Considerations for GDPR Readiness

Information about features that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness.

GDPR consideration for the following offerings:
  • IBM Cloud Application Performance Management Private
  • IBM Tivoli Monitoring
  • IBM Tivoli Composite Application Manager
  • IBM SmartCloud Monitoring
  • Application Insight

For PID(s):

5725-G70

5725-I45

5724-U17

5724-S79

5724-C04

5725-C20

5724-L92

5725-J97

5725-U05

5725-V20

5725-M99

  • Notice:

    This document is intended to help you in your preparations for GDPR readiness. It provides information about features of the offerings that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

    Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

    The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

1. GDPR

2. Product Configuration for GDPR Readiness

3. Data Life Cycle

3. Data Collection

5. Data Storage

6. Data Access

7. Data Processing

8. Data Deletion

9. Data Monitoring

10. Responding to Data Subject Rights

GDPR

General Data Protection Regulation has been adopted by the European Union (“EU”) and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for Significant financial penalties for non-compliance
  • Compulsory data breach notification

Product Configuration for GDPR Readiness

The following sections provide considerations for configuring the product to help your organization with GDPR readiness.

  • Configuration to support data handling requirements

    The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure and also through unauthorized access or via theft of computer equipment or storage media.

  • How to configure our offering such that it could be used in a GDPR environment?

    IBM® Cloud Application Performance Management Private (Cloud APM Private) is a comprehensive solution that helps you manage the performance and availability of applications that are deployed on premises (private), in a public cloud, or as a hybrid combination. This solution provides you with visibility, control, and automation of your applications, ensuring optimal performance and efficient use of resources.

    IBM Tivoli Monitoring (ITM) monitors and manages system and network applications on a variety of operating systems, tracks the availability and performance of your enterprise system, and provides reports to track trends and troubleshoot problems.

    The IBM Tivoli Composite Application Manager (ITCAM) for Applications offering is a package of component products that monitor and manage systems, application servers, and database servers; track availability and performance; and provide reports, in a browser-based graphical user interface, to track trends and troubleshoot problems.

    Data is sent to the APM and ITM UI from the operating system, applications, coding language agents or data collectors. This data is then stored in an IBM Db2 database. The user creates events from this data for anomalous conditions that they want to monitor.

    For Oracle or SQL databases please refer to the appropriate vendor's documentation.

Data Life Cycle

GDPR requires that personal data is:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
  • Kept in a form which permits identification of the data subject for no longer than necessary.
  • What is the end-to-end process through which personal data go through when using our offering?
  • Personal data used for online contact with IBM

The offering’s clients can submit online comments/feedback/requests to contact IBM about the offering’s subjects in a variety of ways, primarily:

  • Public comments area on pages of the offerings documentation in IBM Knowledge Center
  • Public comments in the Offerings space of dWAnswers
  • Feedback forms in the Offerings community

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the [IBM Online Privacy Statement] (https://www.ibm.com/privacy/us/en/).

  • What types of data?

    The Application Performance Management/Tivoli Monitoring offerings do not directly target or collect personal data. The type of data collected by the products is primarily performance management metrics that measure the performance of some underlying operating system, applications such as web servers and databases, or coding languages such as, .Net, python, or ruby.

    The Application Performance Management/Tivoli Monitoring offerings provide authentication and handling of system users.

    The Application Performance Management/Tivoli Monitoring offerings process the types of Personal Data shown here:

    • Authentication Credentials (such as username and passwords).
    • Technically Identifiable Personal Information such as, (device IDs, usage-based identifiers, or IP address, when linked to an individual) used to identify the systems or applications being monitored as part of the normal function of this product.

Data Collection

This is not a definitive list of the types of data collected by the offerings. It is provided as an example for consideration. If you have any questions about the types of data, please contact IBM.

Data is collected by agents which connect to popular 3rd party and IBM operating systems and applications to help the end user ascertain the performance level of those systems or applications.

None of these target personal data however the following may be present in the product as part of the monitoring process:

  • Authentication Credentials (such as username and passwords)
  • Technically Identifiable Personal Information (such as device IDs, usage -based identifiers, IP address, when linked to an individual)

Data Storage

  • How can the client control the storage of personal data?

    The Application Performance Management/Tivoli Monitoring offerings utilize a Db2 instance to store performance management data, which does not contain any personal data by default.

Data Access

Use the Role Based Access Control feature in IBM® Cloud Application Performance Management to grant users the access privileges they require for their role.

Security in Cloud APM Private is based on roles. A role is a group of permissions that control the actions you can perform in Cloud APM Private. You can create customized roles in Cloud APM Private. You can assign permissions to customized roles, or you can assign more permissions to existing default roles.

You can assign users and user groups to existing default roles or to customized roles. You can assign users and user groups to multiple roles. Permissions are cumulative, a user or user group is assigned all the permissions for all the roles they are assigned to. Cloud APM Private uses the WebSphere® Application Server Liberty profile basic registry as the default method for user authentication. Alternatively, you can use an LDAP registry for user authentication.

For more information, see:

Data Processing

  • How can the client control processing of personal data?
  • Encryption in motion

    Application Performance Management/Tivoli Monitoring offerings can be configured to use SSL communications for data transferred between components.

  • Encrypting Agent Communication to the server

    ITM agents running in autonomous or centrally managed modes present new additional options for highly secure deployments of monitoring agents. With a few small post-installation environment configuration steps, customers can achieve exceptionally secure monitoring agent deployments in highly constrained environments like DMZ’s.

    The Autonomous agent deployment model is similar to the standard centrally managed ITM agent deployment model where agents communicate with their infrastructure over secure connections and agents use local configuration files that administrators may manage.

    In a secure environment, the agents are invisible to outside network traffic, minimize their communication pathways and lock down access to the agent files on the file system. A highly secure configuration also ensures strong authenticated encryption on any communication pathways.

    This whitepaper enumerates the steps required to lock down open-by-default network connections and verify the installation is secure from within.

    For more information, see: https://www.ibm.com/support/knowledgecenter/en/SSHLNR_8.1.4/com.ibm.pm.doc/install/onprem_config_https.htm

    https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/install/unixconfig_ma.htm

Data Deletion

  • How can the client control the deletion of personal data?
    • Client Data deletion

      Removal of users from any of the Application Performance Management/Tivoli Monitoring offerings, file-based repository or external directory service will prevent the user from logging into the product. It will not remove the users’ data (e.g. name) from active or historical events as there is an ongoing need from an operational/audit perspective to maintain this data. However, as part of your deployment you should review the period for which data is archived, backups are stored and logs are maintained to determine if they are reasonable based on your operational needs.

      To remove data from the Db2 database, see the Db2 Knowledge Center:

      https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.welcome.doc/doc/welcome.html

      For other databases, see the documentation that is provided by the database vendor.

  • Account Data deletion

    Removal of users from any of the Application Performance Management/Tivoli Monitoring bundles, file-based repository or external directory service will prevent the user from logging into the product. It will not remove the users’ data (e.g. name) from active or historical events as there is an ongoing need from an operational/audit perspective to maintain this data. However, as part of your deployment you should review the period for which data is archived, backups are stored and logs are maintained to determine if they are reasonable based on your operational needs.

    To remove a user and their access from the product, see: https://www.ibm.com/support/knowledgecenter/en/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_workingwithrolesusersandpermissions.htm

Data Monitoring

  • How can the client monitor the processing of personal data?
  • Application Performance Management/Tivoli Monitoring offerings are used to monitor enterprise servers, operation systems, applications and code. Personal data in the product is limited to:
    • Basic Personal Information (e.g. usernames for authentication)
    • Technical Personal Information (e.g. IP addresses/hostnames from systems used by the user to access the solution and potentially captured in debug/trace logs).

    The product’s database can be configured to audit access to specific objects or actions performed by specific groups of users in audit logs, as previously mentioned.

    Log files are not encrypted. If log files need to be archived for operational/audit requirements then consideration should be given to encrypting any archived logs.

Configuring Audit Logging

Responding to Data Subject Rights

  • Does the offering facilitate being able to meet data subject rights?

    Personal data that is stored and processed by the product comes under the following categories:

  • Basic Personal Data (e.g. usernames and passwords used for authentication and Name/ID to show ownership of an event
  • Technically Identifiable Personal Information (such as IP addresses and hostnames to which user activity could potentially be linked).

    This data is intrinsic to the operation of an effective performance management workflow. Removal of data, modification of historical data and the sharing of this data is likely to be contrary to your enterprises policies.

However, consideration may need to be given to the following:

  • Data is only retained for a reasonable period based on operational, compliance, and industry audit requirements that pertain.
  • Data is secured appropriately when in archive format.
  • That the contract terms are GDPR compatible for the following:
    • When the product is used for managing your enterprises or your own IT/network environment, applications.
    • When the users of the solution are employees/contractually engaged staff.
    • When the event schemas are customized to augment the defaults with additional data sourced from other data sources available in your environment, for example, personal data.