General Data Protection Regulation (GDPR)

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

IBM WebSphere® Portal and IBM Web Content Manager are on-premises products installed and operated by the customer. In this scenario, IBM is neither a controller nor a processor as defined by the GDPR.

IBM WebSphere Portal and DB2® software support both controllers and processors, through their available features, in preparing for GDPR readiness.

Encryption of data at rest can typically be configured in the database and other backends used with IBM WebSphere Portal and IBM Web Content Manager. For example, see https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0061758.html for more information about how DB2 native encryption works.

Encryption of data in transit includes both connections from client to the server and from server to the backend. For configuration details, refer to the following guides:

The backup procedure, data retention policy, and how to deal with Data Access and Data Erasure requests need to be defined and managed by data controllers.

Digital Experience supports logging of important system events. To learn more, read https://developer.ibm.com/digexp/docs/docs/customization-administration/websphere-portal-8-5-9-log-maintenance-best-practices/.

For auditing refer to the following documents:

When checking for Personal Data, you should include the following cases:

  • The user information that is stored in the LDAP (or other repositories)
  • Information that may be collected on DX (e.g. Tagging and Rating, personalization)
  • Information collected by custom code deployed (e.g. portlets) or code integrated (e.g. via DDC, WSRP, WAB) on IBM WebSphere Portal and IBM Web Content Manager
  • User tracking systems integrated with HTML/JavaScript in the browser

Finally, here are a few hints regarding the handling of users and content:

  • Removing a user: To remove a user's ability to log into the Portal, you can remove the user from your LDAP (or whatever repository contains the user info). Digital Experience relies on WebSphere for authentication. Note that some attributes of the user, such as group membership or attributes in their LDAP record, may have been used in your implementation for access control or personalization rules.
  • Changing the ownership for WCM content created by a user: WCM only refers to the user's distinguished name as stored in the LDAP. No content will be lost in WCM when the creator is deleted from the LDAP repository. If you want to replace the assigned content creator, or a specific role, of a user before deleting that user from the LDAP, you can use the "MemberFixer". More information is available at: https://www.ibm.com/support/knowledgecenter/en/SSHRKX_8.5.0/mp/wcm/wcm_admin_member-fixer.html

Cleaning up remainders of user data in the customization database can be done with the SLChecker tool (https://www.ibm.com/support/knowledgecenter/SSHRKX_8.5.0/mp/admin-system/adelorph.html).

Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr