Addressing data privacy requests

The BMC Helix Integration Service solution provides capabilities that help administrators address the personal data protection and privacy requirements associated with the General Data Protection Regulation (GDPR). The GDPR is a set of rules and principles governing the handling of personal data of individuals located in the European Union (EU).

Important

This BMC document provides general information about the General Data Protection Regulation (GDPR) and GDPR key requirements. It is not intended to provide any legal advice. The GDPR can be found at https://ec.europa.eu/info/law/law-topic/data-protection_en. Under this regulation, any organization handling personal data of European Union residents, regardless of its location, needs to understand which GDPR requirements apply to its organization and accordingly devise a plan for adjusting its systems and processes and for educating its people. Although BMC is not in the business of data privacy compliance software, some features of the BMC Helix Integration Service solution can help customers meet some requirements of the GDPR. For more information about how BMC solutions can help achieve the requirements of the GDPR, see https://www.bmc.com/it-solutions/gdpr-compliance.html.

BMC and GDPR compliance Open link

Personal data in BMC Helix Integration Service

According to the GDPR, personal data includes any information that can identify an individual directly or indirectly. For example, the following data can be considered personal data: name, phone number, email address, IP address, government ID number, credit card numbers, and so on.

BMC Helix Integration Service stores personal data in databases and related files for an unlimited time period (until the data is deleted, modified, or anonymized).

Using the BMC Helix Integration Service Personal Data Privacy Utility

The data protection officer or the administrator can use the BMC Helix Integration Service Personal Data Privacy (PDP) Utility to respond to the data privacy requests and inquiries from individuals. Use the Personal Data Privacy (PDP) Utility to perform the following GDPR compliance activities:

Find personal data for an individual
Anonymize personal data for an individual

Important

To use the BMC Helix Integration Service Personal Data Privacy (PDP) Utility, you must have the administrator role.

Before you begin

Obtain the following information from the requester:
- User name
- Email address
- First name
- Last name
- Phone number
  Important
  The utility searches for a match between the data that the requester provides and the data that is stored in the BMC Helix Integration Service databases.
  - If an individual's personal data is stored in BMC Helix Integration Service, the matching data is returned in the response.
  - If an individual's personal data is not stored in BMC Helix Integration Service, no data is returned in the response. (The response is blank.)
Extract the pdp-util.zip file, and go to the command line in the directory where the extracted file is located.

To find personal data

Run the following script:
```
node pdp_util.js scan
```
In the console, follow the prompts to provide the following information:
- BMC Helix Integration Service tenant URL
- Administrator login
- Administrator password
- Requester data (user name, email address, first name, last name, and phone number)

If the utility finds matching personal data, you receive a response in the following format:

Records found with specified personal data:

Users:
Username = user username, Email = user email, First Name = user firstName, Last Name = user lastName, Phone = user phone

Accounts: 
Connector = app name, Username = profile username

Flows:
Title = flow title, Description = flow description

Comments:
User = comment user, Text = comment value

Conditions:
Field = field name, Value = field value

Mappings:
Field = target field name, Value = mapped matching text values

Configurations:
Connector = app name, Name = appConfig name, Description = appConfig description

Use the response text to create a file that you can send to the requester regarding their personal data storage.

To anonymize personal data

Warning

Do not anonymize active users. The action of anonymization is not reversible. If you remove an email by using the PDP Utility, the email owner will not be able to access and use the application.

If multiple users use the same email, and the email is anonymized, all instances of the email are removed for all users who share the email.

Run the following script:
```
node pdp_util.js remove
```
In the console, follow the prompts to provide the following information:
- BMC Helix Integration Service tenant URL
- Administrator login
- Administrator password
- Requester data (user name, email address, first name, last name, and phone number)
If anonymization is successful, you receive a blank response:
```
{  

}
```

After anonymization is completed, the personal data values are replaced by the value <Personal Data Removed> in different parts of the user interface, as shown in the following examples.

<Personal Data Removed> in the Users section

<Personal Data Removed> in the Accounts section

<Personal Data Removed> in the Flows section

<Personal Data Removed> in the Configuration section