The IBM Notes Client is NOT GDPR compliant
An essential part of GDPR is personal data: protecting it and managing the rights to it.
To know if a data breach has taken place, you need to have an audit trail and you need to know where the data is.
If you are using purely web-based Domino solutions (no DIIOP etc.), you can control the data, which databases replicate between servers only, etc.
You can have a log of all HTTP actions. It may not be a handy log, but it is a log nevertheless.
The moment you include the IBM Notes Client, things change...
The user can make a copy or a replica of a 50GB database and you cannot do much about it.
The cat is out of the box, and you can no longer control what happens to the data.
We all know the annoying (and wonderful) feature that a user can mark thousands of documents and just copy them.
Then the user can paste them in many different places: a local database, the same original database (very annoying), ...
You no longer have the essential control of the data.
But wait, you say! There is a setting in the ACL to allow "Replicate or copy documents"!
That sounds sweet... and I am sure IBM meant well, but turning it off also prevents users from copying text from a document, which will prevent any user from doing their daily job.
So it is an "all or nothing" solution, and I can guarantee you that this one is ticked off for ALL users on any database, just to get any work done.
There is not any real logging going on. You can make all sorts of hacks to log things, but it is too easy to go "under the radar" and do things without it being logged.
(Yes, there are 3rd party companies who will try to fix this, but that is not good enough; a log/audit should be available for any IBM Notes/Domino database from IBM.)
No matter how you twist it, applications using IBM Notes today are NOT GDPR compliant.
The simple fixes - my suggestions
It is all fine and dandy with a V10 coming out later this year with new stuff, but this needs fixing NOW, since the GDPR deadline is 25th May 2018.
This is my suggestion to fix this:
In the ACL on the database add these options instead
I would probably also consider splitting the replica and copy permissions into two separate entries.
Maybe also creating an entry for copy text etc. is needed, I don't know if this will ever be used.
Logging, with a choice of writing to a text file or a Notes database, with the same name as the database and just a separate file extension.
This should all be very easy to do and could be in a fix soon... if IBM/HCL are willing.
IBM/HCL... please make the IBM Notes Client GDPR compliant!
Posted on 04/20/2018 12:10:30 PM CEDT