LoopBack considerations for GDPR readiness.

Notice:

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of LoopBack that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.




GDPR

The General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for the processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Read more about GDPR


Product Configuration - considerations for GDPR Readiness

Offering Configuration

The following sections provide considerations for configuring LoopBack to help your organization with GDPR readiness.

Configuration to support data handling requirements

The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure and also through unauthorized access or via theft of computer equipment or storage media.

LoopBack Overview

Please note that LoopBack 4 is in developer preview and not ready for production. For production, use LoopBack 3.

LoopBack is an open source Node.js framework that allows you to create REST APIs and connect to backend resources, such as databases and Web services.

  • Users can download LoopBack anonymously and use LoopBack without creating any accounts.
  • LoopBack itself is not runnable. The close analogy is Spring Framework or the IBM Node.js SDK.
  • Customers create applications using LoopBack tooling and runtime.
  • Since LoopBack allows users to connect to backend resources that might require credentials to access, users can create a LoopBack application in such a way that the credentials are stored in the configuration files as part of their LoopBack application. It is important to note that it is the developer’s responsibility to design and configure their LoopBack application using the GDPR Privacy By Design guidelines.

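The last point above is where most GDPR-relevant exposure in a LoopBack application sits: backend credentials that end up in `datasources.json` get committed, copied into support attachments and printed in debug logs. The following is an added example (it is not LoopBack's own code and not part of this document) of building a LoopBack 3 datasource configuration from environment variables instead. It assumes the application boots with loopback-boot, which merges a `server/datasources.local.js` exporting a plain object; the variable names `DB_HOST`, `DB_USER`, `DB_PASSWORD`, `DB_NAME` and `DB_PORT`, and the `postgresql` connector, are choices made for the example.

```javascript
// Added example (not LoopBack's own code): build the LoopBack 3 datasource
// configuration from environment variables so database credentials never live
// in a file that ships with the application.
// Assumptions: loopback-boot merges server/datasources.local.js (exports a plain
// object); the variable names below are chosen for this example.
'use strict';

const REQUIRED = ['DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'];

// Return the datasource config, or throw before the app starts if a credential
// is missing: fail closed rather than fall back to a default or empty password.
function buildDataSources(env) {
  const missing = REQUIRED.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`missing required environment variables: ${missing.join(', ')}`);
  }
  return {
    db: {
      name: 'db',
      connector: 'postgresql', // any LoopBack connector; constructed value
      host: env.DB_HOST,
      port: Number(env.DB_PORT || 5432),
      user: env.DB_USER,
      password: env.DB_PASSWORD,
      database: env.DB_NAME,
    },
  };
}

// Keys whose values must never be echoed: the password itself and connection
// URLs, which usually embed it.
const SECRET_KEYS = new Set(['password', 'url']);

// Produce a copy that is safe to print at startup or to attach to a support
// request; secret-bearing fields are replaced, everything else is kept.
function redactDataSources(config) {
  const out = {};
  for (const [dsName, ds] of Object.entries(config)) {
    out[dsName] = {};
    for (const [key, value] of Object.entries(ds)) {
      out[dsName][key] = SECRET_KEYS.has(key) ? '[REDACTED]' : value;
    }
  }
  return out;
}

// In server/datasources.local.js the whole file would reduce to:
//   module.exports = buildDataSources(process.env);
// Here the helpers are exported so they can be reused and tested.
if (typeof module !== 'undefined') {
  module.exports = { buildDataSources, redactDataSources };
}
```

Keeping `datasources.json` free of secrets (connector and non-sensitive settings only) and letting the `.local.js` layer supply credentials from the environment means the committed application, a zipped reproduction sent to support, and `redactDataSources(config)` in startup logs all contain no usable credential.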
Configuration to support Data Privacy

It is the developer’s responsibility to design and configure their LoopBack application using the GDPR Privacy By Design guidelines to support Data Privacy.

Configuration to support Data Security

It is the developer’s responsibility to design and configure their LoopBack application using the GDPR Privacy By Design guidelines to support Data Security.


Data Life Cycle

LoopBack is a development framework that does not collect any data nor does it send any of it back to IBM. The LoopBack framework facilitates the connection to backend resources, such as databases and Web services, where identity data is stored. However, the framework itself does not store actual data.

Important: LoopBack 4 is in developer preview. Where its application configuration data resides and how it is used may be subject to change. More information will be provided once the code has stabilized.

Personal data used for online contact with IBM

LoopBack clients can submit online comments/feedback/requests to contact IBM about LoopBack subjects.

Regarding getting support from IBM as open source community users or paid customer support, LoopBack users might be asked to provide a sample application and output/debug logs for problem reproduction and problem determination. It is important to note that personal data is not needed for this purpose. If there is personal data included in the application, it should be removed or de-identified before sending it to IBM Support.

For supporting the community users through GitHub, please keep in mind that it is a public platform and anyone who has access to the World Wide Web is able to view it. If there is personal data included in the application, it should be removed or de-identified before sending it to IBM Support.

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.


Data Collection

LoopBack is a development framework that does not collect any data nor does it send any of it back to IBM. It is the LoopBack developers’/users’ responsibility to ensure that their data collection is GDPR compliant and to protect their own data.

For details, refer to the GDPR Privacy By Design guidelines from the GDPR official Web site.


Data Storage

LoopBack is a development framework that does not collect any data nor does it send any of it back to IBM. It is the LoopBack developers’/users’ responsibility to protect their own data.

See the references below for securing the data:

https://www.ibm.com/security/services/data-security

https://www.ibm.com/security/campaign/gdpr


Data Access

LoopBack is a development framework that does not collect any data nor does it send any of it back to IBM. It is the LoopBack developers’/users’ responsibility to determine the roles and access rights to their own data.

For details, refer to the GDPR Privacy By Design guidelines from the GDPR official Web site.


Data Processing

LoopBack is a development framework that does not collect any data nor does it send any of it back to IBM. It is the LoopBack developers’/users’ responsibility to protect their own data.

See the references below for securing the data:

https://www.ibm.com/security/services/data-security

https://www.ibm.com/security/campaign/gdpr


Data Deletion

The LoopBack framework does not store any data but acts as a data processor. It is the LoopBack developers’/users’ responsibility to allow end-users of the LoopBack application to request deletion of personal data, so that their LoopBack application is GDPR compliant.

For details, refer to the GDPR Privacy By Design guidelines from the GDPR official Web site.


Data Monitoring

The LoopBack framework does not monitor data. It is the LoopBack developers’/users’ responsibility to ensure that their data monitoring is GDPR compliant. For details, refer to the GDPR Privacy By Design guidelines from the GDPR official Web site.


Responding to Data Subject Rights

LoopBack is a development framework that does not collect any data. It is the LoopBack developers’/users’ responsibility to meet data subject rights.

For details, refer to the GDPR Privacy By Design guidelines from the GDPR official Web site.
