Overview
The General Data Protection Regulation (GDPR) is a regulation enacted to strengthen data privacy for all individuals within the European Union (EU). All organizations that process personal data of individuals in the EU are required to comply with GDPR.
CrashPlan users have substantial amounts of business-critical data on their devices, often including personal data. CrashPlan will comply with its requirements under GDPR. In addition, CrashPlan's product features can help your organization comply with its own compliance obligations under GDPR.
This article describes:
- CrashPlan's compliance with GDPR
- CrashPlan Cloud, and other plans features that support compliance
The GDPR sections in this article can help you develop a compliance plan, but are not an exhaustive list of things to consider.
Compliance is your responsibility
CrashPlan provides features you can use to meet your obligations under GDPR, but CrashPlan cannot dictate if and how you comply. It is your responsibility to develop the plan, methods, and procedures you will follow to be in compliance with GDPR.
Considerations
- GDPR is effective as of 25 May 2018.
- GDPR applies to both EU and non-EU companies if they process personal data about EU individuals.
- Not all organizations include endpoints in their GDPR compliance strategy.
Data Processing Addendum (DPA)
CrashPlan's Master Services Agreement incorporates a Data Processing Addendum (DPA) that provides contractual commitments CrashPlan customers need to meet their GDPR requirements.
CrashPlan's compliance with GDPR
GDPR sets forth baseline data-protection requirements for organizations that process and move the personal data of individuals in the EU. Organizations subject to GDPR must ensure that any service providers that process personal information of EU individuals meet specific requirements.
CrashPlan will comply with its requirements under GDPR. As part of our compliance, CrashPlan:
- Implements technical and organizational measures to ensure personal data is protected.
- Provides timely data-breach notifications to customers.
- Transfers personal data outside the EU only if there is a lawful transfer mechanism in place with the organization receiving the data. This ensures adequate protection of the personal data being transferred.
For complete information about how CrashPlan handles your personal data, see the CrashPlan Privacy Statement.
CrashPlan features to help you comply with GDPR
Data protection and recovery features
The following CrashPlan features enable data protection and recovery.
Relevant GDPR information
- Article 5: "Principles relating to processing of personal data"
- Article 25: "Data protection by design and by default"
- Article 32: "Security of processing"
Protect data from loss
Every file in user directories on all devices are backed up every 15 minutes (CrashPlan for Enterprise) or 30 minutes (CrashPlan for Small Business) by default per file retention settings, allowing for robust data recovery.
Keep data secure
All data transferred to CrashPlan is encrypted at rest and in transit and is not processed by CrashPlan for any purpose other than as agreed upon for the provision of our products and services.
Recover data
CrashPlan allows users to recover their files in the event of data loss arising from events such as a stolen device or ransomware.
Data viewing features
The following CrashPlan features provide your compliance officer with information about the data retained and allow your organization to comply with reporting requirements in the event of a data breach.
Relevant GDPR information
- Article 35: "Data protection impact assessment"
- Article 33: "Notification of a personal data breach to the supervisory authority"
- Article 34: "Communication of a personal data breach to the data subject"
See data on devices
Because files on user devices are retained in archives, an administrator can download files from the archives and examine them with forensic tools as part of compliance efforts.
Report on data breaches
Use CrashPlan for Enterprise reporting features as part of your analysis and required reporting in the event of data breaches.
Features to assist with "right to erasure" requests
A provision of GDPR is the "right to erasure." If you receive requests from individuals who want their personal data "to be forgotten," you should be able to identify those individuals' personal data in your system, verify whether or not proper consent was obtained to collect the data, and be able to remove the data from any backups.
Keep in mind that:
- EU individuals may have a "right to be forgotten" by any company that has their personal data, including companies outside of the EU.
- Companies that have EU personal data should be prepared to respond to a request of disclosure of stored personal data, and possible deletion of that data, within 30 days.
Relevant GDPR information
Article 17: "Right to erasure (‘right to be forgotten’)"
Exclude files from backup
An administrator can exclude files from backup that contain personal data. Excluded files are removed from backup archives the next time archive maintenance is run.
Allow users to remove their files from backups
Under GDPR, users own their personal information and can choose whether that information should be removed from CrashPlan backups. CrashPlan app users can delete files containing personal data from their backup archives if a CrashPlan administrator allows it and does not lock backup settings.
Additional resources
- If you are new to CrashPlan, contact our sales team to get started.
- If you already have a CrashPlan for Enterprise deployment, contact sales to engage your CrashPlan Professional Services representative.
- Additional information on the General Data Protection Regulation (GDPR) can be found at: