IBM Support

IBM Connections Social Cloud GDPR documentation

Question/Answer


Question

How does Connections Cloud support removing personal information for users?

Cause

The following Q&A provides information on commonly asked questions about how IBM Connections Cloud supports compliance with the European Union's GDPR ruling.

Answer

 

Access Controls What access controls capabilities does the product provide to limit access to Personal Data to support the Client in meeting its compliance obligations?
Application-level access controls are available on the collaboration data in every Connections Cloud service. These controls use the customer organization as a fundamental unit of sharing, while also allowing users to share at the individual, group, or public level. Public access is restricted to registered users, each of whom has proven that they control access to their registered email address. Data access is monitored and logged.

 

In addition, IBM Connections SaaS offerings comply with the European Union – United States Privacy Shield framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. IBM Privacy Shield policies are explained at IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services.

For more information on access controls in Connections Cloud, see the following topics in IBM Knowledge Center:

  • Users must be added to Connections Cloud by the organization administrator as described in Adding users.
  • Administrators can add or remove product subscriptions on a per-user basis, and can delete user accounts, as explained in Managing users.
  • Administrators can set up federated identity management systems, and can limit client access to a specified range of IP addresses. For more information, see Managing user logins.
  • Administrators must be assigned to a special user role to receive access to data. See Setting up users for a list of roles and their descriptions.
  • Developers of third party apps must use OAuth 2 to request access to specific data, and users can approve or deny access to their own information. In addition, those apps must be approved by a Connections Cloud organization administrator, who then makes them available to users. Connections Cloud also supports the use of SAML authentication with OAuth 2. See Understanding OAuth 2.0 and Using SAML bearer for OAuth 2.0, in the Connections Cloud Developers wiki.

 


Data Retention minimization
Where does the product store data, and how the client can delete data about an individual to support client in meeting its compliance obligations?

Connections Cloud data is stored in an enterprise-level DBMS; IBM maintains data centers in three geographic locations: North America, Europe, Asia Pacific. We do adhere to each country’s data residency requirements, and we do not use sharding to distribute data loads. Files content (including attachments in other components) is written to the file system in encrypted format.

IBM uses a variety of techniques to ensure the security and privacy of customer data, and to minimize the chances of unauthorized access. IBM does not mine customer collaboration data to sell insights to others.

 

For information on how the client can delete data about an individual, see Managing personal information in accordance with GDPR in IBM Knowledge Center for Connections Social Cloud.

 

Data Subject Access
What capabilities does the product provide to correct an individual's data in all its instances to support client in meeting its compliance obligations?


Individuals can search for their own data, or ask an organization administrator to conduct the search; both methods are described in the Connections Social Cloud documentation on IBM Knowledge Center:

 

  • An individual can easily find data they created or contributed to by using the global search capability in the product. See the "Assisting a current user to search their own data" section of Managing personal information in accordance with GDPR.
  • An individual can ask an organization administrator to find and correct all instances of specific data in blogs, wikis, and other apps. For more information, see Deleting or correcting user PI.


How does the product support the ability to extract individual data in a machine readable format for an individual data subject?

The Connections Cloud organization administrator can use APIs to search the repository for content that contains an individual's data. Results are returned in HTML format, which is machine readable; an individual can also view the information in a browser. For information on the Search API, see Searching for information in the IBM Connections Cloud Developers wiki.

 


How does the product support the capability to provide individuals with a report on their personal data that is being processed?

 

The Connections Cloud organization administrator can use APIs to search the repository for content that contains an individual's data. Results are returned in HTML format, which is machine readable; an individual can also view the information in a browser. For information on the Search API, see Searching for information in the IBM Connections Cloud Developers wiki.

Encryption
How does the product provide encryption for data in transit capabilities to support Client in meeting its compliance obligations?


Encryption is built into some applications deployed on our cloud services; for example IBM DB2® supports the encryption of customer information. For some solutions, this can also be achieved at the file system level. At the infrastructure level, there are additional controls to protect data on backup media, on portable media, and during the disposal of storage devices. Processes are also in place to ensure that any media removed from a data center is encrypted for transport, and then is securely deleted at the end of its use.


