GDPR and the Remedy technology
The Remedy product provides capabilities that help administrators address the personal data protection and privacy requirements associated with the General Data Protection Regulation (GDPR). The GDPR is a set of rules and principles governing the handling of personal data of individuals located in the European Union (EU).
This BMC document provides general information about the General Data Protection Regulation (GDPR) and GDPR key requirements. It is not intended to provide any legal advice. The GDPR can be found at https://ec.europa.eu/info/law/law-topic/data-protection_en. Under this new Regulation, any organization handling personal data of European Union residents, regardless of its location, needs to understand which GDPR requirements apply to its organization and accordingly devise a plan for adjusting its systems and processes and for educating its people. Although BMC is not in the business of data privacy compliance software, some of the features of the Remedy solution can help customers meet some requirements of the GDPR. For more information about how BMC solutions can help achieve the requirements of GDPR, see https://www.bmc.com/it-solutions/gdpr-compliance.html.
Digital business has led to a more complex enterprise IT infrastructure that includes physical, virtual, and cloud infrastructure encompassing mobile, distributed, and mainframe computing resources. To address the requirements of the GDPR, IT needs the ability to manage the visibility, integrity, security, and recovery of personal data across their on-premises, private cloud, and multiple public cloud environments. The GDPR also mandates that organizations have a provable process in place to ensure data integrity and that they implement the appropriate technical and organizational measures to support this mandate.
Key requirements for managing personal data
Data by which an individual can be personally identified is referred to as personal data. The GDPR gives individuals control over and ownership of their personal data. The GDPR applies to the processing of personal data of individuals in the EU, regardless of whether the processing takes place in the EU. The key requirements of the GDPR are summarized in the sections that follow; for more details, see https://www.eugdpr.org/.
If you are an administrator and responsible for addressing data privacy requests, see Addressing data privacy requests.
Personal data in Remedy components
Personal data includes name, phone number, email address, government ID numbers, locations, credit card numbers, IP addresses, and similar information that can identify an individual personally. This information comes from the user directly, from a database, or is imported from other external sources. Because the following Remedy components might have personal data, the GDPR requirements need to be considered:
- Remedy Action Request System
- Remedy IT Service Management Suite
- BMC HR Case Management
- BMC CMDB
- Remedy Single Sign-On
- Remedy with Smart IT
- BMC Digital Workplace
- Remedy Smart Reporting
Capabilities of Remedy for handling personal data
Remedy capabilities can help achieve some of the GDPR requirements, including those explained below:
Data protection: You can use access control, encryption options, and configuration settings to protect personal data. These options ensure that personal data is properly encrypted and cannot be viewed by unauthorized users. For more details, see Remedy features and settings for protecting personal data.
Consent: Consent is about whether an individual knows that personal data is being stored and processed. For more details, see Best practices for obtaining consent to storing personal data.
Right to access: A user can request a report of the personal data held within the organization that is connected to that user. For more details, see How the Personal Data Privacy utility helps address data privacy requests.
Right to be forgotten: A user can request removal of the personal data stored in the organization that is connected to that user. In this case, the personal data of that user can be anonymized instead of being deleted. For more details, see How the Personal Data Privacy utility helps address data privacy requests.
Right to data portability: Before the personal data is anonymized, a user can request that their data be exported into a portable, standard format such as CSV. For more details, see How the Personal Data Privacy utility helps address data privacy requests.
If you create or customize a form, consider the key data privacy requirements of the GDPR.
Remedy features and settings for protecting personal data
Access Control and permissions
Using the access control features of Remedy, you can assign Permission Groups, Support Group Associations, and Support Group Functional Roles (permissions) either by using templates or on an individual basis. For more details, see Defining people, permissions, and support groups.
For a secure deployment, an organization's security needs must be considered. These requirements might be internal, such as policies, or external, such as government-mandated regulations. Use the field level encryption option to achieve the following:
- Encrypt data for a particular field in the database.
- Assist with the data protection requirements imposed by the GDPR.
For more information, see Field Properties.
To protect personal data in transit between the browser and the mid tier, the mid tier must be configured to use HTTPS. For the required settings, see Mid-tier configured to use https.
Additional configuration settings
Consider the following configuration settings to enhance the ability to support the data privacy requirements. If the data in the environment is such that these options are not required, you can omit them. However, using these optional settings can help achieve the data privacy requirements:
- Unicode: Configuring the servers to use the Unicode character set minimizes the issues of language compatibility. If you do not use Unicode, someone might enter data in other languages using characters that do not translate properly. In this case, the data cannot be searched.
- Enhanced encryption options: There are enhanced encryption options for data in transit that you can further configure.
- Disallow blank passwords: For additional security, use this option to prevent the use of blank passwords for login.
- User management features: For data in forms like the User Form, you can use the User management features of the system to define the maximum number of incorrect password attempts, define password change intervals, define password strength rules, and so on.
- Disallow guest users: Unless a system requires the ability for unknown users to log in to the system, configure the system to not allow guest or unknown users.
Best practices for obtaining consent to storing personal data
Technology alone does not make an organization compliant with the data privacy regulations. Using a combination of people, processes, and technology is the right approach to help an organization achieve data privacy compliance. That approach includes processes to obtain consent for storing and processing personal data.
- When users log a request for the first time, consent is obtained to store their name, phone number, email address, and so on.
- Implied consent is obtained from employees of an organization for a business function.
- In a service provider scenario where data comes from external organizations, consent can be obtained as part of the service agreement.
- When creating a custom application that gathers personal data, an explicit consent operation can be built into the application.
- Consent Management applications can be used to manage consent at different levels.
How the Personal Data Privacy utility helps address data privacy requests
The Personal Data Privacy utility in Remedy is used for searching, reporting on, or anonymizing personal data.
This utility helps in addressing data privacy requests for the following products:
- Remedy Action Request System
- Remedy with Smart IT
- Remedy Smart Reporting
The following figure and descriptions explain the forms that are available in the Personal Data Privacy utility for Remedy Action Request System to perform the personal data privacy operations:
[Figure: forms of the Personal Data Privacy utility for Remedy Action Request System; image not preserved on this page]
- Request form: This form allows the Data Protection Officer or Remedy Administrator to fill in the information of an individual who has requested a data privacy operation. The form includes the fields JOB ID, Requester, Contact Info, Status, Job Name, and Lock Personal Data. You can use the Lock Personal Data option to prevent simultaneous access to the data connected with the requester.
- Operation form: This form is used to record the specific operation that the individual has requested to be performed on their personal data. The operations are AR Search, AR Extract, AR Forget, and AR Delete. Before performing the AR Extract, AR Forget, or AR Delete operation, you must perform the AR Search operation.
- Results form: This form displays the search results of an operation.
- Personal Data form: This form is used to enter details of the data that can identify the requester. It allows the Data Protection Officer or Remedy Administrator to include the list of all the fields that can identify that individual. For example, an address might be stored in multiple fields. In this case, each of those fields must be added to the Personal Data form.
- Exclusion List form: This form is used to specify the names of forms or form fields in which personal data must not be searched. For example, to prevent searching personal data in the Audit form, you must add the Audit form to the Exclusion List.
- Search scope form: This form is used to specify the names of forms or form fields in which personal data can be searched.
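A constructed model of the search, extract, and forget workflow described above (an added example, not BMC's code; the form names, field names, sample records, and function names are invented). It shows why an identifier spread across several fields must be listed field by field, why the Exclusion List is honoured during both search and anonymization, and why the anonymized value should be an unlinkable token rather than a hash of the original:

```python
import csv
import io
import secrets

# Constructed sample records keyed by form name (not real Remedy data).
FORMS = {
    "HPD:Help Desk": [
        {"Request ID": "INC1", "Email": "jane.doe@example.com",
         "Street": "1 Main St", "City": "Bonn", "Summary": "Printer broken"},
        {"Request ID": "INC2", "Email": "bob@example.com", "Street": "2 Oak Ave"},
    ],
    "CTM:People": [{"Person ID": "PPL1", "Email": "jane.doe@example.com",
                    "Street": "1 Main St", "City": "Bonn"}],
    "Audit": [{"Entry": "1", "Email": "jane.doe@example.com", "Action": "login"}],
}
# Personal Data form: every value that identifies the requester. An address
# held in several fields must be listed field by field, or parts survive.
IDENTIFIERS = {"jane.doe@example.com", "1 Main St"}
# Exclusion List: forms that must never be searched or altered.
EXCLUSION_LIST = {"Audit"}

def ar_search(forms, identifiers, exclusion_list):
    """Locate every record outside the Exclusion List holding an identifier."""
    return [(name, i) for name, rows in forms.items() if name not in exclusion_list
            for i, row in enumerate(rows) if identifiers & set(row.values())]

def ar_extract(forms, hits):
    """Data portability: export the matched records as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Form", "Field", "Value"])
    for name, i in hits:
        for field, value in forms[name][i].items():
            writer.writerow([name, field, value])
    return out.getvalue()

def ar_forget(forms, hits, identifiers):
    """Right to be forgotten: anonymize in place; return the count of fields changed."""
    # A random token, not a hash of the value: a hash of an email address can be
    # re-identified by hashing likely inputs, so it would only pseudonymize.
    token = "ANON-" + secrets.token_hex(6)
    changed = 0
    for name, i in hits:
        for field, value in forms[name][i].items():
            if value in identifiers:
                forms[name][i][field] = token
                changed += 1
    return changed
```

Non-identifying fields such as the ticket summary are kept, so reporting on ticket history still works after the requester can no longer be identified.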
Exceptions for handling personal data in Remedy integrations
When data is owned by other products or tools and is not copied into the Remedy environment, those other products or tools need to address data processing and privacy. For the following data, customers are responsible for working with the other products or tools to search, anonymize, or extract personal data:
- Data accessed through View forms
- Data accessed through Vendor forms
- Data in an AREA authentication source
- Data in an RSSO authentication source
- Data accessed by CMDB pull federation
- Data accessed by CMDB launch in context federation
- Data in a Digital Workplace Advanced catalog