GDPR - Retrieving or anonymizing personal data

Overview

The General Data Protection Regulation (GDPR) introduces a single legal data protection framework for both businesses and individuals within the European Union (EU). The GDPR was approved in April 2016 and became directly applicable on 25 May 2018. As of that date, all companies (including those outside the EU) that control or process personal data relative to EU residents are obliged by the regulation to satisfy certain user rights.

When using Nexthink, companies store data that describes the digital behavior of end-users and allows their personal identification. This kind of personal data usually lies in the context of employment; that is, end users are generally employees of the company that controls and processes their data, although this may not always be the case. Even if the GDPR allows for specific rules to the processing of personal data in the context of employment (see article 88), the protection of this data is still under the GDPR, as long as your employees are EU residents. Consult your legal department in case of doubt.

GDPR in the Web Console

Prerequisites

Both the retrieval of user data from the Portal and the anonymization of user data in the Portal requires no special feature or additional module.

On the other hand, the retrieval of user data from the Engine makes use of the Web API and thus requires the purchase of the Nexthink Integrate module. In addition, the following conditions apply:

  • The Engines are federated with the Portal.

  • The Web Console in the Portal either trusts the server certificates of the Engines or disables certificate validation for GDPR.

Functions

To help you comply with the regulation, the Web Console includes a GDPR-specific section to let you run specialized scripts that perform the following functions:

Retrieve user data

Article 15 of the GDPR grants data subjects the right to access their personal data. Run the script in this mode to retrieve all the data relative to a particular user or device.

Anonymize user data

Article 17 of the GDPR grants the data subject the right to be forgotten. The script transforms the name of a user or a device to render the personal data unidentifiable.

These functions are available in either the Portal or the Engine databases according to the following table:

FunctionPortalEngine

Retrieve user data

Yes

Yes

Anonymize user data

Yes

No

Retrieving user data

To retrieve user data:

  1. Log in to the Web Console of the primary appliance.

  2. Select the APPLIANCE tab at the top of the Web Console.

  3. Click the GDPR section on the left-hand side menu.

  4. Under Retrieve user data, check either:

    • Username, to retrieve all the data related to a particular user.Type in the name of the user as it appears in either the Finder or the Portal.

    • Device name, to retrieve all the data related to a particular device.Type in the name of the device as it appears in either the Finder or the Portal.

  5. Tick either one or both:

    • Engine data to retrieve user or device data from the federated Engines (requires Nexthink Integrate).

    • Portal data to retrieve user or device data from the Portal.

  6. Click DOWNLOAD DATA.

    1. In the GDPR Retrieve data dialog that shows up, read first the confirmation message about the operation that you are about to make.

    2. Type in the credentials of a Nexthink user with the Data privacy property set to none (full access) so that the user has access to the Web API:

      1. As Username, type in the name of the existing Nexthink user.

      2. As Password, type in the password of the existing Nexthink user.

    3. If you want to retrieve Engine data, ensure that the Engines that hold the user data show up in the Engines List. Remember that you can only retrieve data from federated Engines.

    4. Click CONTINUE.

  7. Wait for the data retrieval to finish.

  8. Optional: Click CLOSE to cancel the data retrieval process.

  9. Once the data retrieval is finished, the download of the file gdpr-data.tar.gz starts automatically.

    • If the download does not start automatically, click the link CLICK HERE.

  10. Click CLOSE.

The downloaded file is the result of compressing a set of CSV files that hold all the recorded activity of the user (if Engine data was retrieved) and the results of metrics that have any information related to the user (if Portal data was retrieved).

Anonymizing user data

To anonymize user data in the Portal:

  1. Log in to the Web Console of the primary appliance.

  2. Select the APPLIANCE tab at the top of the Web Console.

  3. Click the GDPR section on the left-hand side menu.

  4. Under Anonymize user data, check either:

    • Username, to anonymize the data related to a particular user.Type in the name of the user as it appears in either the Finder or the Portal.

    • Device name, to anonymize the data related to a particular device.Type in the name of the device as it appears in either the Finder or the Portal.

  5. Tick Irreversibly anonymize Portal data to confirm your choice.

  6. Click ANONYMIZE DATA.

    1. In the GDPR Anonymize Portal data dialog that shows up, read first the confirmation message about the operation that you are about to make.

    2. Type in the credentials of a Nexthink user with the Data privacy property set to none (full access) so that the user has access to the Web API:

      1. As Username, type in the name of the existing Nexthink user.

      2. As Password, type in the password of the existing Nexthink user.

    3. Click ANONYMIZE.

  7. Wait for the data anonymization to finish.

  8. Optional: Click CLOSE to cancel the data anonymization process.

  9. Once the data anonymization is finished, the user is anonymized in the Portal.

  10. Click CLOSE.

Other mechanisms to comply with GDPR

In addition to the GDPR menu of the Web Console, remember that Nexthink provides you with other mechanisms that can help you comply with the GDPR:

Removal of devices

Helps you comply with the right to erasure by completely removing all the stored information about a particular device from the Engine.

Anonymization in traffic redirection

Helps you comply with the GDPR by removing all the information that can potentially identify a person from the Collector traffic received by the Engine.


RELATED TASK

RELATED REFERENCES

Last updated