Code42 and GDPR compliance
Overview
The General Data Protection Regulation (GDPR) is a regulation enacted to strengthen data privacy for all individuals within the European Union (EU). All organizations that process personal data of individuals in the EU are required to comply with GDPR.
Code42 users have substantial amounts of business-critical data on their devices, often including personal data. Code42 will comply with its requirements under GDPR. In addition, Code42's product features can help your organization comply with its own compliance obligations under GDPR.
Considerations
- GDPR is effective as of 25 May 2018.
- The rights under GDPR apply to any individual who is in the EU, regardless of that individual's residency or citizenship, and are limited to such individuals. This means that GDPR's provisions protect non-EU citizens who are located within the EU, but do not extend to an EU citizen living outside the EU.
- GDPR applies to both EU and non-EU companies if they process personal data about EU individuals.
- Not all organizations include endpoints in their GDPR compliance strategy.
Code42's Master Services Agreement incorporates a Data Processing Addendum (DPA) that provides contractual commitments Code42 customers need to meet their GDPR requirements.
- For Code42 for Enterprise customers who have renewed their subscriptions after July 15, 2017, and for all CrashPlan for Small Business customers, the DPA applies automatically under your Master Services Agreement.
- For other Code42 for Enterprise customers, Code42 has created a retroactive version of the DPA that can be entered into upon request.
Code42's compliance with GDPR
GDPR sets forth baseline data-protection requirements for organizations that process and move the personal data of individuals in the EU. Organizations subject to GDPR must ensure that any service providers, such as Code42, that process personal information of EU individuals, meet specific requirements.
Code42 will comply with its requirements under GDPR. As part of our compliance, Code42:
- Implements technical and organizational measures to ensure personal data is protected.
- Provides timely data-breach notifications to customers.
- Transfers personal data outside the EU only if there is a lawful transfer mechanism in place with the organization receiving the data. This ensures adequate protection of the personal data being transferred.
For complete information about how Code42 handles your personal data, see the Code42 Privacy Statement.
Features to help you comply with GDPR
The following features can help you in your GDPR-compliance strategy.
The GDPR sections in this article can help you develop a compliance plan, but are not an exhaustive list of things to consider.
Code42 provides features you can use to meet your obligations under GDPR, but Code42 cannot dictate if and how you comply. It is your responsibility to develop the plan, methods, and procedures you will follow to be in compliance with GDPR.
Data protection and recovery features
The following Code42 features enable data protection and recovery. Relevant GDPR articles:
• Article 5: "Principles relating to processing of personal data"
• Article 25: "Data protection by design and by default"
• Article 32: "Security of processing"
Protect data from loss
By default, every file in the user directories on all devices is backed up every 15 minutes (Code42 for Enterprise) or every 30 minutes (CrashPlan for Small Business); how many versions are kept, and for how long, is governed by your file retention settings. Together these allow robust data recovery.
Keep data secure
All data transferred to Code42 is encrypted at rest and in transit and is not processed by Code42 for any purpose other than as agreed upon for the provision of our products and services.
Recover data
Code42 allows users to recover their files in the event of data loss arising from events such as a stolen device or ransomware.
Data viewing features
The following Code42 features provide your compliance officer with information about the data retained and allow your organization to comply with reporting requirements in the event of a data breach. Relevant GDPR articles:
• Article 33: "Notification of a personal data breach to the supervisory authority"
• Article 34: "Communication of a personal data breach to the data subject"
• Article 35: "Data protection impact assessment"
See data on devices
Because files on user devices are retained in archives, an administrator can download files from the archives and examine them with forensic tools as part of compliance efforts. Note that restoring archived files for examination is itself processing of any personal data they contain, so limit that access to the administrators who need it and keep a record of what was restored and why.
Monitor data flow
Monitor for high-risk behavior by configuring Security Center alerts and messages for high-risk data transfers to removable media and cloud storage.
Report on data breaches
Use Code42's reporting features as part of your analysis and required reporting in the event of data breaches.
Features to assist with "right to be forgotten" requests
A provision of GDPR is the "right to be forgotten." If you receive requests from individuals who want their personal data "to be forgotten," you should be able to identify those individuals' personal data in your system, verify whether or not proper consent was obtained to collect the data, and be able to remove the data from any backups.
Keep in mind that:
- EU individuals may have a "right to be forgotten" by any company that has their personal data, including companies outside of the EU.
- Companies that hold EU personal data should be prepared to respond to a request for disclosure of stored personal data, and possible deletion of that data, without undue delay and in any event within one month of receiving the request (Article 12); that period can be extended by up to two further months for complex or numerous requests, provided the individual is told why within the first month.
Relevant GDPR article:
Article 17: "Right to erasure (‘right to be forgotten’)"
Exclude files from backup
An administrator can exclude files from backup that contain personal data. Excluded files are removed from backup archives the next time archive maintenance is run.
Allow users to remove their files from backups
Under GDPR, individuals have rights over their personal data, including the right to have it erased, and can choose whether that information should be removed from Code42 backups. Code42 app users can delete files containing personal data from their backup archives if a Code42 administrator allows it and does not lock backup settings.
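The "right to be forgotten" steps above assume you can first identify which files on a device mention the individual who made the request; the page leaves that step to you, and it has to happen before anything can be excluded from backup or deleted from an archive. The following Python script is an added example, not Code42's code and not a Code42 API: given the identifiers from an erasure request (a name and an e-mail address), it walks a directory tree, skips binary files, flags the text files that mention any identifier, and writes a list of candidate paths for an administrator to review and then exclude from backup. The sample files, names and addresses are constructed for the example; `SAMPLE_FILES`, `find_subject_files`, `write_exclusion_list` and `run_demo` are names chosen here, not Code42 features.

```python
"""Locate files on a device that mention a data subject's identifiers.

Added example (not Code42 code): given the identifiers from an erasure
request, walk a directory tree, flag the text files that mention them,
and emit a list an administrator can review before excluding those
files from backup. Sample files below are constructed for the example.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample files; paths, names and addresses are hypothetical.
SAMPLE_FILES = {
    "hr/onboarding.csv": b"name,email,start\nAnna Example,anna.example@example.org,2017-03-01\n",
    "hr/old_onboarding.csv": b"name,email\nANNA EXAMPLE,old.address@example.org\n",
    "exports/contacts.json": b'{"contact": "A. Example <anna.example@example.org>"}\n',
    "notes/meeting.txt": b"Discussed the roadmap with the product team.\n",
    "bin/blob.dat": bytes(range(256)),  # binary content: must be skipped, not misread
}


def build_patterns(identifiers):
    """Compile one case-insensitive, whole-token regex per identifier.

    Lookarounds rather than \\b so identifiers that start or end with a
    non-word character (e.g. a trailing '.') still match as whole tokens.
    """
    return {
        ident: re.compile(r"(?<!\w)" + re.escape(ident) + r"(?!\w)", re.IGNORECASE)
        for ident in identifiers
    }


def looks_binary(chunk):
    """Treat a file as binary if its leading bytes contain a NUL."""
    return b"\x00" in chunk


def find_subject_files(root, identifiers, max_bytes=4 * 1024 * 1024):
    """Return {relative_path: [matched identifiers]} for files under root.

    Only the first max_bytes of each file are read, to bound memory on
    large logs or exports; undecodable bytes are replaced, not fatal.
    """
    patterns = build_patterns(identifiers)
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            data = fh.read(max_bytes)
        if looks_binary(data[:8192]):
            continue
        text = data.decode("utf-8", errors="replace")
        matched = sorted(ident for ident, pat in patterns.items() if pat.search(text))
        if matched:
            hits[path.relative_to(root).as_posix()] = matched
    return hits


def write_exclusion_list(hits, out_file):
    """Write one matched path per line, sorted, for review before exclusion."""
    lines = sorted(hits)
    Path(out_file).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


def run_demo():
    """Materialise the constructed samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        hits = find_subject_files(root, ["Anna Example", "anna.example@example.org"])
        # The list is written after the scan so it is not itself picked up.
        write_exclusion_list(hits, Path(root, "exclude.txt"))
        return hits


if __name__ == "__main__":
    for rel, matched in sorted(run_demo().items()):
        print(f"{rel}: {', '.join(matched)}")
```

The script is a first pass only: a match on a common name is not proof that the file is about the requester, so the list is meant to be reviewed before the paths are excluded in the administration console, and, as the page notes, already-archived copies persist until archive maintenance next runs.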
Additional resources
- If you are new to Code42 for Enterprise or CrashPlan for Small Business, contact our sales team to get started.
- If you already have a Code42 for Enterprise or CrashPlan for Small Business deployment, contact sales to engage your Code42 Professional Services representative if you have questions on how to use Code42 for Enterprise or CrashPlan for Small Business to help meet your GDPR compliance needs.
- Additional information on the General Data Protection Regulation (GDPR) can be found using the following resources:
- Home page of the EU GDPR
- PDF of the GDPR
- Intersoft Consulting: Full text of the GDPR (organized for easy searching)
- Code42 white paper: The Path to Rapid GDPR Compliance
- Code42 webinar: Be Prepared: Accounting for the Endpoint in Your GDPR Strategy
- Code42 toolkit: Be Ready: Enabling GDPR Compliance with Code42