GDPR and IBM i: The Final Countdown

    May 2, 2018 Alex Woodie

    IBM i shops have just 24 days until the General Data Protection Regulation (GDPR) goes into effect. If you haven’t started your GDPR project yet, it’s likely too late to complete it by May 25. But a good faith start to a GDPR remediation effort could benefit you in the eyes of regulators, should you happen to cross their path. Here’s what IBM i shops need to know as the countdown to GDPR-ageddon continues.

    GDPR is a far-reaching law that governs how companies and other organizations are allowed to collect, process, and store data about European Union citizens, no matter where the citizens or entities exist in the world. For American firms, it basically puts an end to the “anything goes” style of data management, while for European firms, it’s a refinement and re-alignment of existing laws. Organizations caught violating the GDPR face fines upwards of 4 percent of annual revenues per incident. However, experts say the European Commission is expected to pick on American Web giants first, so small and midsize IBM i shops who do business with EU citizens have some time to clean up their data act.

    You can read the entire GDPR regulation at gdpr-info.eu. With 173 recitals across 99 articles, it’s a long read (even for those used to reading TPM), so for brevity’s sake, we’ve sought the advice of experts who can interpret the laws for us.

    “The purpose of the regulations is not to make it more difficult for businesses to sell, market, or perform any of their normal business functions,” writes Nabeena Mali in a blog on the AppInstitute. “Instead, it is designed to give individuals greater control over who collects and processes their personal data, what it is used for, and how it is kept safe.”

    The law differentiates between two types of organizations: controllers and processors. Controllers are any organizations that determine how personal data is processed. They’re responsible for collecting consent, controlling access to data, and managing requests from citizens. Processors, on the other hand, are any organizations that process personal data on behalf of the controller.

    GDPR also differentiates between personal data and sensitive personal data, according to Mali. Personal data is any information which makes it possible to identify an individual, either directly or indirectly. Examples of personal data include names, identification numbers, location data, and online identifiers.

    Sensitive personal data, on the other hand, covers an expanded scope of specific factors, Mali says, including elements of an individual’s physical appearance, physiology, genetics, mental health, and economic, cultural, or social identity. “The collection and processing of sensitive personal data is not allowed, except under very specific circumstances, with additional requirements in terms of data safety,” she writes.

    EU citizens must grant specific consent for companies to store their personal or sensitive personal data. Common business practices, such as blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions, are no longer valid. Plus, citizens must be able to easily withdraw consent.

    GDPR gives citizens certain rights, according to Mali, including:

    • The right to be informed, which allows citizens to know who is processing their data and how it will be used.
    • The right of access, which allows citizens to request confirmation that data is being collected and also to obtain a copy of all of it.
    • The right to rectification, which gives citizens the ability to fix inaccurate data and to have corrected data sent to any third parties.
    • The right to erasure, which allows citizens to request deletion of data when there’s no longer a legitimate reason to have it.
    • The right to restrict processing, which allows citizens to ask companies to stop processing the data, but not stop storing it.
    • The right to data portability, which gives citizens the right to get copies of data from companies.
    • The right to object, which gives citizens other unnamed reasons to request an end to processing of their data.

    The practical implications of GDPR for IBM i shops – or any company facing compliance, for that matter – are wide and varied. For starters, GDPR mandates that the organization has the capability to protect data. Controllers must have ways to prevent data from being stolen, from being viewed by an unauthorized person, or being used outside of the scope of consent.

    The GDPR also mandates that organizations ensure the privacy and confidentiality of data, which assumes some form of access control and authentication. Organizations are required to keep logs of their GDPR-related activities, which assumes some type of monitoring and auditing system. There must also be documentation of security settings and policy.

    Except for encryption and pseudonymization, the GDPR doesn’t tell organizations what technologies they must use to achieve these ends, according to Becky Hjellming of Syncsort (Vision Solutions). “Every organization is expected to make a reasonable determination of what data protection measures they need to take given the nature of the data they handle,” Hjellming writes in “IBM i Security and GDPR,” a slideshow on SlideShare.

    With that said, the GDPR requirements seem to map fairly well to established IBM i security and auditing tools and techniques. For starters, IBM i shops should be familiar with management of object authorities on their IBM i system. They also must exhibit the capability to control remote access via network protocols, SQL, and other methods, Hjellming writes. And they must have strong authentication via passwords or multi-factor authentication methods, she writes.

    Figure 1: How GDPR requirements map to enterprise security functions. (Source: Enforcive)

    Enforcive, the IBM i security vendor that was recently acquired by Syncsort/Vision, put together a fairly comprehensive guide to GDPR compliance for IBM i shops. In “Supporting GDPR on the IBM i,” the company assembled a table that maps GDPR requirements to specific enterprise security functions (see Figure 1).

    Rocket Software says its lifecycle management software for IBM i can be used to track and govern access rights to data across development, test, and production systems, as put forth in GDPR Article 5. It also says its Rocket Aldon Lifecycle Manager IBM i Edition (LMi) can help with Article 25, which covers data protection by design and by default, as well as Article 32, which governs secure processing.

    Raz-Lee Security recently launched a new tool that can help IBM i shops with compliance. Its Data Discovery for GDPR & PCI tool helps IBM i shops find data that could be covered under the GDPR. We covered this product in this newsletter two weeks ago.

    Townsend Security, which develops database encryption solutions for IBM i and other servers, is also following the GDPR with interest. Patrick Townsend, the company’s founder, recently wrote a blog post discussing the ramifications of the GDPR’s new encryption mandate.

    “Most companies will use encryption to meet GDPR privacy requirements, and will be deploying encryption key management to protect the keys,” Townsend writes. “The hardest part of getting encryption right has to do with creating, protecting, and deploying encryption keys. It is probably the hardest part of getting an encryption strategy right – and there are a lot of ways to get key management wrong.”

    Townsend says encryption technology can actually be used to help comply with the GDPR’s Right to Erasure (sometimes called the Right to be Forgotten, although that’s a bit of a misnomer). According to Townsend, if each EU citizen’s data is protected with a unique encryption key, then that data can effectively be erased by destroying the encryption key.

    “Rather than go through every database table and storage server to delete the data, you could just delete the encryption key,” Townsend writes. “Assuming you have strong encryption keys and industry standard key deletion processes, the deletion of the key is an effective way to zero the protected data without actually modifying the database. Data that is encrypted is unrecoverable if the key is no longer available.”
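The key-destruction approach Townsend describes above, shown as an added, self-contained example (this is not Townsend Security's code, nor anything from the vendors named in the article). It assumes a key store that holds one key per data subject and a table whose rows hold only ciphertext; the cipher itself is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because the Python standard library has no AES, and a production system would use AES-GCM or ChaCha20-Poly1305 from a vetted library with keys held in a key manager or HSM. The point it demonstrates is that after `destroy()` the rows are still present in the table but can no longer be decrypted, while other subjects' rows are unaffected.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class KeyMissing(Exception):
    """Raised when a subject's key has been destroyed (crypto-shredded)."""


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key (encryption or MAC) from a subject key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demonstration construction only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC: returns (nonce, ciphertext, tag)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered rows."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class SubjectKeyStore:
    """One key per data subject (hypothetical stand-in for a key manager). Erasure = key destruction."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytearray] = {}

    def has(self, subject_id: str) -> bool:
        return subject_id in self._keys

    def key_for(self, subject_id: str) -> bytes:
        if subject_id not in self._keys:
            self._keys[subject_id] = bytearray(secrets.token_bytes(32))
        return bytes(self._keys[subject_id])

    def destroy(self, subject_id: str) -> bool:
        """Zeroise and drop the key; returns False if the subject had no key."""
        key = self._keys.pop(subject_id, None)
        if key is None:
            return False
        for i in range(len(key)):
            key[i] = 0  # best-effort zeroisation before the buffer is released
        return True


class PersonalDataStore:
    """Table holding only ciphertext; rows are left in place after erasure."""

    def __init__(self, keys: SubjectKeyStore) -> None:
        self.keys = keys
        self.rows: Dict[Tuple[str, str], Tuple[bytes, bytes, bytes]] = {}

    def put(self, subject_id: str, field: str, value: str) -> None:
        self.rows[(subject_id, field)] = encrypt(self.keys.key_for(subject_id), value.encode())

    def get(self, subject_id: str, field: str) -> str:
        if not self.keys.has(subject_id):
            raise KeyMissing(subject_id)  # checked first so no fresh key is minted on read
        nonce, ciphertext, tag = self.rows[(subject_id, field)]
        return decrypt(self.keys.key_for(subject_id), nonce, ciphertext, tag).decode()

    def row_count(self) -> int:
        return len(self.rows)


def demo() -> dict:
    """Walk through an erasure request for one subject; the sample records are constructed."""
    keys = SubjectKeyStore()
    db = PersonalDataStore(keys)
    db.put("cust-1001", "name", "Alice Example")
    db.put("cust-1001", "email", "alice@example.com")
    db.put("cust-2002", "name", "Bob Example")
    before = db.get("cust-1001", "name")
    keys.destroy("cust-1001")  # the erasure request: no table rows are touched
    try:
        db.get("cust-1001", "name")
        erased = False
    except KeyMissing:
        erased = True
    # A tampered row must also be rejected rather than decrypted to garbage.
    nonce, ciphertext, tag = db.rows[("cust-2002", "name")]
    try:
        decrypt(keys.key_for("cust-2002"), nonce, ciphertext[:-1] + bytes([ciphertext[-1] ^ 1]), tag)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"before": before, "erased": erased, "rows_remaining": db.row_count(),
            "other_subject": db.get("cust-2002", "name"), "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

One design point worth noting: `get()` checks for the key before calling `key_for()`, because a key store that silently mints a fresh key on lookup would hide the fact that the old data is gone, and auditors will want the erasure to be provable. Backups and replicas that hold a copy of the key store need the same destruction step, otherwise the "erased" data is recoverable from them.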

    RELATED STORIES

    GDPR Data Discovery On Tap from Raz-Lee

    GDPR Deadline Looms for IBM i Shops

    On Your IBM i Radar Now: GDPR


    Tags: GDPR, IBM i


    2 thoughts on “GDPR and IBM i: The Final Countdown”

    • Greg W says:
      May 2, 2018 at 1:21 pm

      OK. Great explanation, except to whom does this apply? If the only thing we have on our servers are names and addresses for purposes of shipping, does this apply to that? Names, addresses and telephone numbers are basically common knowledge. Can someone define where this ends?

    • Anon says:
      May 15, 2018 at 3:07 am

      https://gdpr-info.eu/ is not the official EU site to find the GDPR. It is a third party site. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG or http://eur-lex.europa.eu/eli/reg/2016/679/oj bring you to the text on EUR-Lex, published by the Publications Office of the European Union.


TFH Volume: 28 Issue: 33
