Considerations for GDPR

Notice:

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

GDPR Overview

What is GDPR?

GDPR stands for General Data Protection Regulation.

GDPR has been adopted by the European Union and will apply from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for companies and organizations handling personal data
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

This document is intended to help you in your preparations for GDPR readiness.

Read more about GDPR

Product Configuration for GDPR

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure and also through unauthorized access or via theft of computer equipment or storage media. The exact requirements will depend on the nature of the information that will be sent to Event Processing. Areas for consideration to address these aspects of the GDPR legislation include:

Data Life Cycle

Event Processing transforms streams of data received through Apache Kafka® topics. As a result, Event Processing can be used for processing any data, some of which could potentially be subject to GDPR.

What types of data flow through Event Processing?

There is no one definitive answer to this question because use cases vary through application deployment.

Where is data stored?

See the Data Storage section for details about how information is stored by Event Processing. This information can include data that is governed by GDPR.

Personal data used for online contact with IBM

Event Processing clients can submit online comments/feedback requests to contact IBM about Event Processing in a variety of ways, primarily:

  • Public issue reporting and feature suggestions via Event Processing Git Hub portal
  • Private issue reporting via IBM Support

Typically, only the client name and email address are used to enable personal replies for the subject of the contact. The use of personal data conforms to the IBM Online Privacy Statement.

Data Collection

Event Processing can be used to collect personal data. When assessing your use of Event Processing and the demands of GDPR, you should consider the types of personal data which in your circumstances are passing through the system. You may wish to consider aspects such as:

  • What data is being passed to Event Processing?
  • What type of storage has been configured within the Event Processing? Has encryption been enabled? For more information, see Data Storage.
  • How does data flow between nodes in the Event Processing deployment? Has the internal network traffic been encrypted? For more information, see Data Processing.

Data Storage

Event Processing stores data on stateful media within the cluster. The data stored by Event Processing pods is encrypted by default.

Data sent to IBM Operator for Apache Flink through Apache Kafka® is stored by Flink. In production deployments, persistent storage is used. For encrypting the persistent storage used by Flink, see the documentation for your storage provider, for example, Red Hat Ceph Storage - Encryption and Key Management.

Data Access

For information about controlling access to data stored in Event Processing, see managing access.

Cluster-level configuration and resources are accessible through the OpenShift Container Platform web console and by using the kubectl CLI.

Access and authorization controls can be used to control which users are able to access this cluster-level information.

Data Processing

Encryption of connection to Event Processing

Connections to Event Processing are secured using TLS. If you want to use your own CA certificates instead of those generated by the operator, you can provide them in the EventProcessing custom resource settings.

Encryption of connections within Event Processing

Internal communication between Event Processing pods is encrypted by default using TLS.