Considerations for GDPR Readiness

Information about features of IBM® Cloud Manager with OpenStack that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness.

For PID(s):

5725-R05: IBM Cloud Manager with OpenStack

5765-CMO: IBM Cloud Manager with OpenStack

Notice

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Cloud Manager with OpenStack that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

  1. GDPR
  2. Product Configuration for GDPR
  3. Data Life Cycle
  4. Data Collection
  5. Data Storage
  6. Data Access
  7. Data Processing
  8. Data Deletion
  9. Data Monitoring
  10. Responding to Data Subject Rights

GDPR

The General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.

Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Product Configuration – Considerations for GDPR Readiness

The following sections provide considerations for configuring IBM Cloud Manager with OpenStack to help your organization with GDPR readiness.

Data Life Cycle

User Accounts

The IBM Cloud Manager with OpenStack system administrator or security administrator creates a user by providing a user ID, email address, full name, and password to grant the user access to the system. This personal data is stored in the database on the client's hardware and can be fully managed by the system administrator or security administrator and edited by the user.

System Logs
The following personal data may exist within the operating system and application logs:
  • User ID
  • Email addresses
  • Full name (excluding passwords)
  • IP addresses for managed assets (excluding user browser client IP address)
  • Session IDs
  • Web page URLs
  • Cookie names
The logs are retained on disk provided there is sufficient space available. The end user can modify and delete logs; older logs are not deleted automatically.

The purpose of the system log files is for use during troubleshooting situations. As needed, the log files may be collected and downloaded from the offering for transfer to IBM Support. The log files are included whenever the customer takes a system backup or snapshot.

Information on system logs is documented in the IBM Cloud Manager with OpenStack Knowledge Center.

Personal data used for online contact with IBM
Clients can submit online comments, feedback, and requests to contact IBM about IBM Cloud Manager with OpenStack subjects in a variety of ways, primarily:
  • Public comments area on pages in the IBM Cloud Manager with OpenStack community on IBM developerWorks
  • Public comments area on pages of IBM Cloud Manager with OpenStack documentation in IBM Knowledge Center
  • Public comments in the IBM Cloud Manager with OpenStack space of dWAnswers
  • Feedback forms in the IBM Cloud Manager with OpenStack community

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

Data Collection

For more information, see Data Life Cycle.

Data Storage

Personal data will be contained within backups of the offerings. Such personal data will include the personal data associated with user accounts stored within the database. The Knowledge Center provides information pertaining to creating the backups within the IBM Cloud Manager with OpenStack offering.

The backup feature enables the client to transfer the backup archives to an external location. However, management of any external backup archives is beyond the scope of the offering. The client should implement a set of established best practices for managing and securing such backup files. Information on managing backups is documented in the IBM Cloud Manager with OpenStack Knowledge Center.

Data Access

The client can implement industry-standard best practices for general security measures, such as disk encryption and physical and remote access controls.

For user account data, read or write access can be given to specific users.

Data Processing

General security measures are directly implemented by the offering.

Data Deletion

Personal data associated with user accounts (as described in Data Life Cycle) can be fully managed by the system administrator or security administrator, including deletion. Users are not permitted to delete the personal data associated with the accounts. Information on managing users is documented in the IBM Cloud Manager with OpenStack Knowledge Center.

Personal data, including IP addresses, session IDs, and user IDs, may exist within operating system and application logs. The log files can be modified and deleted by the client. The logs will be retained on disk provided there is sufficient space available. Information on system logs is documented in the IBM Cloud Manager with OpenStack Knowledge Center.

Data Monitoring

IBM Cloud Manager with OpenStack does not monitor operating system or application logs, which are collected by the system and remain on the management node as space permits. When needed for troubleshooting, logs may be downloaded from the console. Typically, such files remain local to the offering and cannot be managed or altered by end users or administrators. Administrators may be able to review some log files (for troubleshooting purposes and without context of any personal data contained within) via the offering console. For more complex troubleshooting situations, such logs may be collected and downloaded from the offering for transmission to IBM Support.

Responding to Data Subject Rights

IBM Cloud Manager with OpenStack meets the following data subject rights: the right to access, the right to modify, the right to be forgotten, and the right to portability.