IBM Collaboration Solutions Readiness for GDPR IBM Corporation

Transcription

1 IBM Collaboration Solutions Readiness for GDPR

2 Disclaimer Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole discretion. regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. 4

3 An Introduction to GDPR

4 $7.8B is how much Global 500 companies will spend on GDPR compliance Financial Times, Companies face high cost to meet new EU data protection rules 6 6

5 GDPR enforcement begins on May 25, 2018 What is the purpose of this new regulation? Unify data protection across the 28 EU Member States Enhance the level of personal data protection for EU data subjects Simplify the regulatory environment for international business Modernize regulations in line with existing and emerging technologies It s likely that GDPR will fundamentally change the way organizations manage their people, policies, processes and technologies 7

6 Six key things you need to know about the GDPR 1 GLOBAL IMPACT Any organization anywhere that handles personal data of EU data subjects 2 DATA SUBJECT RIGHTS Significant enhancements put control into the hands of data subjects 3 UP TO 4% OF GLOBAL ANNUAL TURNOVER OR UP TO 20M Potential fines for non-compliance, whichever is greater 4 PRIVACY BY DESIGN Must be embedded by default into new products, systems and services 5 72-HOUR BREACH NOTIFICATION In the event of a data breach, regulators need to be notified in 72 hours 6 TOMs (TECHNICAL AND ORGANIZATIONAL MEASURES) What you have to implement in response to identified risks 8

7 Are you a data controller, a data processor or both? I m a data controller if I collect, use, share, transfer or otherwise manage personal data Example: I m a bank that is responsible for the privacy and security of my customers data My responsibilities include: Mapping data end-to-end so I know where it is, either within or outside of my organization Determining the Technical and Organizational Methods (TOMs) required to keep that data safe, and providing them to any processors I use Auditing my processors to make sure TOMs are followed I m a data processor if I am a third party who in some way handles data on behalf of a controller Example: I process, print and mail monthly statements on behalf of my customer, the bank that controls the data My responsibilities include: Agreeing to a binding contract with the controller Handling data and doing business in accordance with the TOMs provided by the controller Demonstrating compliance with TOMs and GDPR obligations, including security, privacy and breach notification 9

8 GDPR provides an enhanced level of protection for data subjects Higher standards for privacy policies and statements and for obtaining consent Easier access to personal data by a data subject Enhanced right to request the erasure of their personal data Right to transfer personal data to another organization (portability) Right to object to processing now explicitly includes profiling The definition of personal data includes virtually anything that identifies an individual, and now explicitly includes: 1. online identifiers 2. location data 3. biometric/genetic data Which do you collect? 10

9 IBM s Journey to GDPR Readiness

10 IBM s Journey to GDPR Readiness 12

11 Our GDPR Readiness Programme GDPR Programme Management Office IBM as a Data Controller IBM as a Data Processor IBM GDPR Common Services IBM Vendor Management IBM Client & Contract Management GDPR Go-To- Market Mission: Address IBM s obligations for managing internal data. Mission: Ensure compliance and governance for all IBM offerings and services that process personal data. Mission: Deploy enterprise tools and common services to facilitate GDPRrelated policy, system and business process changes. Mission: Align our supply chain to the upstream obligations we make to our clients and to our internal responsibilities. Mission: Help make the client buying process GDPR ready. Mission: Create a unified GDPR solution to help our clients with their GDPR readiness programmes. 13

12 The IBM GDPR Framework Phase Assess Design Transform Operate Conform Activity Conduct GDPR risk and privacy assessments across governance, people, processes, data, security Develop GDPR Readiness Roadmap Identify and map personal data Design governance, training, communication and process standards Design privacy, data management and security management standards Develop and embed procedures, processes and tools Deliver GDPR training Develop and embed standards and policies using Privacy by Design, Security by Design Detailed Data Discovery Execute relevant business processes Monitor security and privacy using TOMs Manage consent and data subject access rights Monitor, assess, audit, report and evaluate adherence to GDPR standards Outcome Assessments and roadmap Defined implementation plan Process enhancements completed Operational framework in place Ongoing monitoring and reporting Identify GDPR impact and plan Technical and Organisational Measures (TOMs) Includes Data Protection controls, processes and solutions to be implemented TOMs in place: Personal Data discovery, classification and governance in place Begin the new GDPR ready way of working Monitor TOMs execution: deliver compliance evidence to internal and external stakeholders 14

13 Assess Projects for Fortune 750 Companies 60+ countries 100 years of collective experience Text or image 15

14 Design Text or image 16

15 Transform Phase 1: Data & Risk Classification High Level Assessment Phase 2: Detailed Assessment & Priority Data Remediation Phase 3: Operationalise GDPR Capabilities Regulatory Response Dashboard Privacy Risk Assessments Data Maps Data Sources Discovery Data Catalogues Detailed Data Discovery Initial Record of Processing Priority Data Remediation Cognitive Analytics Solutions Contract Management Customer Portal Vendor Repository & Workflow Compliance Validation Consent Management Data Subject Access Requests Incident Response Data Remediation 17

16 Operate Text or image 18

17 Conform Text or image Text or image 19

18 IBM Collaboration Solutions

19 Contents IBM Collaboration Solutions and GDPR Readiness Individual Rights to Data for Cloud Offerings IBM Cloud Services Contractual Framework IBM Collaboration Solutions Services Description Updates 21

20 IBM Collaboration Solutions and GDPR Readiness IBM is committed to GDPR readiness across IBM Collaboration Solutions by May 25 th Each IBM Collaboration Solution cloud offering has been assessed and is being updated to support GDPR Readiness by following the IBM GDPR Readiness Framework. Those offerings will : provide the ability to search for personal data provide the ability to correct an error in personal information provide a method to delete or anonymize personal information provide a method to export personal information In addition, our contractual commitments are being updated to support GDPR readiness 22

21 Responsibilities as Data Controller and Data Processor - Examples Offering Name Cloud Offerings Data Controller (collects, uses, shares, transfers or otherwise manages personal data ) Data Processor (third party who in some way handles data on behalf of a controller) IBM Watson Workspace Customer IBM Box Relay Customer IBM IBM Connections Social Customer IBM IBM Connections Engagement Center Customer IBM) IBM Verse/SmartCloud Notes Customer IBM IBM Connections Cloud Chat Customer IBM IBM Connections Cloud Meetings Customer IBM Trial/Preview Offerings in Cloud IBM Watson Workspace Preview IBM IBM IBM Connections Cloud S1 Trial IBM IBM IBM Connections Social Trial IBM IBM On-Premise Offerings IBM Notes/Domino/Verse On-Premise Customer Customer IBM Connections Customer Customer IBM Sametime Customer Customer 23

22 Individual Rights to Data Target for May 25 th 2018 Offering Name Search for Personal Correct Personal Delete/Anonymize Personal Export Personal IBM Watson Workspace Box Relay IBM Connections Social IBM Connections Engagement Center IBM Verse/SmartCloud Notes IBM Notes/Domino/Verse On-Premise IBM Connections Cloud Chat IBM Connections Cloud Meetings 24

23 Individual Rights to Data IBM Watson Workspace Approach Delivery Mechanism Search for Personal Correct Personal Delete/Anonymize Personal Export Personal 1. Searching for PI used and collected as part of Watson Workspace is IBM responsibility 2. Searching for PI in conversations and files is the responsibility of the business owner 1. Correcting PI used and collected as part of Watson Workspace is IBM responsibility 2. Correcting PI in conversations and files is the responsibility of the business owner 1. Deleting PI used and collected as part of Watson Workspace is IBM responsibility 2. Deleting PI in conversations and files is the responsibility of the business owner 1. Exporting PI used and collected as part of Watson Workspace is IBM responsibility 2. Exporting PI in conversations and files is the responsibility of the business owner 1. Ticket opened with support which is handled manually by Watson Work 2. New search functionality in Watson Workspace and Work Services 1. Ticket opened with support which is handled manually by Watson Work 2. New search & edit functionality in Watson Workspace and Work Services 1. Ticket opened with support which is handled manually by Watson Work 2. New search & delete functionality in Watson Workspace and Work Services 1. Ticket opened with support which is handled manually by Watson Work 2. New search & export functionality in Watson Workspace and Work Services 25

