Maximo and the General Data Protection Regulation (GDPR)

GDPR is all about the privacy of personal data and GDPR comes into force across the European Union and EEA countries on the 25th May 2018. The potential fines for failure to follow the regulations could amount to 4% of an organizations worldwide annual turnover.

GDPR gives an individual the right to know what personal data is being held, to make corrections if it is wrong and they also have the right to have their personal data erased and to be forgotten. There are other rights too, but basically when looking at the Maximo system we:

As implementers of a Maximo system (we are called the Data Processors) on behalf of our clients (Data Controllers) we also have a few duties to perform, we:

GDPR will affect new Maximo systems and existing ones. A person’s name is considered Personal Data. With the right to be forgotten GDPR might be interpreted as to require all names to be erased or pseudonymised after they are no longer needed, perhaps at the point a person/labor leaves the employment of the Maximo system owner. However, there may be other regulations requiring information on who performed work on an asset, when this occurred and whether they had the right certifications to perform the work, therefore it is important that the Maximo client as data controller provides the guidance as to how long personal data should be retained within the Maximo system.

Privacy by Design, Privacy by Default

Privacy by Design requires that the data owner and implementer are to consider privacy of personal data at the early stages of design and to reassess privacy throughout the life of the development process. If an existing system is being enhanced then Privacy by Design must still be considered.

Privacy by Default means that individuals should be given a choice as to how much personal data they wish to share with others with the default setting being total privacy. Individuals should opt-in to sharing personal data and they can opt-out again if they choose. An element of privacy by design would give the Data Subject the ability to select (or not) these privacy options at any time.

What would be considered Personal Data in Maximo?

The tables/objects/attributes that could store Personal Data in an out of the box Maximo system are mostly associated with the People, Labor and Users applications, but there are other places as well:


The base table behind the People application.


The history table for Person status changes, used by the People application in the Administration module:


The base table behind the Labor application.



The base table behind the Users application in the Security module.

When Maximo users are no longer needed change the status to INACTIVE. Then occasionally select INACTIVE users and use the action Delete User (it only takes a few seconds), however, the action isn’t available from the List Tab. Note. If you have extended Maximo and used the USERID then be careful that you don’t leave behind redundant data.


The history table for user status changes, used by the Users application in the Security module:


The table that stores the GEO Location of a moving object. For example, Labor, Crew or Asset.


This table records when a user log’s in/out of Maximo, it also records all E-Signature attempts.


This table records the current Maximo user sessions.


This table records the IP Addresses that are blocked from accessing Maximo. Typically used for IP Addresses where persistent attacks have been made or servers/users which are no longer permitted to connect to Maximo. Accessed through the action Manage Blocked IP Addresses in Users application.









If these fields contain personal data you will need to consider how long this data should be retained for.


If these fields contain personal data you will need to consider how long this data should be retained for.







Note on reports generally. Reports can be written against any part of the Maximo database and it could contain personal data. If a report does contain personal data then it might be more appropriate to not allow report distribution, or to send an email to the recipient with a link to the report output, or to allow users to find scheduled reports from the Report Viewer application.

Concluding Thoughts

The main areas where Personal Data is held in Maximo is found in the Person, Labor and User applications. But as can be seen there are many more places in Maximo where there is the potential to store Personal Data. As the PERSONID, LABORCODE, USERID and LOGINID get copied to other tables often as part of a unique key then you should look to turn as many of these fields into numeric values as you can to reduce the impact of the spread of Personal Data through Maximo.

If you are on Maximo 7.6 you can limit the spread of personal data by utilising the hover-over dialogs to display the name of the person and their contact details. When the Person is no longer needed in the Maximo system then this data can be removed without creating referential integrity issues.

GDPR compliance and the security of Personal Data will become significantly more controllable by taking these two steps. But there is more to GDPR and compliance should be designed into the Maximo system.

The tables and attributes identified above may seem comprehensive but there will be other Personal Data. Every Maximo clients’ implementation is different and not many exist without some degree of configuration. Each Maximo client as Data Controller will need to make their own assessments or ask someone to do it for them. This should take into account all of the Maximo products installed, the configurations made including Audit tables, interfaces both inbound and outbound, reports, attached documents and emails that may contain Personal Data. For example, are reports saved as PDF spreading Personal Data, are photos of people held as attachments, are outbound interfaces copying personal data to other systems, do we receive personal data from an HR system?

While the IBM team have just launched a utility to help blank or scramble Personal Data this will not make the Maximo system GDPR compliant, it will be useful, but there is more to be done including training Maximo users and administrators to be far more aware of Personal Data and how it is processed.

3 responses to “Maximo and the General Data Protection Regulation (GDPR)”

  1. Prashant D Bavane avatar
    Prashant D Bavane

    This is really nice giving areas to be looked for handling PII data.
    IBM has already released utility which allows to handle/scramble PII dat per GDPR.

    1. maximosecrets avatar

      Yes, the utility looks to be useful but it is not the panacea that will fix all personal data. There is also more to GDPR than just blanking data or scrambling it. For example, one aspect is to let your Data Subjects understand how you process their Personal Data and to do that you need to identify it and then tighten all your processes around it before documenting it.

      I am working on another article at the moment which looks at Privacy by Design and Privacy by Default. Check out the other article on GDPR which is more focused on the regulation and definitions. It has a couple of really good links which was one of the main sources to my learning.

Leave a Reply

%d bloggers like this: