In the EU a new data privacy regulation is effective from May 2018. Organizations are required to comply with multiple requirements, which also affect IBM Connections. In this session we will check how IBM Connections (on prem) meets the requirements of GDPR and what tools you might need to use.
4. Social Connections 13 Philadelphia, April 26-27 2018
EU regulation 2016/679
• Effective on May 28, 2018
• Regulates cross-border processing and limits recipients of personal information
• Huge administrative fines
• 2M Euro or 4 % of global annual turnover
Does GDPR Apply to Me?
• Doing business in the EU?
• Having an office in the EU?
• Processing data of EU citizens?
YES
Main GDPR terms
• Data subject
• Personal data
• Controller
• Processor
• Consent
• Lawfulness of processing
• Safe processing
New duties for controllers and processors
• Allow only lawful personal data processing
• Inform data subjects about processing
• Data protection by design and by default
• Keep records of processing activities
• Ensure security of processing
• Notify data subject on defined occasions
• Contract between controller and processor
New rights for subjects (articles 12-22)
• Transparency
• Right of access by the data subject
• Right to rectification
• Right to erasure (to be forgotten)
• Right to restriction of processing
• Right to data portability
• Right to object
• Automated individual decision making incl. profiling
Privacy Shield
• Successor of Safe Harbor, an agreement between the EU and the USA since August 2016
• US companies can do a self-assessment and register at the Federal Trade Commission
• EU-approved “codex” which allows US companies to process data of EU citizens according to EU implementing decision 2016/1250
If you are Privacy Shield compliant
• Then you are a safe destination for EU personal data
• But you still have to comply with the rest of the requirements for … and processors
• “Privacy Shield is a jumpstart to GDPR”
Running IBM Connections under GDPR – new duties
ESN vs Privacy
• Not the best setup ever
• What personal data do you process?
• Profiles
• The rest (user-generated data) is equal to any shared drive
• Which lawful grounds do you rely on?
• Minimise personal data processing (!!)
Identify what personal data you collect
• Check attributes in Profiles
• Coming from LDAP via VMM
• Self entered by users
• Automatic profiling: Social Network Graph
• Add “technical” data
• From IHS logs (IP addresses, mobile OS, …)
• From WAS logs
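Added example, not part of the presentation and not the author's tool: a Python sketch of the two slides above, "Minimise personal data processing" and "Identify what personal data you collect", applied to the IHS access log, which IHS writes in the Apache combined format. It inventories which personal-data fields (client IP, authenticated user, user agent / mobile OS) the log carries, then minimises them by pseudonymising the IP with a secret salt and reducing the user agent to an OS family. The log lines are constructed samples, not real traffic.

```python
import hashlib
import re
from collections import Counter
# Constructed sample lines in the IHS/Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.20.30.41 - jdoe [26/Apr/2018:10:15:02 +0200] "GET /profiles/html/myProfileView.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X)"
10.20.30.42 - - [26/Apr/2018:10:15:09 +0200] "GET /files/app HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F)"
192.168.7.9 - asmith [26/Apr/2018:10:16:30 +0200] "POST /communities/service/atom/communities/my HTTP/1.1" 201 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""
# Client IP, remote user and user agent are the "technical" personal data the slide names.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Split one combined-format line into named fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec

def os_family(agent):
    """Reduce the full user-agent string to a coarse OS family (less data, same insight)."""
    a = agent.lower()
    for needle, family in (("iphone", "iOS"), ("ipad", "iOS"), ("android", "Android"), ("windows", "Windows")):
        if needle in a:
            return family
    return "other"

def pseudonymise_ip(ip, salt):
    """Salted SHA-256 of the IP: stable for correlation, not reversible without the secret salt."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()[:16]

def inventory(log_text):
    """Count how many lines carry each personal-data field: input for the record of processing."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts["client_ip"] += 1
        counts["authenticated_user"] += rec["user"] is not None
        counts["user_agent"] += rec["agent"] != "-"
    return dict(counts)

def minimise(log_text, salt):
    """Keep only what an access audit needs: pseudonymous IP, user, OS family, request, status."""
    return [{"ts": r["ts"], "ip": pseudonymise_ip(r["ip"], salt), "user": r["user"],
             "os": os_family(r["agent"]), "request": r["request"], "status": r["status"]}
            for r in filter(None, map(parse_line, log_text.splitlines()))]
```

The salt must be kept as a secret outside the log pipeline; with the same salt the pseudonym stays stable, so "what did this client do" audits still work without storing the raw address.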
Identify reasons for lawfulness of processing
1. Legitimate interest of the controller
2. Consent of the data subject
• Onboarding manager (logon page)
• Create records of processing activities
Identify processors or other recipients
• Your IT suppliers (IBM business partner)
• IBM support (for PMRs)
• Your subsidiary/sister/parent companies
• Work with your lawyers or DPO
• Update your contracts according to Article 28
Inform subjects
• Display required info somewhere
• Log-on screen
• Page header/footer
Secure the infrastructure
• OS (passwords, firewall, updates, etc.)
• WAS (encryption everywhere, roles, certs)
• IC (role mappings, reverse proxy, APIs)
• IHS (HTTPS configuration)
• TDI (LDAP connection)
• The pink stuff
Backup & restore
• You do backups, right?
• Now you must have a DRP (disaster recovery plan) and test it regularly
Security audits
• You are required to check your “secure processing” regularly
Problematic areas
• Encryption of files on the IC server (data at rest) is not possible
• Consider also NFS sharing between IC, Docs, Search, Viewer
• My Drive – replication of files to desktops is not manageable
• No insight into who replicates what content to which computers
Coping with the rights of the data subject
Transparency
• Usually no problem in B2E
Right of access
• Users can easily access all their data in IBM Connections (people-centric system)
Right to rectification
• Potential issues in data pulled from enterprise databases via TDI
• Not our problem
Right to erasure - to be forgotten
• We can delete/deactivate/rename users easily
• @mentions can cause trouble
• Check your IP arrangements with employees or other kinds of users
Right to restrict processing
• This may be an issue depending on how the organization uses and leverages content that includes personal data
• Check your Connections T&C for users carefully
Right to data portability
• Often referenced as “data takeout”
• Does it make sense for ESN?
• Export all personal data in a “common” format
Right to object
• Not specifically related to any tool or technology
Audit tools (for Connections on premises)
Why we need them
• Controllers (and processors) are required to keep records of processing activities and to be able to prove secure processing
• Also provide useful insight in situations unrelated to GDPR
• Demanded by our customer
What is available
• Almost nothing
• Vantage for IBM Connections by Actiance (discontinued?)
• Customizable WAS logs + IHS logs
• WAS auditing
• IC databases
Related tools
• panagenda Connections Expert (CE) + DataMiner
• Infoware DPS and GDPR scanner?
Connections Audit Tools
• We decided to build our own tool
• It reads data from the DB2 database
• Provides information up to 12 months old
• Supports Connections V5 - V6
Audit questions
What is the overall system activity?
Audit questions
What did a user do recently in Connections?
Audit questions
Who accessed a given piece of content?
Audit questions
Is there any specific content?
Thank You!
Jan Valdman
jan.valdman@whitesoft.eu
+420 603 590 152
Contact me if you want to learn more about WhiteCAT
Many thanks to people who helped me to discuss and validate my findings and ideas.