With the Commvault software, your business can comply with the requirements of the General Data Protection Regulation (GDPR).
Note: To use the Activate feature, contact your Commvault account representative.
What Is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation that provides stronger data protections for individuals living within the European Union (EU). The GDPR went into effect on May 25, 2018. Since then, any organization that processes or manages the data of EU residents, also called data subjects, must comply with the GDPR or face audits and possible fines.
Which Commvault Products Support GDPR Compliance?
The following Commvault products and tools support compliance with GDPR:
GDPR Support with Activate
The Activate suite of solutions allows data processors to monitor the data in their environment and to manage data requests from end-users. Activate is included in the Command Center. For more information, see Setting Up Compliance Apps.
GDPR Sample Reports from Commvault
For examples of how Commvault provides insight into your organization's potential risk for exposure under GDPR, see the GDPR-specific reports provided in the Commvault Store.
For more information about Commvault solutions for GDPR, see GDPR Compliance on the Commvault corporate website.
How Can Commvault Products Help Organizations Comply with GDPR?
The GDPR outlines specific requirements regarding how organizations handle EU residents' personal data and data privacy. Commvault provides features to meet many of the obligations required by the regulation. These features are supported by the underlying framework of the Commvault software, called ContentStore.
Additional Products and Features that Support GDPR Compliance
The following list contains several Commvault products and features that most directly support compliance with the GDPR:
CommServe Software and ContentStore
The CommServe software is designed for managing and protecting end-user data and data privacy. The framework that supports all of the products and features, called the ContentStore, was designed to unify data management operations and allow organizations to have better, more seamless control of their data from a variety of interfaces.
The Web Console allows end-users to access and manage their data that has been backed up using ContentStore. From the Web Console interface, users can search and download their data directly from ContentStore. Administrators can also configure Web Console to enable end-users to delete any of their data backed up from ContentStore.
Content Analyzer is the engine that performs named entity extraction on data objects in ContentStore or Data Cube. Named entities can include personally identifiable information (PII), such as national identification numbers, credit card numbers, phone numbers, email addresses, and more. The Content Analyzer package includes several built-in types of named entities that are commonly considered PII. You can also create custom named entities based on regular expressions and incorporate these custom entities in your business workflow.
Data Cube enables you to connect different data repositories in your IT infrastructure into a single interface. Data Cube includes several native connectors for a variety of common sources of data, including databases, file shares, websites, popular customer relationship management platforms like Salesforce, and more. Data Cube is also fully integrated with Content Analyzer to provide seamless discovery of personally identifiable information (PII) in your data sources. Data Cube comes with a built-in report that allows you to view and assess the potential level of PII exposure in your data sources.
Content Indexing and Compliance Search
Compliance Search is a search interface that enables you to query all of your documents in ContentStore and discover data objects that require attention. The advanced search options and faceted search capabilities make Compliance Search a powerful tool for complying with legal requests for information or eDiscovery. You can also search for the named entities discovered using Content Analyzer directly from Compliance Search for easier identification of personally identifiable information (PII).
Delete Backup and Archived Data
Under the GDPR, individuals have the right to delete their personal data from operators or third-party repositories under certain circumstances. With Commvault, administrators can delete data from backup or archival media to comply with such requests. You can also configure the software to enable end-users to delete their own data directly from the Web Console.
Rights of Data Subjects Under GDPR
The following table outlines which Commvault products and features can help your organization meet the requirements of the GDPR, including the data rights of EU residents under the new regulation:
If an EU resident's personal data becomes compromised because of a data breach, organizations are obliged to notify the affected individuals within 72 hours.
Compliance Search enables you to search all of your documents in ContentStore to discover any data objects that require attention. Data Cube extends this functionality to different data repositories in your environment.
The alert features built into the CommServe software notify administrators of data activity in ContentStore. Administrators can also monitor data operations at a granular level using the Audit Trail feature in the CommServe software.
The security features included with Edge endpoint solutions, including DLP, Secure Erase, and laptop backups and restores, enable you to perform impact assessments of endpoint assets that can become lost or stolen.
Right to Access
EU residents have the right to know whether or not their personal data is being processed by an organization and for what purpose. Furthermore, the organization must be able to provide an electronic copy of the data upon request.
Content Analyzer identifies personal information within the contents of data managed by ContentStore. You can use the Compliance Search interface or Data Cube to discover and report personally identifiable information (PII) belonging to data subjects.
Right to Be Forgotten
An EU resident can ask an organization to delete their personal data if the data is no longer relevant to its original purpose or if the resident wishes to withdraw their consent to allow the organization to process their data. The right extends to possible third parties to the organization that might be in possession of the personal data.
The CommServe software supports deleting data from ContentStore. Administrators can browse or search the data in ContentStore and remove it from the backup or archival media with a simple delete operation.
EU residents have the right to receive their data that is being processed by an organization in a convenient format. They also have the right to transfer the personal data elsewhere.
Web Console enables end-users to access their data in ContentStore and download any backed up data to their computer. Compliance Search extends this functionality to the enterprise level and enables exporting data in a variety of formats.
Privacy by Design
Organizations that process EU residents' data must plan for data privacy at the beginning of all design projects. In other words, the requirements of the GDPR must not be an afterthought for the organization. Organizations must only process the data that is essential to the organization's tasks.
ContentStore is the framework that supports all of the products and features of the Commvault platform. ContentStore was built with the goal of data management, user privacy, and other GDPR stipulations in mind. The core operations provided by ContentStore include data backup, diverse restore functionalities, and user security.
European Commission GDPR Website
For more information about the GDPR itself, see the European Commission's website for data protection.