Overview
The General Data Protection Regulation (GDPR) is a regulation enacted to strengthen data privacy for all individuals within the European Union (EU). All organizations that process personal data of individuals in the EU are required to comply with GDPR.
Code42 users have substantial amounts of business-critical data on their devices, often including personal data. Code42 will comply with its requirements under GDPR. In addition, Code42's product features can help your organization comply with its own compliance obligations under GDPR.
This article describes:
The GDPR sections in this article can help you develop a compliance plan, but are not an exhaustive list of things to consider.
Compliance is your responsibility
Code42 provides features you can use to meet your obligations under GDPR, but Code42 cannot dictate if and how you comply. It is your responsibility to develop the plan, methods, and procedures you will follow to be in compliance with GDPR.
Considerations
- GDPR is effective as of 25 May 2018.
- GDPR applies to both EU and non-EU companies if they process personal data about EU individuals.
- Not all organizations include endpoints in their GDPR compliance strategy.
Data Processing Addendum (DPA)
Code42's
Master Services Agreement incorporates a
Data Processing Addendum (DPA) that provides contractual commitments Code42 customers need to meet their GDPR requirements.
- For Code42 for Enterprise customers who have renewed their subscriptions after July 15, 2017, and for all CrashPlan for Small Business customers, the DPA applies automatically under your Master Services Agreement.
- For other Code42 for Enterprise customers, Code42 has created a retroactive version of the DPA that can be entered into upon request.
Code42's compliance with GDPR
GDPR sets forth baseline data-protection requirements for organizations that process and move the personal data of individuals in the EU. Organizations subject to GDPR must ensure that any service providers that process personal information of EU individuals meet specific requirements.
Code42 will comply with its requirements under GDPR. As part of our compliance, Code42:
- Implements technical and organizational measures to ensure personal data is protected.
- Provides timely data-breach notifications to customers.
- Transfers personal data outside the EU only if there is a lawful transfer mechanism in place with the organization receiving the data. This ensures adequate protection of the personal data being transferred.
For complete information about how Code42 handles your personal data, see the Code42 Privacy Statement.
Incydr Professional, Enterprise, and Horizon features to help you comply with GDPR
Data protection and recovery features
The following Code42 features enable data protection and recovery.
Relevant GDPR information
- Article 5: "Principles relating to processing of personal data"
- Article 25: "Data protection by design and by default"
- Article 32: "Security of processing"
Keep data secure
All data transferred to Code42 is encrypted at rest and in transit and is not processed by Code42 for any purpose other than as agreed upon for the provision of our products and services.
Recover data
Because Incydr stores exfiltrated files in the cloud, an administrator can use Forensic Search to download files and examine them with forensic tools as part of compliance efforts.
Data viewing features
The following Code42 features provide your compliance officer with information about the data retained and allow your organization to comply with reporting requirements in the event of a data breach.
Relevant GDPR information
- Article 35: "Data protection impact assessment"
- Article 33: "Notification of a personal data breach to the supervisory authority"
- Article 34: "Communication of a personal data breach to the data subject"
Monitor data flow
Monitor for high-risk behavior by configuring Incydr alerts and messages for high-risk data transfers to cloud storage, removable media, ZIP files, and more.
Report on data breaches
Use Incydr's Cases feature to compile and retain evidence in the event of a data breach.
Incydr Basic and Advanced, CrashPlan Cloud, and other plans features to help you comply with GDPR
Data protection and recovery features
The following Code42 features enable data protection and recovery.
Relevant GDPR information
- Article 5: "Principles relating to processing of personal data"
- Article 25: "Data protection by design and by default"
- Article 32: "Security of processing"
Protect data from loss
Every file in user directories on all devices are backed up every 15 minutes (Code42 for Enterprise) or 30 minutes (CrashPlan for Small Business) by default per file retention settings, allowing for robust data recovery.
Keep data secure
All data transferred to Code42 is encrypted at rest and in transit and is not processed by Code42 for any purpose other than as agreed upon for the provision of our products and services.
Recover data
Code42 allows users to recover their files in the event of data loss arising from events such as a stolen device or ransomware.
Data viewing features
The following Code42 features provide your compliance officer with information about the data retained and allow your organization to comply with reporting requirements in the event of a data breach.
Relevant GDPR information
- Article 35: "Data protection impact assessment"
- Article 33: "Notification of a personal data breach to the supervisory authority"
- Article 34: "Communication of a personal data breach to the data subject"
See data on devices
Because files on user devices are retained in archives, an administrator can download files from the archives and examine them with forensic tools as part of compliance efforts.
Monitor data flow
Incydr Basic and Advanced only
Monitor for high-risk behavior by configuring Incydr alerts and messages for high-risk data transfers to cloud storage, removable media, ZIP files, and more.
Report on data breaches
Use Incydr's Cases feature or Code42 for Enterprise reporting features as part of your analysis and required reporting in the event of data breaches.
Features to assist with "right to erasure" requests
A provision of GDPR is the "right to erasure." If you receive requests from individuals who want their personal data "to be forgotten," you should be able to identify those individuals' personal data in your system, verify whether or not proper consent was obtained to collect the data, and be able to remove the data from any backups.
Keep in mind that:
- EU individuals may have a "right to be forgotten" by any company that has their personal data, including companies outside of the EU.
- Companies that have EU personal data should be prepared to respond to a request of disclosure of stored personal data, and possible deletion of that data, within 30 days.
Relevant GDPR information
Article 17: "Right to erasure (‘right to be forgotten’)"
