DPIA on IBM Cloud Pak for Business Automation as a Service: IBM took measures to mitigate risks

February 27, 2024

The Dutch Strategic Supply Management IBM (SLM Rijk IBM en Red Hat), as executed by the Tax and Customs Administration (Belastingdienst), commissioned Privacy Company to carry out an umbrella DPIA on the IBM Cloud Pak for Business Automation as a Service (CP4BAaaS). CP4BAaaS runs on the IBM Cloud infrastructure: servers in data centres controlled by IBM. With IBM CP4BAaaS, IBM aims to provide a single platform to manage enterprise content, process workflows, automate tasks, and use intelligent capture: the automatic discovery and verification of unformatted data. The Digital Business Automation on Cloud platform consists of several parts, including an authentication services layer and a backend. For each customer, IBM will set up a tenant, a dedicated environment in the IBM cloud. IBM Cloud is the infrastructure provider for CP4BAaaS. Within the tenant, IBM provides the customer with a development, a testing, and a production environment.

The DPIA was based on extensive legal and technical research and included reviews of documentation and contracts, execution of test scenarios, a data subject access request, and gathering additional technical information in collaboration with IBM. The DPIA resulted in a list of 11 high and 5 low risks for the rights and freedoms of data subjects. Those risks related to the role of IBM as a data processor, but also as (joint) controller, the use of several third parties and the issuing of tracking cookies, and essential processing activities outside the EEA. Based on the identified risks and proposed measures, IBM has taken steps to mitigate the risks via a remediation plan.

The remediation plan and the measures taken by IBM set sufficient safeguards to mitigate the identified risks. With these measures, all high risks are reduced to low residual risks or no longer apply. IBM has now properly categorized the cookie categories and applies the correct default settings. An important change relates to international data transfers. At the time of the research, the EU-US Data Privacy Framework was not yet in place. For the purposes of future-proof processing and adequate safeguards, IBM now provides account management (Active Directory) from the EU instead of the US. Moreover, technical support can optionally be provided from the EU only (limited to business hours) instead of the follow-the-sun approach with worldwide data transfers. The measures apply not only to the Dutch government but to all EU organisations. The results of the DPIA and the follow-up by IBM are therefore beneficial for all EU organisations using CP4BAaaS.

The DPIA, including the findings and the remediation plan of IBM can be found here.