HCL Workload Automation 10.1.0, HCL Workload Automation distributed - Agent for z/OS 9.4 considerations for GDPR readiness
Notice:
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of HCL Workload Automation that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws
and regulations, including the European Union General Data Protection Regulation.
Clients are solely responsible for obtaining advice of competent legal counsel as to
the identification and interpretation of any relevant laws and regulations that may
affect the clients’ business and any actions the clients may need to take to comply
with such laws and regulations.
The products, services, and other capabilities
described herein are not suitable for all client situations and may have restricted
availability. HCL Technologies does not provide legal, accounting, or auditing advice or represent or
warrant that its services or products will ensure that clients are in compliance with
any law or regulation.
Table of Contents
- GDPR
- Product Configuration for GDPR
- Data Life Cycle
- Data Storage
- Data Access
- Data Processing
- Data Deletion
- Data Monitoring
- Responding to Data Subject Rights
GDPR
General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Read more about GDPR
Product Configuration - considerations for GDPR Readiness
Offering Configuration
Configuration to support Data Security
- The product can be configured with custom certificates (the custom certificates are created and managed by the administrator).
- SSL Comunication among processes is configured by default at installation time. Custom certificates can be provided. If custom certificates are not provided, default certificates will be used. Using custom certificates is strongly recommended.
The following documentation paragraphs better explain the procedures:
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadscenDWCagtdistconn.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadservercommscen.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadMDMDAcomm.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadscenSSLnetwork.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_pi/awspicfgremcliSSL.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadusingsslforedwa.html
Data Life Cycle
- Workload Definitions contain “description” free text field that can be filled in by the user.
- The product can be configured to enable Auditing Justification feature.
In this case, some free text fields are enabled and the users can insert information like justification for change and ticket number.
https://help.hcltechsw.com/workloadautomation/v101/distr/src_tsweb/General_Help/keepingtrack.html
- The offering works with the following downstream products:
- IBM Websphere Application Server Liberty base
- IBM DB2 v11.5 Standard Edition
- The offering involves “HCL Technologies” IP Partner and non-IBM entity.
Authentication data for physical users (user’s names and Windows passwords) are collected with the purpose:
- To authenticate users when using Command lines, Web Interfaces and APIs:
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadwhereconfldap.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadenterpwd.html
- To authenticate users when running jobs:
https://help.hcltechsw.com/workloadautomation/v101/distr/src_tsweb/General_Help/changepasswordinplan.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ref/awsrglocalvarsinjobdefs.html
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ref/awsrguserdefn.html
HCL Workload Automation clients can submit online comments/feedback/requests to contact HCL Technologies about HCL Workload Automation subjects in a variety of ways, primarily:
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the [HCL Technologies Online Privacy Statement] (https://www.hcltech.com/privacy-statement).
Data Storage
Data Access
- The Administrator can access personal data to grant or revoke access to specific users.
- The Administrator can access product logs and job logs.
Data Processing
Encryption at rest:
- A symmetric key to encrypt data is automatically generated when installing the product. A custom generated AES-256 key can also be used.
- Encryption at rest is performed. The database can also be encrypted for additional security.
Encryption in motion:
- Customers can specify their personal keys during the deployment. For further information, see the Readme file for HCL Workload Automation Version 9.5 Fix Pack 4
Data Deletion
Data Monitoring
- Core dumps can contain customer data
- Passwords are encrypted and never logged.
- Data and activities monitoring can be performed enabling auditing features:
https://help.hcltechsw.com/workloadautomation/v101/distr/src_ad/awsadauditoverview.html
- Logs can be enabled and managed using specific tools:
https://help.hcltechsw.com/workloadautomation/v101/distr/src_pi/awspilogfilestws.html
Responding to Data Subject Rights
- The product does not support the return of end-user data because data are only used internally by the product.
- The personal data are used for authentication purposes.
- Customer provided data in object definitions can be viewed and modified by the customer at any time.