24 Individual Rights to Data Box Relay Approach Delivery Mechanism Search for Personal Correct Personal Delete/Anonymize Personal Export Personal Searching for Personal used and collected as part of Box Relay Searching for Personal in workflow contents of Box Relay Correcting Personal used and collected as part of Box Relay Correcting Personal in workflow contents of Box Relay Deleting Personal used and collected as part of Box Relay Deleting Personal in workflow contents of Box Relay Exporting Personal used and collected as part of Box Relay Exporting Personal in workflow contents of Box Relay Available via ticket opened with support Available via new search functionality in Box Relay Available via ticket opened with support Available via new search & edit functionality in Box Relay Available via ticket opened with support Available via new search & delete functionality in Box Relay * Available via ticket opened with support Available via new search & export functionality in Box Relay 26

25 Individual Rights to Data IBM Connections Social, IBM Engagement Center Approach Delivery Mechanism Search for Personal Correct Personal Delete/Anonymize Personal Export Personal To allow users to find places where their name might be associated - the user can do a search (my content). IBM is also implementing a role called Connections Auditor (already available in private cloud) which will allow a 'functional user' to search through the system to find any content regardless of access. This user can search the content, but cannot otherwise interact with the content if they do not have access. Personal can be updated to correct or anonymize via a change to the users profile record. When the profile record is changed, that change will be applied to all the user information stored. Content can be deleted by the initial creator of the content or an organizational administrator. To selectively change the author of content, the customer would need to export via API and recreate as another user. The user or an administrator can print and/or Safe as PDF on any Connections content Available via existing Feature AND new role to be created within IBM Connections Update user record : self-service Edit/delete content: self-service Update authorship of content on cloud: orgadministration task to entirely anonymize the user Self-service 27

26 Individual Rights to Data IBM Verse/SmartCloud Notes Approach Delivery Mechanism Search for Personal Correct Personal Delete/Anonymize Personal A mechanism exists for an Administrator to set access controls on a user s mail file that will allow an Administrator or delegate, to view and search all user s mail files where the ACL is set to allow access. The admin then is able to search a specific users mail file using the notes client User Interface for Search. Alternatively Verse can also be used to search User Account.. If the proper access and edit rights have been assigned to a user for a specific mail file, they can delete, change or anonymize the exiting information using Notes Client on an individual . If the proper access and edit rights have been assigned to a user for a specific mail file, they can delete, change or anonymize the exiting information using Notes Client on an individual . Available via existing Capability Available via existing Capability Available via existing Capability Export Personal If the proper access and edit rights have been assigned to a user for a specific mail file, they can export s and documents. Available via existing Capability 28

27 Individual Rights to Data IBM Notes/Domino/Verse On-Premise Approach Delivery Mechanism Search for Personal Correct Personal Delete/Anonymize Personal A mechanism exists for an Administrator to set access controls on a user s mail file that will allow an Administrator or delegate, to view and search all user s mail files where the ACL is set to allow access. The admin then is able to search a specific users mail file using the notes client User Interface for Search. Alternatively Verse can also be used to search User Account.. If the proper access and edit rights have been assigned to a user for a specific mail file, they can delete, change or anonymize the exiting information using Notes Client on an individual . If the proper access and edit rights have been assigned to a user for a specific mail file, they can delete, change or anonymize the exiting information using Notes Client on an individual . Available via existing Capability Available via existing Capability Available via existing Capability Export Personal If the proper access and edit rights have been assigned to a user for a specific mail file, they can export s and documents. Available via existing Capability 29

