By Boomi

So far, we’ve published three posts on the scope, challenges and data obligations of the European Union’s General Data Protection Regulation (GDPR). Our most recent post focused on how Boomi can help organizations address three of the six high-risk obligations imposed by the GDPR: record keeping, accountability and data retention.

But good “data hygiene” is critical to routine business activities beyond the GDPR. So, in this post, we’ll take a closer look at the tools the Boomi integration platform offers organizations to help better manage their data — not just for GDPR purposes but for business operations as a whole.

How Boomi Handles Customer Data

Within the language of the GDPR, “data controllers” are generally the companies that direct how and why personal data is processed. “Processors” are generally the companies that process personal data on behalf of the controller. When Boomi provides services that involve customer data, it is generally acting as a processor and our customer is the controller.

Boomi appreciates that our customers have various internal teams and external partners they share and exchange data with. However, not everyone should have access to sensitive data that flows through such business processes.

With this essential data management and security need in mind, we designed the Boomi integration platform with features that allow companies to control how data is handled. In general, the View Data privilege in the Boomi platform is turned on by default. This allows customers to view data and documents on the Process Reporting page. When View Data is on, this information flows through the Boomi platform (based in the United States).

However, customers can configure custom roles so that personal data in their production data passing through an on-premise (“local”) Atom, Molecule or Atom Cloud never flows through the Boomi data center in the U.S. The data and logs are stored on the customer’s hosted infrastructure, either on-premise or in the cloud, where the Atom or Molecule is deployed.

Further, if Purge Data Immediately is selected within Atom Management, data will be purged upon completion of an integration process — ensuring that no data remains that could be viewed through this function. In terms of integration, Boomi facilitates data transmission between either a SaaS or on-premise application through a connector configured to the customer’s security requirements.

Configuration Data and Business Data

Boomi distinguishes between configuration data and business data. Configuration data is the information needed to execute the integration process flows that a customer builds inside the platform. Business data is information related to a customer’s business (e.g. invoices, orders, contacts, etc.) and is processed by the Boomi Atom, which is our run-time engine. This run-time engine can be deployed anywhere by the customer — on the customer’s hosted infrastructure either on-premise or in the cloud.

Our distributed architecture allows customers to bypass the Boomi platform to maintain maximum control when processing business data. Business data is not processed on the platform but may be transferred through the platform as requested by the customer via the user interface (View Data), using standard encryption protocols.

Securing Customer Data in Transit

To help ensure the security of data in transit, the Boomi AtomSphere integration platform uses stringent data communication security standards. While an Atom, Molecule or private Atom Cloud is running and executing processes, it stores detailed logs and processed documents locally. You can view them on the Process Reporting page in the Boomi platform.

Customers can control how long logs, processed documents and temporary data are stored in the Boomi Atom, Molecule or private Atom Cloud. If an organization processes large volumes of data and wants to conserve disk space, it can reduce the number of days this information is kept (30 days is the default).

Purged logs, processed documents and temporary data are permanently deleted and cannot be recovered. If your organization wants to keep a longer history of documents for audit purposes, use connector operation archiving or write data received and/or sent to another location as part of your process.

GDPR Is Here

GDPR is an opportunity for IT teams to conduct a comprehensive review of their existing data privacy and data security practices.

While Boomi can help your organization with some key GDPR obligations, ultimately, each organization will have to decide how they will address GDPR. Only a handful of articles in the GDPR law relate to IT security, but data protection goes far beyond GDPR.

As organizations embark on the road to becoming a Connected Business, Boomi is here to support our customers to configure and manage their data to best support their business needs, whether for GDPR or any initiative far beyond the scope of this legislation.