IBM Data Science Experience Local considerations for GDPR readiness
For PID(s): 5737-D37
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of DSX Local that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Table of Contents
- Product Configuration for GDPR
- Data Life Cycle
- Data Storage
- Data Access
- Data Processing
- Data Deletion
- Data Monitoring
- Responding to Data Subject Rights
General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Read more about GDPR
Product Configuration - considerations for GDPR Readiness
Requirement: To help with GDPR readiness, install Data Science Experience Local Version 22.214.171.124 or later.
The following sections provide considerations for configuring DSX Local to help your organization with GDPR readiness.
Configuration to support Data Security
To ensure that your data in IBM DSX is stored securely, you can encrypt your storage partition. If you use Linux Unified Key Setup-on-disk-format (LUKS) for this purpose, then you must enable LUKS and format the partition with XFS before you install DSX Local.
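One way to confirm this layout before installing, as an added example (not IBM's tooling or part of the original document): the function reads `lsblk` output and verifies that the file system at a given mount point is XFS and sits on a LUKS container. The mount point `/install` and the device names in the sample are assumptions used for illustration.

```shell
#!/bin/sh
# Added example: check that a mount point is XFS on a LUKS-encrypted device.
# Input on stdin: output of
#   lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
# Exit status: 0 = XFS on LUKS, 1 = wrong layout, 2 = nothing mounted there.
check_luks_xfs() {
    awk -v mp="$1" '
    # Return the value of KEY="value" from one lsblk -P line.
    function field(line, key,    s) {
        line = " " line
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = field($0, "KNAME")
        type[k] = field($0, "TYPE"); fs[k] = field($0, "FSTYPE")
        parent[k] = field($0, "PKNAME")   # assumes one parent per device
        if (field($0, "MOUNTPOINT") == mp) dev = k
    }
    END {
        if (dev == "") { print "FAIL: nothing mounted at " mp; exit 2 }
        if (fs[dev] != "xfs") { print "FAIL: " dev " is not xfs"; exit 1 }
        # Walk towards the disk: some layer must be a dm-crypt mapping
        # whose parent carries a LUKS header (covers LVM on top of LUKS).
        for (d = dev; d != ""; d = parent[d])
            if (type[d] == "crypt" && fs[parent[d]] == "crypto_LUKS") {
                print "OK: " mp " is xfs on LUKS container " parent[d]; exit 0
            }
        print "FAIL: no LUKS layer under " mp; exit 1
    }'
}

# Constructed sample (not from a real system); /install is a placeholder path.
SAMPLE_LSBLK='KNAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sdb1" TYPE="crypt" FSTYPE="xfs" MOUNTPOINT="/install"'
printf '%s\n' "$SAMPLE_LSBLK" | check_luks_xfs /install
```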
Data Life Cycle
What is the end-to-end process that personal data goes through when using our offering?
Each intended user of your DSX Local system must have a user account, created with a user ID and password, to access DSX Local. After the user account is set up, DSX Local uses that account to authenticate the user and to determine the type of data and operations that the user can access and interact with. The required method of configuring access, which is to create users within an LDAP enterprise directory server, aligns with GDPR recommendations. LDAP supports the management of user IDs and passwords at an enterprise level instead of managing this data in DSX Local. DSX Local calls on the LDAP server to provide authentication, which means that DSX Local does not store passwords for individual users. See Manage users and Security in DSX Local to learn more. See User authentication for REST API authentication. See Audit DSX Local records to learn more about access failures recorded in the logs.
Authentication to data sources
All data source credentials are encrypted with a global key or a user-specific key, and can only be used inside the DSX Local cluster where the password was originally entered. These encrypted credentials become unusable if they are pushed to a Git repository or exported outside of a DSX Local cluster using the project or asset export process.
Personal data used for online contact with IBM
DSX Local clients can submit online comments/feedback/requests to contact IBM about DSX Local subjects in a variety of ways, primarily:
- Public comments area on pages of DSX Local documentation in IBM Knowledge Center
- Public comments in the DSX Local space of dWAnswers
- Feedback forms in the DSX Local community
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the [IBM Online Privacy Statement](https://www.ibm.com/privacy/us/en/).
Ensure your disk volumes and backups of the disk volumes are encrypted. Establish appropriate access controls through the User Management panel. Access failures are recorded in the logs. See Audit DSX Local records for details.
For storage of Big Data, a relational database such as Db2 Warehouse on Cloud or Hadoop (with Kerberos enabled) is recommended.
Who can access data in your offering?
Only project collaborators can access local data sets and remote data sources. By default, each member of the project needs to have access to the remote data source. For relational databases except for Hadoop, the project administrator can opt to provide a shared encrypted credential that can be used by all members of the project to connect to that remote data source.
Multiple log entries from different services are recorded and periodically purged. A DSX administrator can configure the log retention period in the Settings.
Disk volumes should be encrypted. To encrypt data storage, LUKS is recommended.
You should only share permalink URLs or REST API endpoints with authorized individuals.
DSX Local can only be accessed through SSL/TLS (HTTPS). See Security for details. Use JDBC/SSL-based mechanisms to communicate with remote data sources.
Your configuration of user access privileges determines who can delete personal data. Administrators are given access to delete content from DSX Local, and delete users from the integrated LDAP directory server.
In addition, users who have been granted sufficient privileges can delete content that they have created.
Data inside projects such as CSV files can be deleted individually or by the deletion of the entire project.
Ensure all data repositories are tracked.
You should regularly test, assess, and evaluate the effectiveness of your technical and organizational measures to comply with GDPR. These measures should include ongoing privacy assessments, threat modeling, and centralized security logging and monitoring, among others.
Access failures are recorded in the logs. See Audit DSX Local records for details.
Responding to Data Subject Rights
When the DSX administrator deletes, updates, or restricts the use of the data, the administrator must also clean the disks that the data is on to completely remove the personal data.