# Data management and GDPR

Manage and oversee the lifecycle of your organization's employee data. Define the retention period of inventory and operational data, and comply with the General Data Protection Regulation (GDPR) for retrieval, anonymization, and deletion of data.

## Accessing the Data Management page <a href="#datamanagementandgdpr-accessingthedatamanagementpage" id="datamanagementandgdpr-accessingthedatamanagementpage"></a>

* Select **Administration** from the main menu.
* Click on **Data Management (GDPR)** in the Content Management section of the navigation panel.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-3cc8ec585f78a74cff31e91ec1944a5ff1ca6632%2Fdatamgmt-1707234016.png?alt=media" alt="Accessing the Data Management page" width="760"><figcaption></figcaption></figure>

The Data Management (GDPR) link only appears for users with **Manage data (GDPR)** administrative permissions and requires a **none (full access)** data privacy setting. Refer to the [Roles](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/roles) page for more information.

## General Data Protection Regulation (GDPR) <a href="#datamanagementandgdpr-generaldataprotectionregulation-gdpr" id="datamanagementandgdpr-generaldataprotectionregulation-gdpr"></a>

The GDPR introduces a single legal data protection framework for both organizations and individuals within the European Union (EU). The GDPR was approved in April 2016 and became directly applicable on May 25, 2018. As of that date, all companies and entities, including those outside the EU, that control or process personal data related to EU residents are obliged by the regulation to satisfy certain user rights.

When using the Nexthink platform, your organization stores data that describes the digital behavior of end-users and allows for their personal identification. This kind of personal data usually falls within the context of employment. The end-users are generally employees of the organization that controls and processes their data, although this may not always be the case. Although the GDPR allows for some discretion in how the protection of personal data processed in the context of employment is ensured (Article 88), this data remains subject to the GDPR as long as your employees are EU residents. Consult your legal department in case of any doubt.

## Managing employee data <a href="#datamanagementandgdpr-managingemployeedata" id="datamanagementandgdpr-managingemployeedata"></a>

Manage employee data and comply with the GDPR.

### Data retention <a href="#datamanagementandgdpr-dataretention" id="datamanagementandgdpr-dataretention"></a>

Configure the data retention timeframe for your organization’s Nexthink instance.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-9396fcff63a01094f46ef0172ea715d56144b94f%2Fgdpr-1712923138.png?alt=media" alt="GDPR - 1712923138.png" width="760"><figcaption></figcaption></figure>

* **Inventory data retention:** Select the retention timeframe for inventory data. This setting applies to all inventory objects except binaries.
* **Operational data retention:** Select the retention timeframe for operational data. This setting applies to events collected from employee devices, alerts triggered by alert monitors, remote action executions, and binaries. Operational data retention must be shorter than or equal to inventory data retention.

Refer to [Data we collect and store](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/getting-started/understanding-key-data-platform-concepts/data-we-collect-and-store) and [Data resolution and retention](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/getting-started/understanding-key-data-platform-concepts/data-resolution-and-retention) documentation pages for more information about data categories.

{% hint style="info" %}
After you save the configuration, the system applies the changes to all new events and all active binaries.
{% endhint %}

### Data retrieval <a href="#datamanagementandgdpr-dataretrieval" id="datamanagementandgdpr-dataretrieval"></a>

Article 15 of the GDPR grants data subjects the right to access their personal data.

Retrieve data for any employee monitored by the Nexthink platform for the features and modules listed in the **Data** drop-down menu. Retrieve all other employee data directly using the Investigations module.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-64b0579be4f79db6d3a0448fc9863f0e09997776%2Fgdpr-1712923277.png?alt=media" alt="GDPR - 1712923277.png" width="760"><figcaption></figcaption></figure>

* **Username:** Enter the username of the employee whose data you want to download.
* **Data:** Select the feature or module to download the data from:
  * Executions
  * Sessions
  * Applications
  * Collaboration
  * Campaigns

Click the **Retrieve user data** button. The system opens the Investigations page with the results of the NQL query, which you can export in CSV format.

### Data anonymization <a href="#datamanagementandgdpr-dataanonymization" id="datamanagementandgdpr-dataanonymization"></a>

Article 17 of the GDPR grants the data subject the right to be forgotten. Nexthink provides a way to anonymize data so that it no longer refers to either an employee or a device.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-ae75964c8f6fef7ee5b25a4b7dba0fec5b7ede7d%2Fgdpr-1712923339.png?alt=media" alt="GDPR - 1712923339.png" width="760"><figcaption></figcaption></figure>

Select from the following options:

* **User**: The system sets all the associated fields to *null*.
* **Device**: The system sets all the associated fields to *null*.

Enter the **Username** or **Device name**, depending on the option you chose in the previous step.

Click the **Anonymize user data** or **Anonymize device data** button to start the process.

{% hint style="info" %}
Once you start the anonymization process, it is irreversible as the system anonymizes the values at the storage level.
{% endhint %}

### Data deletion <a href="#datamanagementandgdpr-datadeletion" id="datamanagementandgdpr-datadeletion"></a>

Article 17 of the GDPR grants the data subject the right to be forgotten. Nexthink provides a way to erase data, such as information related to users or devices.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-7e49247ecfa527dc374c0a33989d2effc6189a14%2Fgdpr-1712835976.png?alt=media" alt="GDPR - 1712835976.png" width="760"><figcaption></figcaption></figure>

Select from the following options:

* **Upload CSV file**: Upload a CSV file with either user UIDs and SIDs, or device UIDs along with the corresponding device names you wish to delete. The CSV should only include either user UIDs or device UIDs, but not both.
* **List users**: Navigate to the **Investigations** module, which includes a preconfigured query to find a list of all users. This helps you generate the CSV file.
* **List devices**: Navigate to the **Investigations** module, which includes a preconfigured query to find a list of all devices. This helps you generate the CSV file.

Click the **Delete** button to start the process.

{% hint style="info" %}
Once you start the deletion process, it is irreversible. It can take up to 30 minutes to delete all the data.
{% endhint %}
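Because deletion is irreversible, it is worth checking the CSV file before uploading it. The following pre-upload check is an added example, not Nexthink code: it confirms that a file lists only users or only devices and flags empty or duplicate entries. The column headers `uid`, `sid` and `name` are assumptions; adjust them to match the export from the Investigations module.

```python
import csv
import io

# Assumed column headers (hypothetical): align them with your Investigations export.
USER_COLUMNS = {"uid", "sid"}
DEVICE_COLUMNS = {"uid", "name"}


def check_deletion_csv(text):
    """Return (kind, row_count, problems) for a deletion CSV passed as a string."""
    reader = csv.DictReader(io.StringIO(text))
    headers = {(h or "").strip().lower() for h in (reader.fieldnames or [])}
    if "sid" in headers and "name" in headers:
        return "mixed", 0, ["file mixes user (sid) and device (name) columns"]
    if headers == USER_COLUMNS:
        kind = "user"
    elif headers == DEVICE_COLUMNS:
        kind = "device"
    else:
        return "unknown", 0, [f"unexpected columns: {sorted(headers)}"]

    problems, seen, count = [], set(), 0
    for row in reader:
        count += 1
        line = reader.line_num
        if None in row:  # more fields than headers
            problems.append(f"line {line}: too many fields")
        values = {k.strip().lower(): (v or "").strip()
                  for k, v in row.items() if k is not None}
        for column in sorted(headers):
            if not values.get(column):
                problems.append(f"line {line}: empty {column}")
        uid = values.get("uid")
        if uid and uid in seen:
            problems.append(f"line {line}: duplicate uid {uid}")
        seen.add(uid)
    return kind, count, problems


# Constructed sample data, not real identifiers.
USERS_OK = "uid,sid\nu-0001,S-1-5-21-1-2-3-1001\nu-0002,S-1-5-21-1-2-3-1002\n"
DEVICES_BAD = "uid,name\nd-0001,LAPTOP-01\nd-0001,LAPTOP-02\nd-0003,\n"
MIXED = "uid,sid,name\nu-0001,S-1-5-21-1-2-3-1001,LAPTOP-01\n"

if __name__ == "__main__":
    for label, sample in [("users", USERS_OK), ("devices", DEVICES_BAD), ("mixed", MIXED)]:
        print(label, check_deletion_csv(sample))
```

Upload the file only when the returned list of problems is empty and the detected kind matches the deletion you intend.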

***

RELATED TOPICS

* [Data resolution and retention](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/getting-started/understanding-key-data-platform-concepts/data-resolution-and-retention)
* [Roles](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/roles)
