GDPR Considerations for IBM Connections

Since we live in a global world, where things are connected more than we would like to admit sometimes, it was only natural that the relationships that are created must be regulated in a way.

GDPR tries to do just that when referring to personal data confidentiality. If you process personal data for your clients and have business in the EU, this affects you and you should pay attention since the fines for non-compliance are quite hefty. Here you can learn more about it on a general level.

To summarize, GDPR refers to:

  • Data subject
  • Personal data
  • Controller
  • Processor
  • Consent
  • Lawfulness of processing
  • Safe processing

What do you need to keep in mind if you are a controller or processor?

  • Allow only lawful personal data processing
  • Inform data subjects about processing
  • Data protection by design and by default
  • Keep records of processing activities
  • Ensure security of processing
  • Notify data subject on defined occasions
  • Contract between controller and processor

What to keep in mind if you are running IBM Connections under GDPR?

If you plan on running, or already are running, IBM Connections and also do business with EU citizens, you need to take some things into consideration. The main thing is, as you might have imagined, analyzing which personal data you are working with and trying to minimize your processing of this type of data as much as possible.

Here is how you take care of the first step, identifying the personal data you collect:

  • Check attributes in Profiles
  • Automatic profiling: Social Network Graph
  • Add “technical” data:
      • From IHS logs (IP addresses, mobile OS, …)
      • From WAS logs
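The IHS (IBM HTTP Server) access log is the least obvious place personal data hides, so the inventory step is worth doing with a script rather than by eye. The following is an added example, not code from the article or from IBM: it parses constructed access-log entries in the Apache "combined" format that IHS writes, counts which categories of personal data each entry carries (client IP, login name, device OS from the User-Agent), and shows the minimization the article asks for by truncating addresses and reducing the User-Agent to an OS family. The prefix lengths, the OS marker list and the sample lines are this example's own assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample entries in the Apache "combined" format (the format IHS uses).
# Addresses come from documentation ranges and the user names are invented.
SAMPLE_IHS_ACCESS_LOG = """\
203.0.113.7 - jdoe [12/Mar/2018:09:15:02 +0100] "GET /profiles/html/myProfileView.do HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 Mobile/15C114"
198.51.100.23 - - [12/Mar/2018:09:15:10 +0100] "GET /communities/service/html/allcommunities HTTP/1.1" 200 8912 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F) AppleWebKit/537.36 Chrome/64.0 Mobile Safari/537.36"
2001:db8::42 - asmith [12/Mar/2018:09:16:44 +0100] "POST /files/basic/api/myuserlibrary/feed HTTP/1.1" 201 412 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/58.0"
"""

# Combined log format: client - user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered so the more specific token wins: an iPhone UA also says "like Mac OS X",
# an Android UA also says "Linux". This list is an assumption of the example.
OS_MARKERS = [
    ("iPhone OS", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
    ("Windows", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format entry into its fields; None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def os_family(user_agent: str) -> str:
    """Coarse OS family from a User-Agent string, or 'unknown'."""
    for marker, name in OS_MARKERS:
        if marker in user_agent:
            return name
    return "unknown"


def personal_data_inventory(log_text: str) -> Dict[str, int]:
    """Count, per category of personal data, how many entries carry it."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts["client_ip"] += 1          # an IP address is personal data under GDPR
        if rec["user"] != "-":
            counts["user_id"] += 1        # authenticated login name
        if os_family(rec["ua"]) != "unknown":
            counts["device_os"] += 1      # device/OS fingerprint from the User-Agent
    return dict(counts)


def anonymize_ip(ip: str, v4_prefix: int = 24, v6_prefix: int = 64) -> str:
    """Drop the host part of the address so it no longer points at one client.
    The prefix lengths are this example's choice, not a GDPR requirement."""
    addr = ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_log(log_text: str) -> List[str]:
    """Rewrite entries with a truncated IP and the User-Agent reduced to its OS family.
    The login name is kept because it is needed for accountability; how long it is
    retained is a separate policy decision."""
    out: List[str] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        out.append(
            f'{anonymize_ip(rec["ip"])} - {rec["user"]} [{rec["ts"]}] "{rec["request"]}" '
            f'{rec["status"]} {rec["size"]} "{rec["referer"]}" "{os_family(rec["ua"])}"'
        )
    return out


if __name__ == "__main__":
    print(personal_data_inventory(SAMPLE_IHS_ACCESS_LOG))
    for entry in minimize_log(SAMPLE_IHS_ACCESS_LOG):
        print(entry)
```

Run against a real access log, the inventory gives you the list of personal-data categories to put in your records of processing activities; the minimized form is what you would keep once the operational need for the full entries has passed. Whether truncating to /24 is sufficient anonymisation is a judgement for your DPO, since the address still identifies a network.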

Next, you will need to locate the reasons for lawfulness of processing:

  • Legitimate interest of the controller
  • Consent of the data subject
  • On-boarding manager (logon page)
  • Create records of processing activities

After you have completed the above steps, you will need to identify the processors and other recipients. This means checking your IT suppliers, IBM business partners, IBM support (for PMRs) and any other company you work with. Here you will need to work with your lawyers and DPO, especially if you have a lot of branches. And, last but not least, you will need to update all your contracts in accordance with Article 28 (the article which defines the role and obligations of the processor).

The next step is informing data subjects that their information will be collected and processed. This can be done with a pop-up screen or by using the page header or footer.

Security of processing

To understand what this means, we need to look at Article 32 of GDPR: data controllers and data processors must have technical and organizational measures in place that provide a level of data security appropriate to the risk that the processing poses.

So, how do you take care of this? Well, by securing your infrastructure:

  • Everything that has to do with passwords, firewalls and updates
  • Make sure you have encryption everywhere and that the roles are well defined
  • You need an HTTPS configuration, of course
  • Last but not least: the LDAP connection

Having backups is not enough on its own: you need a DR plan, and you need to test it regularly. All security-of-processing measures need to be tested with regularity.

Rights of the subject

  • Getting things in order when it comes to the rights of the subject should be easy enough. For starters, everybody can access their data in IBM Connections.
  • When it comes to the “right to be forgotten”, personal information can easily be erased, deactivated, or renamed, so there should really be no problem in that respect. One thing that can cause some trouble is @mentions. Also, you would need to check the IP arrangements with employees and other users.
  • The right to restrict processing can be a problem when it comes to how the company uses personal data. You would need to check the Connections T&C for users.
  • Next in line comes data portability, sometimes referred to as data takeout. It can easily be handled by exporting all the personal data in a common format.

Overall, GDPR can be a challenge, but with the right tools you can get in line with the new regulations without much trouble. These days, security is one of the most important things to take into consideration when working with technology, so the rules GDPR brought are justified up to a point.
