Considerations for GDPR

Notice:

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

GDPR Overview

What is GDPR?

GDPR stands for General Data Protection Regulation.

GDPR has been adopted by the European Union and will apply from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for companies and organizations handling personal data
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

This document is intended to help you in your preparations for GDPR readiness.

Read more about GDPR

Product Configuration for GDPR

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure and also through unauthorized access or via theft of computer equipment or storage media. The exact requirements will depend on the nature of the information that will be sent to Event Processing. Areas for consideration to address these aspects of the GDPR legislation include:

  • Physical access to the assets where the product is installed.
  • Encryption of data both at rest (see data storage) and in flight (see data processing).
  • Managing access to your Event Endpoint Management instance.

Data Life Cycle

Event Endpoint Management socializes streams of data received through Apache Kafka® topics.

Event Endpoint Management consists of two components:

  • Event Manager - The Event Manager requires information about the Kafka cluster (such as location, username, and password) and the metadata of the Kafka cluster (such as schemas, descriptions). With Event Manager, you can also provide subscription to other users who wants to access your topics. Contact information of other users who access the Kafka clusters are viewed by the cluster administrator.

  • Event Gateway - With Event Gateway, you can access the information that is described in the Event Manager.

As a result, Event Endpoint Management can be used for socializing any data, some of which could potentially be subject to GDPR.

What types of data flow through Event Endpoint Management?

There is no one definitive answer to this question because use cases vary through application deployment.

Where is data stored?

See the data Storage section for details about how information is stored by Event Endpoint Management. This information can include data that is governed by GDPR.

Personal data used for online contact with IBM

Event Endpoint Management clients can submit online comments/feedback requests to contact IBM about Event Endpoint Management in a variety of ways, primarily:

  • Private issue reporting via IBM Support

Typically, only the client name and email address are used to enable personal replies for the subject of the contact. The use of personal data conforms to the IBM Online Privacy Statement.

Data Collection

Event Endpoint Management can be used to collect personal data. When assessing your use of Event Endpoint Management and the demands of GDPR, you should consider the types of personal data which in your circumstances are passing through the system. You may wish to consider aspects such as:

  • What data is being passed to Event Endpoint Management?
  • What type of storage has been configured within the Event Endpoint Management? Has encryption been enabled? For more information, see data storage.
  • Has the internal network traffic been encrypted? For more information, see data processing.
  • Can you limit what personal information is accessible within Event Endpoint Management by consumers of your topics? For more information, see redaction control.

Data Storage

Event Endpoint Management stores data on stateful media within the cluster. The data stored by Event Endpoint Management pods is encrypted by default.

In production deployments, persistent storage is used. For encrypting the persistent storage used by Event Endpoint Management, see the documentation for your storage provider, for example, Red Hat Ceph Storage - Encryption and Key Management.

Data Access

For information about controlling access to data stored in Event Endpoint Management, see managing access.

Cluster-level configuration and resources are accessible through the OpenShift Container Platform web console and by using the kubectl CLI.

Access and authorization controls can be used to control which users are able to access this cluster-level information.

Data Processing

Encryption of connection to Event Endpoint Management

Connections to Event Endpoint Management are secured using TLS. If you want to use your own CA certificates instead of those generated by the operator, you can provide them in the EventEndpointManagement custom resource settings.

Encryption of connections within Event Endpoint Management

Internal communication between Event Endpoint Management pods is encrypted by default using TLS.