Data management and GDPR
Manage and oversee the lifecycle of your organization's employee data. Define the retention period of inventory and operational data, and comply with the General Data Protection Regulation (GDPR) for retrieval, anonymization, and deletion of data.
Accessing the Data Management page
Select Administration from the main menu.
Click on Data Management (GDPR) in the Content Management section of the navigation panel.
The Data Management (GDPR) link only appears for users with Manage data (GDPR) administrative permissions and requires a none (full access) data privacy setting. Refer to the Profiles page for more information.
General Data Protection Regulation (GDPR)
The GDPR introduces a single legal data protection framework for both organizations and individuals within the European Union (EU). The GDPR was approved in April 2016 and became directly applicable on May 25, 2018. As of that date, all companies and entities, including those outside the EU, that control or process personal data related to EU residents are obliged by the regulation to satisfy certain user rights.
When using the Nexthink platform, your organization stores data that describes the digital behavior of end-users and allows for their personal identification. This kind of personal data usually lies in the context of employment. The end-users are generally employees of the organization that controls and processes their data, although this may not always be the case. Even if the GDPR allows for some discretion to ensure the protection of processing personal data in the context of employment (article 88), the protection of this data is still under the GDPR, as long as your employees are EU residents. Consult your legal department in case of any doubt.
Managing employee data
Manage employee data and comply with the GDPR.
Data retention
Configure the data retention timeframe for your organization’s Nexthink instance.
Inventory data retention: Select the retention timeframe for inventory data. This setting applies to devices, users and other inventory objects. It does not apply to binaries.
Operational data retention: Select the retention timeframe for operational data. This setting applies to events collected from employee devices, alerts triggered by alert monitors, remote action executions and binaries. Operational data retention must be shorter or equal to inventory data retention.
After you save the configuration, the system applies the changes to all new events and all active binaries.
Data retrieval
Article 15 of the GDPR grants data subjects the right to access their personal data.
Retrieve data for any employee monitored by the Nexthink platform for the features and modules listed in the Data drop-down menu. Retrieve all other employee data directly using the Investigations module.
Username: Enter the username of the employee whose data you want to download.
Data: Select the feature or module to download the data from:
Executions
Sessions
Applications
Collaboration
Campaigns
Click the Retrieve user data button. The system opens the Investigations page with the results of the NQL query, which you can export to a CSV format.
Data anonymization
Article 17 of the GDPR grants the data subject the right to be forgotten. Nexthink provides a way to anonymize data so that it no longer refers to either an employee or a device.
Select from the following options:
User: The system sets all the associated fields to null.
Device: The system sets all the associated fields to null.
Enter the Username or Device name depending on the option you chose in the previous step.
Click the Anonymize user data or Anonymize device data button to start the process.
Once you start the anonymization process, it is irreversible as the system anonymizes the values at the storage level.
Data deletion
Article 17 of the GDPR grants the data subject the right to be forgotten. Nexthink provides a way to erase data, such as information related to users or devices.
Select from the following options:
Upload CSV file: Upload a CSV file with either user UIDs and SIDs, or device UIDs along with the corresponding device names you wish to delete. The CSV should only include either user UIDs or device UIDs, but not both.
List users: Navigate to the Investigations module, which includes a preconfigured query to find a list of all users. This helps you generate the CSV file.
List devices: Navigate to the Investigations module, which includes a preconfigured query to find a list of all devices. This helps you generate the CSV file.
Click the Delete button to start the process.
Once you start the deletion process, it is irreversible. It can take up to 30 minutes to delete all the data.
RELATED TOPICS