Default language.

Addressing data privacy requests

As a Data Protection Officer or Remedy Administrator, you can handle data privacy requests that are raised by an individual.

Handling data privacy requests in the AR System database

When an individual logs a data privacy request, the Data Protection Officer or Remedy Administrator needs to act on the request by searching, extracting, or anonymizing the personal data connected to that individual. The following procedure explains how to use the AR System Personal Data Privacy (PDP) utility for performing any of these operations: 

Before executing a PDP operation, you must take back-up of the database.


  1. In Remedy with IT Service Management, select Applications > Personal Data Privacy, click the PDP Job Console form, and create a job.
  2. Enter the details of the requester, and then in the Personal Data tab, click Add.

  3. Personal Data refers to the string that is searched in the database. Enter values in the Personal Data Label and Personal Data fields.

    Example

    For example, to search for mmann@calbroservices.com, where mmann@calbroservices.com is the email address, enter Email Address in the Personal Data Label field and mmann@calbroservices.com in the Personal Data field.

    The Replace with field is auto-populated with a string. When the AR Forget operation is executed, the Replace with string replaces the string entered in the Personal Data field.

  4. Click Add.
    You can add multiple Personal Data strings in a job for a requester.

  5. Click Lock Personal Data to lock the data connected to the requester.

    You can use the Exclusion List or Inclusion List forms. For more details, see Considerations.

  6. From the Operations tab, select an operation and click Execute.
    When the anonymize operation is completed, the message is displayed describing the number of records that are anonymized or failed to anonymize. You can make required changes in the search results and run the operation again for the failed records.

    PDP_SS.PNG

    • There might be personal data that is not connected to the user that has requested data privacy request. In this case, examine and modify the search result report to include the personal data that is connected to the user.
    • It is recommended that you run the utility for one individual at a time and you provide all the possible personal data within the same job to anonymize. This approach will produce the optimal number of records to review for the search result of the requester.
    • It is highly recommended that you anonymize or delete all the personal data for an individual in a single operation. Partial anonymization or deletion of personal data for an individual might cause data inconsistencies in the database and that might result in errors within the database.

Various statuses in Personal Data Privacy utility

The following list explains various statuses that are displayed across the different phases of the Personal Data Privacy utility.

Status

Description

New

Initial status that is assigned automatically when a job is created

Waiting for personal data

Personal data is not yet added after the job is created

Ready for Search

Personal data is filled and the utility is ready for search operation

Performing Search

Utility is searching for personal data

Performing operation

Extract or anonymize operation is in progress

Successful

Operation is successfully completed for all the selected records

Failed

Operation is not completed for all of the selected records due to some errors in the data

Handling data privacy requests in the Smart IT database

When the Personal Data Privacy (PDP) utility, located in the <Installation directory>\BMC Software\Smart_IT\SmartITCustomizationUtil\password-encryption-<version>-BUILD-SNAPSHOT.zip runs on the User or People form for anonymizing the Login Name field for a requester, the Smart IT database needs to be updated with the anonymized string. For this, update the Remedy Administrator must configure the server name and other details that are described below:

  1. Double-click to open the PDP utility
    (Windows): PDPU_SmartIT_DB_Tool-9.1.05-SNAPSHOT\scripts\win\smartit_pdpu_tool.bat
    (Linux): PDPU_SmartIT_DB_Tool-9.1.05-SNAPSHOT\scripts\linux\smartit_pdpu_tool.sh
  2. The Data Protection Officer or the Remedy Administrator must use the following command to encrypt the password for SmartIT database:
    Command in Shell mode: pdpu-encrypt-password <your password>You can refer the following figure:EncryptPassword.PNG

  3. Open PDPU_SmartIT_DB_Tool-9.1.05-SNAPSHOT\scripts\win\..\..\config\application.yml in a text editor and update the database connection details as described in the following table:

    Field

    Value

    driver - class - name

    Enter the name of the database

    url

    Enter the URL to access database

    username

    Enter the user name that has the permissions to update database

    password

    Paste the encrypted password that is copied from step 2 in the syntax: ENC(xxxxxxxxxxxxxxxxxxxxxxxx)

    tenantid

    Enter tenantID between the double quotations

Handling data privacy requests in Smart Reporting

The user sync utility creates jobs to synchronize Smart Reporting database with the updates that are made in the BMC Remedy AR System User and People forms. When an operation is performed on these forms, a corresponding job is signaled to be executed at a scheduled time, for a customer. The job schedule is controlled by the escalation that executes in every 12 hours, and checks for synchronization requests. This user sync utility helps updating Smart Reporting database for data privacy requests. 

Considerations

Consider the following points while executing a request for a data privacy operation:

  • You should configure the list of forms in the Exclusion List or the Inclusion List.
  • The Exclusion List form is used to specify the names of forms in which the personal data must not be searched. For example, to prevent searching personal data from the Audit form, you must add the Audit form to the Exclusion List.
  • The Inclusion List form is used to specify the names of forms in which the personal data must be searched.
  • If a form is added to both the Exclusion List and the Inclusion List, the Exclusion List takes precedence over the Inclusion List.
  • The personal data is searched in all the forms when the Exclusion List or Inclusion List are not configured.
  • Before executing AR Extract or AR Forget operations, you must execute an AR Search operation. If you select any operation other than Search, an error is displayed.
  • Personal data is not searched inside an attachment.
  • Personal data in the Last modified by field is not anonymized.
  • A data privacy operation is not reversible. Before executing the AR Forget operation, you must ensure that the entered information string is correct.

Frequently asked questions about the PDP utility

What if an organization is not established in the EU?

The GDPR applies to the processing of personal data of EU residents, regardless of the location of the organization processing such personal data.

Does the PDP utility search personal data inside attachments?

No, as of now.

Who can run the PDP utility? Does it require any special permissions to execute a PDP operation?

The Remedy Administrator or PDP Administrator of Remedy can run the PDP utility.

Can I pause a PDP operation and continue later?

No, as of now.

Can I cancel a PDP operation?

No, as of now.

What does the Lock Personal data button do?

The Lock Personal data button is used to prevent for simultaneous access to the data that is connected to an individual. The personal data must be locked to perform an operation in the PDP utility. Additionally, locking personal data option gives an opportunity to the administrator to verify the personal data as the data can not change once it is locked.

How do I use PDP utility for multiple people?

This is usually a request-driven operation. An individual wants to know about stored personal data that is connected to that individual, or requests to be forgotten. This utility helps companies to address such requests for personal data stored in the Remedy solution.

Is the utility available in Remedy OnDemand too?

Yes, the utility is also available for Remedy as a Service installations.

Can multiple data privacy jobs run at a time?

It is not recommended to run multiple data privacy jobs in parallel. The jobs can be run from the job console only.

Is it possible to create a workflow to fill the replacement configuration table in first tab?

Native AR platform capabilities can be used with the forms for PDP utility. 

If an ex-employee is re-hired in an organization, can the data be reverted back?

There is no built-in revert function. Once anonymized, data cannot be reverted.

Related topics

Failed to execute the [excerpt-include] macro.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*