28 Individual Rights to Data IBM Connections Cloud Meetings Approach Delivery Mechanism Search for Personal Correct Personal Delete/Anonymize Personal Export Personal 1. Searching for PI used and collected as part of IBM Cloud Meetings is IBM responsibility 2. Searching for PI in a user s Cloud meeting room data, meeting recordings or files shared in meetings is the responsibility of the business owner 1. Correcting PI used and collected as part of IBM Cloud Meetings is IBM responsibility 2. Correcting PI in meeting recordings and files shared in Meetings is the responsibility of the business owner 1. Deleting PI used and collected as part of IBM Meetings is IBM responsibility 2. Deleting PI in meeting recordings and files shared in Meetings is the responsibility of the business owner 1. Exporting PI used and collected as part of IBM Meetings is IBM responsibility 2. Exporting PI in meeting recordings and files shared in meetings is the responsibility of the business owner 1. Searching for PI in a user s Cloud account is an existing capability for the Org Admin 2. Searching for PI in log files or the meetings database would require opening a support ticket and be handled manually by the Ops team 1. Correcting PI in a user s Cloud account is an existing capability for the Org Admin 2. Correcting PI in log files or the meetings database would require opening a support ticket and be handled manually by the Ops team 1. Deleting PI in a user s Cloud account is an existing capability for the Org Admin 2. Personal information that is collected in Connections Cloud Meeting log files and meeting actions stored in the database will recycle so information will be automatically removed 3. Deleting PI in log files or the meetings database prior to the automatic deletion would require opening a support ticket and be handled manually by the Ops team 1. Exporting PI in a user s Cloud account is an existing capability for the Org Admin 2. Exporting PI in log files or the meetings database would require opening a support ticket and be handled manually by the Ops team 30

29 Individual Rights to Data IBM Connections Cloud Chat Approach Delivery Mechanism Search for Personal Correct Personal Delete/Anonymize Personal Export Personal 1. Searching for PI used and collected as part of IBM Cloud Chat is IBM responsibility 2. Searching for PI in conversations and files shared in Chat is the responsibility of the business owner as IBM service does not retain. 1. Correcting PI used and collected as part of IBM Cloud Chat is IBM responsibility 2. Correcting PI in conversations and files shared in Chat is the responsibility of the business owner as IBM service does not retain. 1. Deleting PI used and collected as part of IBM Chat is IBM responsibility 2. Deleting PI in conversations and files shared in Chat is the responsibility of the business owner as IBM service does not retain. 1. Exporting PI used and collected as part of IBM Chat is IBM responsibility 2. Exporting PI in conversations and files shared in chat is the responsibility of the business owner 1. The only personal information that is collected in Connections Cloud Chat is in log files and related to contact lists. Log files roll over. 2. Search for PI in a log file or contact list would require opening a support ticket and be handled manually by the Ops team 1. Personal information for a Chat user can be updated or corrected by the user or by an Org admin in the users profile. This is existing functionality in Connections Cloud 2. Correcting information in another users contact lists would require a PMR to have Ops update a DB 1. Personal information in the user s profile can be deleted or modified 2. Personal information related to contact lists would require opening a support ticket and be handled manually by the Ops team. 3. The only other personal information that is collected in Connections Cloud Chat is in log files which recycle so information will automatically be removed. 1. Export of PI in a log file or Contact list would require opening a support ticket and be handled manually by the Ops team. 31

30 IBM Connections Cloud Software as a Service Contractual Approach 1 2 Data Security & Privacy Principles (DSP) 4 Data Processing Addendum (DPA) Existing New Updates 6 Customer Notifications DPA Exhibits (Data Sheets) 3 5 Customer Contract Portal (2Q18) Base Terms (IBM Client Relationship Agreement, IBM Cloud Services Agreement, IBM Passport Advantage Agreement ) Updated Service Descriptions** 32

31 IBM Connections Cloud Service Description Section 3 updated with terms for Content and Data Protection : Content and Data Protection The Data Processing and Protection Data Sheet (Data Sheet) provides information specific to the Cloud Service regarding the type of Content enabled to be processed, the processing activities involved, the data protection features, and specifics on retention and return of Content. Any details or clarifications and terms, including Client responsibilities, around use of the Cloud Service and data protection features, if any, are set forth in this section. There may be more than one Data Sheet applicable to Client s use of the Cloud Service based upon options selected by Client. IBM will update Data Sheets as required when changes are made to the Cloud Service. The Data Sheet may only be available in English and not available in local language. Despite any practices of local law or custom, the parties agree that they understand English and it is an appropriate language regarding acquisition and use of the Cloud Services. The following Data Sheet(s), as may be modified by IBM, apply to the Cloud Service and its available options. Please access Service Description online for most current version : 33

32 Links to Additional General IBM s GDPR Readiness Journey Contracts and Agreements Cloud Service Agreement IBM Passport Advantage Agreement Client Relationship Agreement Data Processing Addendum IBM Connections Cloud Service Description IBM Online Privacy Statement 34

33 35