How does provide encryption capabilities for data "at rest” to support Client in meeting its compliance obligations?

DB2 supports encryption for stored data. For more information, see the DB2 data encryption topic in IBM Knowledge Center.

 

Information Security


Where can the client find information about the security and privacy capabilities of the product to support them in meeting their compliance obligations?

 

The Managing users section in the Connections Social Cloud documentation on IBM Knowledge Center explains how organization administrators can ensure privacy and security by partitioning user accounts and by assigning users to specific roles that govern their permissions.

Where can the client find information about the security of the product (e.g. ISO certifications, technical security capabilities) available to support the Client in meeting their compliance obligations?

The IBM Connections Trust & Security web page describes how IBM implements a variety of policies and processes to ensure that we protect all aspects of our cloud offerings, including data, software, and user access, as well as the underlying systems.

 

Logging & Monitoring
What logging / monitoring capabilities does the product provide in order to support the client in meeting its compliance obligations?

Connections Cloud uses Vantage & Alcatraz compliance products from Actiance. See IBM Connections Compliance for Social.

 

Pseudonymisation


Does the product provide pseudonymisation capabilities to support the client in meeting its compliance obligations?

Organization administrators can manage user accounts, including pseudonymisation, as explained in the Connections Social Cloud topic, Managing personal information in accordance with GDPR, on IBM Knowledge Center.

 

Right to Restrict / Object Service


How does the product allow the client to stop processing data of a particular individual to support the client in meeting its compliance obligations?

 

Organization administrators can manage user accounts, including deleting or suspending user accounts, as explained in the Managing users section of the Connections Social Cloud documentation on IBM Knowledge Center.

 

Secure Deletion
What information is available regarding the capability of the product to delete Personal Data to support the Client in meeting its compliance obligations?

 


Organization administrators can manage user accounts, including deleting or suspending user accounts, as explained in the Managing users section of the Connections Social Cloud documentation on IBM Knowledge Center.

 

 

 

Organization administrators can delete personal data in some Connections Cloud contexts as explained in Deleting or correcting user PI.

 

 

Separation of duties
Explain how the product provides specific suggested roles and accesses that customers can use to compartmentalize and restrict access in order to meet their compliance obligations regarding "Separation of Duties"?


Connections Cloud allows the use of roles to govern the set of permissions assigned to each user (for example, the user, app developer, administrator, and auditor roles). See the complete list plus description of supported roles in the topic, Setting up users, in the Connections Social Cloud documentation on IBM Knowledge Center.

 

 

Standards
Please provide statements regarding the standards that the product meets (e.g. ISO certifications, etc.) and assurances that the product development process follows the "Privacy by Design" principles in order to support the Client in meeting their compliance obligations?


IBM maintains a set of internal security policies, standards, and processes consistent with the International Standards Organization (ISO) 27001 framework and control areas. We also maintain many industry-related certifications such as ISO 9001, ISO 20000, and Capability Maturity Model Integration (CMMI) across many data centers.

 

Our comprehensive Service Organization Controls (SOC) reporting program is undergoing several Statement on Standards for Attestation Engagements (SSAE) 16 or equivalent audits covering many IT services and associated controls, from managed services delivery through to managed security services. We continue to develop this external auditing approach to cover our cloud services as they evolve and to ensure compliance with requirements.

Privacy reviews align IBM Connections Cloud with comprehensive, regularly updated IBM policies on privacy and client data protection, which can be found in the IBM Online Privacy Statement.

 

Technical & Configuration Guidance


Please provide references to technical and configuration guides that allow the Client to understand how to change settings within the offering to minimize access to Personal Data?

 

The following sections of the Connections documentation discuss ways to minimize access to personal information through the use of roles, permissions, and encrypted communications:

Document information

More support for: IBM Connections Cloud

Component: Administration, ">More...

Software version: Not Applicable

Operating system(s): Platform Independent

Reference #: 2016097

Modified date: 07 August 2018


Translate this page: