Imagine as a business that you were given the opportunity to grow turnover by 4%, at a stroke, or to increase revenue by €20 million. This would be certainly a key focus area. Well, there is good news and bad news, because these figures are accurate, and can apply to your business, but they are fines that will be applied to your business if you are in breach of the GDPR regulations that will be enforced in May 2018. And your business will be liable for whichever is the greater amount. As such, it is a subject that demands attention. And it can apply to any business if it concerns the personal data of EU citizens, even if your business is not based in the EU.
GDPR is a complex piece of legislation, and not one that can be solved through any one single act or solution. It requires understanding of the legislation, and then a thorough review of existing governance and processes, especially those involved in data handling and security, and ensuring that all people involved in all these aspects are aware of changes being made, and why these are important and must be complied with.
Amongst the key criteria for GDPR compliance are a number of aspects that are likely to need to be reflected in the choices made in MQ deployment to help to meet the compliance needs. However, it must be understood that taking this action around MQ alone will not achieve GDPR compliance, but simply be a part of that compliance.
Given that GDPR is concerned with data protection, it should be clear that data privacy is key in reaching compliance. This isn’t the only aspect, as there are multiple additional aspects such as the ‘right to be forgotten’ providing a requirement to remove data, and also the need to track the movement of data through all systems. Considering all these aspects together, it should be clear that reducing the movement of data to modes of transport that allow for end to end encryption, as well as logging, reporting and monitoring for the movement of data are likely to be seen as essential to aid in GDPR compliance.
Steps that you can take to help demonstrate your MQ environment is helping your business comply with GDPR regulations:
- As well as using authentication and authorization to secure your MQ system, end-to-end encryption is available as part of MQ Advanced and MQ Appliance to supplement this
- Using end-to-end encryption could be the only way to protect personal data wherever in the organization it moves, as it moves as it reduces the need to ensure control of all intermediate systems to protect the data.
- End-to-end encryption can help to demonstrate privacy by design as part of your compliance verification process.
- IBM MQ can be configured to log all messages and accesses which can be used to track all movement of data, and who had access to it.
- Making use of the tools available with IBM MQ to monitor and report on message movement can be an essential part of good data governance
- Building new tools using the REST API for MQ admin to offer a custom view of MQ configuration and operation could be a critical aspect of generating reports on data movement and protection.
- Holding personal data in files is widespread in many businesses
- Holding and moving those files around your business could add further vulnerabilities.
- File data needs to be handled and managed with the same care as application data as it is just as likely to be personal data that needs to be protected.
- As part of the MQ Advanced and MQ Appliance entitlement, businesses can move file data securely, and with monitoring and tracking, through the MQ network, helping to meet GDPR compliance without additional complexity
As mentioned at the start, there is no single solution that can address all the aspects of GDPR within your business. Ensuring your MQ environment is configured to securely move data with end to end encryption, with comprehensive logging and reporting of messaging access and movement can be a critical step in the wider compliance task.
Work with your IBM representative to ensure you hear more about the benefits of MQ Advanced entitlement to allow your business to move file data and to encrypt messages and data end to end, and thus reduce the risk of data being exposed in a security breach. Or review whether the MQ Appliance would be a good fit for your business, providing the same benefits in end to end encryption and file data movement.
Read more about MQ Advanced here: https://www-03.ibm.com/software/products/en/ibm-mq#othertab3
Read more about the MQ Appliance here: https://www-03.ibm.com/software/products/en/ibm-mq#othertab4
For additional information about how IBM can help you with GDPR see here: https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation/
Tags: data protection, encryption, end to end encryption, File transfer, GDPR, IBM MQ, IBM MQ Advanced, IBM MQ AMS, IBM MQ Appliance, managed file transfer, MQ Managed File Transfer
Leifdavidsen's Blog 
October 27, 2017 at 4:17 pm
Hi Leif!
Thank you for an interesting article.
You say in your article that “IBM MQ can be configured to log all messages and accesses which can be used to track all movement of data”.
As far as I know, this is not possible. The only way I know to be able to do this is to buy third party software.
I would appreciate if you could share some specific information or link that shows how it’s done.
Regards
Raul
October 31, 2017 at 12:11 pm
[…] What is GDPR and how does it affect IBM MQ use? […]
December 15, 2017 at 5:00 am
“Hello,
July 11, 2018 at 10:16 am
[…] data seriously. The headlines recently around this have been driven by the deadline date for the EU’s GDPR. But honestly protecting your own data, as well as customer information should have been essential […]
June 25, 2020 at 4:12 pm
[…] ESB’s and Messaging (including MQ and FTP – also see Leif Davidsen’s blog) […]