data Studio Considerations for GDPR Readiness
For PID(s): 5724-DST, UT:30AG3
Notice:
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of Data Studio that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Table of Contents
- GDPR
- Product Configuration for GDPR
- Data Life Cycle
- Data Collection
- Data Storage
- Data Access
- Data Processing
- Data Deletion
- Data Monitoring
- Responding to Data Subject Rights
GDPR
The General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Product Configuration - considerations for GDPR Readiness
The following sections provide considerations for configuring Data Studio to help your organization with GDPR readiness.
Data Life Cycle
GDPR requires that personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
- Kept in a form which permits identification of the data subject for no longer than necessary.
Client data is the data that the client (or end users) either enter into, import to or generate from the use of the offering.
Data Studio uses 3 kinds of client data while clients use the product.
Type 1: Information that clients input into Data Studio when they set up or use Data Studio
- Connection meta data
This information includes the target database IP address, database user ID, and password. Data Studio uses this data to create a JDBC connection to the target database in order to perform the functions it supports. Clients enter this data when they create a connection profile in Data Studio. Clients can choose to create an SSL connection with target databases.
- Technical data in configuration files
Some technical information is defined by Data Studio by default, or updated by clients, so that Data Studio behaves in a defined way. This information includes some parameters for Eclipse setup options. It is not related to any specific individual.
Type 2: Information that Data Studio gets from the target database when the client uses the product
After clients connect to the target database by providing valid credentials in Data Studio, they can work with database objects and application objects such as stored procedures, triggers, etc. All operations in Data Studio are translated to DDL or other executable scripts that are run against the target database. The returned result is shown in Data Studio in the appropriate format.
Type 3: Information that clients choose to store with Data Studio
Clients can use Data Studio to run SQL statements against the target database. Clients can choose to save such statements as a script in the local workspace.
The SQL result is shown in Data Studio as it is.
Data Studio has no control over what data is stored in the target database. It is the client's responsibility to enforce appropriate access control on the target database and on database objects containing sensitive information, to avoid illegal access to such data.
Personal data used for online contact with IBM
Data Studio clients can submit online comments/feedback/requests to contact IBM about Data Studio subjects in a variety of ways, primarily:
- Public comments area on pages in the Data Studio community on IBM developerWorks
- Public comments area on pages of Data Studio documentation in IBM Knowledge Center
- Public comments in the Data Studio space of dWAnswers
- Feedback forms in the Data Studio community
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.
Data Collection
Data Studio does not collect personal data.
Types of Data Collected
None collected
Data Storage
Data Studio uses the following data storage mechanisms, which users may wish to consider when assessing their GDPR readiness.
- Storage of account data
- Storage of client data
Account data is the data that is needed to create and maintain a client account. That data includes all the technical information related to use (TIRU).
Data Studio is a desktop application, and the product has no concept of an account. Anyone who has the operating system privilege to start the application can use Data Studio.
Client Data
Client data is the data that the client (or end users) either enter into, import to or generate from the use of the offering.
- Connection meta data
Data Studio uses AES to encrypt the database user password in the local file system.
Data is transferred between Data Studio and target databases. Data Studio supports 3 database authentication methods to ensure that only valid database users can get access to the database via Data Studio:
- DB2 LDAP connections
- DB2 for Linux, UNIX, and Windows Kerberos connections
- DB2 for z/OS Kerberos connections
Details can be found in this documentation: Connecting to DB2 using external authentication
Data Access
Personal data is not collected or handled by Data Studio itself. If clients use Data Studio to run SQL statements and get results from target databases, those results may contain personal data or other sensitive data. It is the responsibility of the target database's administrator to enforce the necessary privilege control to ensure that such data is accessible only to valid users.
Data Processing
- Encryption of data arriving and being sent on
Clients can choose to use an SSL connection to secure the data transfer between Data Studio and the database.
- Encryption if it is being stored
Data Studio does not store clear text passwords. All passwords stored by Data Studio are encrypted using the AES algorithm. An encryption key is used in the AES encryption. Clients cannot change this encryption key.
Data Deletion
Data Studio does not handle any data that belongs to an individual. Hence this section is Not Applicable.
Data Monitoring
Data Studio does not handle any data that belongs to an individual. Hence this section is Not Applicable.
Responding to Data Subject Rights
Data Studio does not handle any data that belongs to an individual. Hence this section is Not Applicable.
Document Information
Modified date: 16 June 2018
UID: swg22016657