
GDPR Considerations for IBM Connections

In the EU, a new data privacy regulation takes effect in May 2018. Organizations are required to comply with multiple requirements, which also affect IBM Connections. In this session we will check how IBM Connections (on-prem) meets the requirements of GDPR and what tool you might need to use.

  1. Social Connections 13, Philadelphia, April 26-27 2018. GDPR Considerations for IBM Connections. Jan Valdman, Whitesoft, @jan_valdman
  3. GDPR – What the hell is it?
  4. EU regulation 2016/679
     • Effective on May 28, 2018
     • Regulates cross-border processing and limits recipients of personal information
     • Huge administrative fines
     • 2M Euro or 4 % of global annual turnover
  5. Does GDPR Apply to Me?
     • Doing business in the EU?
     • Having an office in the EU?
     • Processing data of EU citizens?
     YES
  6. Main GDPR terms
     • Data subject
     • Personal data
     • Controller
     • Processor
     • Consent
     • Lawfulness of processing
     • Safe processing
  7. New duties for controllers and processors
     • Allow only lawful personal data processing
     • Inform data subjects about processing
     • Data protection by design and by default
     • Keep records of processing activities
     • Ensure security of processing
     • Notify data subject on defined occasions
     • Contract between controller and processor
  8. New rights for subjects (articles 12-22)
     • Transparency
     • Right of access by the data subject
     • Right of rectification
     • Right to erasure (to be forgotten)
     • Right to restriction of processing
     • Right of data portability
     • Right to object
     • Automated individual decision making incl. profiling
  9. GDPR vs. Privacy Shield
  10. Privacy Shield
     • Successor of Safe Harbor, an agreement between the EU and the USA since August 2016
     • US companies can do a self-assessment and register at the Federal Trade Commission
     • EU-approved “codex” which allows US companies to process data of EU citizens according to EU implementing decision 2016/1250
  11. If you are Privacy Shield compliant
     • Then you are a safe destination for EU personal data
     • But you still have to comply with the rest of the requirements for … and processors
     • “Privacy Shield is a jumpstart to GDPR”
  12. Running IBM Connections under GDPR – new duties
  13. ESN vs Privacy
     • Not the best setup ever :)
     • What personal data do you process?
     • Profiles
     • The rest (user generated data) is equal to any shared drive
     • Which lawful reasons do you refer to?
     • Minimize personal data processing (!!)
  14. Identify what personal data you collect
     • Check attributes in Profiles
     • Coming from LDAP via VMM
     • Self entered by users
     • Automatic profiling: Social Network Graph
     • Add “technical” data
     • From IHS logs (IP addresses, mobile OS, …)
     • From WAS logs
  15. Identify reasons for lawfulness of processing
     1. Legitimate interest of the controller
     2. Consent of the data subject
     • Onboarding manager (logon page)
     • Create records of processing activities
  16. Identify processors or other recipients
     • Your IT suppliers (IBM business partner)
     • IBM support (for PMRs)
     • Your daughter/sister/mother companies
     • Work with your lawyers or DPO
     • Update your contracts according to Article 28
  17. Inform subjects
     • Display required info somewhere
     • Log-on screen
     • Page header/footer
  18. Security of Processing
  19. What does it mean?
  20. Secure the infrastructure
     • OS (passwords, firewall, updates, etc.)
     • WAS (encryption everywhere, roles, certs)
     • IC (role mappings, reverse proxy, APIs)
     • IHS (https configuration)
     • TDI (LDAP connection)
     • The pink stuff
  21. Backup & restore
     • You do backups, right?
     • Now you must have a DRP and regularly test it
  22. Security audits
     • You are required to check your “secure processing” regularly
  23. Problematic areas
     • Encryption of files on IC server (data at rest) is not possible
     • Consider also NFS sharing between IC, Docs, Search, Viewer
     • My drive – replication of files to desktops is not manageable
     • No insight into who replicates what content to which computers
  24. Coping with the rights of subjects
  25. Transparency
     • Usually no problem in B2E
  26. Right of access
     • Users can easily access all their data in IBM Connections (people centric system)
  27. Right to rectification
     • Potential issues in data pulled from enterprise databases via TDI
     • Not our problem :)
  28. Right to erasure - to be forgotten
     • We can delete/deactivate/rename users easily
     • @mentions can cause trouble
     • Check your IP arrangements with employees or other kinds of users
  29. Right to restrict processing
     • This may be a potential issue in how the organization uses and leverages content including personal data
     • Check your Connections T&C for users carefully
  30. Right to data portability
     • Often referred to as “data takeout”
     • Does it make sense for ESN?
     • Export all personal data in a “common” format
  31. Right to object
     • Not specifically related to any tool or technology
  32. Audit tools (for Connections on premises)
  33. Why we need them
     • Controllers (and processors) are required to keep records of processing activities and to be able to prove secure processing
     • Also provide useful insight in GDPR-unrelated situations
     • Demanded by our customer
  34. What is available
     • Almost nothing
     • Vantage for IBM Connections by Actiance (discontinued?)
     • Customizable WAS logs + IHS logs
     • WAS auditing
     • IC databases
  35. Related tools
     • panagenda Connections Expert (CE) + DataMiner
     • Infoware DPS and GDPR scanner?
  36. Connections Audit Tools
     • We decided to build our own tool
     • It reads data from DB2 database
     • Provides information up to 12 months old
     • Supports Connections V5 - V6
  37. Audit questions: What is the overall system activity?
  38. Audit questions: What did a user do recently in Connections?
  40. Audit questions: Who accessed a given piece of content?
  41. Audit questions: Is there any specific content?
  42. Thank You! Jan Valdman, jan.valdman@whitesoft.eu, +420 603 590 152. Contact me if you want to learn more about WhiteCAT. Many thanks to people who helped me to discuss and validate my findings and ideas.
