If your application stores data that might be used to identify a person and you are subject to GDPR or similar regulations, use client-based access control (CBAC) to track and process requests to view, change, or remove the data.
Client-based access control helps you satisfy the data privacy requirements of client protection regulations, such as the European Union (EU) General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). In Pega Platform, personal data might be stored in the database or related data sets, and is identified by class name and property name. Personal data is associated with an actual person, not with an abstract entity such as a business.
For more information, see:
- General Data Protection Regulation.
- California Consumer Privacy Act (CCPA).
Data privacy APIs
REST APIs process requests to get, rectify (update), erase (delete), or limit the usage of personal data. The access request processing can be synchronous or asynchronous, but the processing of requests to rectify and erase is asynchronous. Cases handle Access, erase, and rectify requests. When data requests are processed, the decrypted client data is returned to the client using HTTPS in Base64 encoded format. For requests to rectify or erase, the data is modified or deleted as requested.
The REST APIs that define personal data requests are in the Data Privacy category of the api service package, which is known as the Pega API.
- Requests to update and delete personal data are one-time requests that do not prevent the data from being changed or added again in the future.
- Client data that is temporarily stored on a CBAC case does not persist after the case has been resolved.