Incydr and GDPR compliance

Updated July 08, 2025 19:14

Overview

The General Data Protection Regulation (GDPR) is a regulation enacted to strengthen data privacy for all individuals within the European Union (EU). All organizations that process personal data of individuals in the EU are required to comply with GDPR.

Incydr users can have substantial amounts of business-critical data on their devices, often including personal data. Incydr will comply with its requirements under GDPR. In addition, Incydr's product features can help your organization comply with its own compliance obligations under GDPR.

This article describes:

Incydr's compliance with GDPR
Insider risk agent features that support compliance
Backup agent features that support compliance

The GDPR sections in this article can help you develop a compliance plan, but are not an exhaustive list of things to consider.

Compliance is your responsibility
Incydr provides features you can use to meet your obligations under GDPR, but Incydr cannot dictate if and how you comply. It is your responsibility to develop the plan, methods, and procedures you will follow to be in compliance with GDPR.

Considerations

GDPR is effective as of 25 May 2018.
GDPR applies to both EU and non-EU companies if they process personal data about EU individuals.
Not all organizations include endpoints in their GDPR compliance strategy.

Data Processing Addendum (DPA)
Your Master Services Agreement incorporates a Data Processing Addendum (DPA) that provides contractual commitments Incydr customers need to meet their GDPR requirements.

Compliance with GDPR

GDPR sets forth baseline data-protection requirements for organizations that process and move the personal data of individuals in the EU. Organizations subject to GDPR must ensure that any service providers that process personal information of EU individuals meet specific requirements.

Incydr will comply with its requirements under GDPR. As part of our compliance, Incydr:

Implements technical and organizational measures to ensure personal data is protected.
Provides timely data-breach notifications to customers.
Transfers personal data outside the EU only if there is a lawful transfer mechanism in place with the organization receiving the data. This ensures adequate protection of the personal data being transferred.

For complete information about how Incydr handles your personal data, see our Privacy Statement.

Insider risk agent features to help you comply with GDPR

Data protection and recovery features

The following Incydr features enable data protection and recovery.

Relevant GDPR information

Article 5: "Principles relating to processing of personal data"
Article 25: "Data protection by design and by default"
Article 32: "Security of processing"

Keep data secure

All data transferred to Incydr is encrypted at rest and in transit and is not processed by Incydr for any purpose other than as agreed upon for the provision of our products and services.

Recover data

Because Incydr stores exfiltrated files in the cloud, an administrator can use Forensic Search to download files and examine them with forensic tools as part of compliance efforts.

Data viewing features

The following Incydr features provide your compliance officer with information about the data retained and allow your organization to comply with reporting requirements in the event of a data breach.

Relevant GDPR information

Article 35: "Data protection impact assessment"
Article 33: "Notification of a personal data breach to the supervisory authority"
Article 34: "Communication of a personal data breach to the data subject"

Monitor data flow

Monitor for high-risk behavior by configuring Incydr alerts and messages for high-risk data transfers to cloud storage, removable media, ZIP files, and more.

Report on data breaches

Use Incydr's Cases feature to compile and retain evidence in the event of a data breach.

Backup agent features to help you comply with GDPR

Data protection and recovery features

The following backup add-on features enable data protection and recovery.

Relevant GDPR information

Article 5: "Principles relating to processing of personal data"
Article 25: "Data protection by design and by default"
Article 32: "Security of processing"

Protect data from loss

Every file in user directories on all devices are backed up every 30 minutes by default per file retention settings, allowing for robust data recovery.

Keep data secure

All data transferred to Incydr is encrypted at rest and in transit and is not processed by Incydr for any purpose other than as agreed upon for the provision of our products and services.

Recover data

The backup add-on allows users to recover their files in the event of data loss arising from events such as a stolen device or ransomware.

Data viewing features

The following features provide your compliance officer with information about the data retained and allow your organization to comply with reporting requirements in the event of a data breach.

Relevant GDPR information

Article 35: "Data protection impact assessment"
Article 33: "Notification of a personal data breach to the supervisory authority"
Article 34: "Communication of a personal data breach to the data subject"

See data on devices

Because files on user devices are retained in archives, an administrator can download files from the archives and examine them with forensic tools as part of compliance efforts.

Report on data breaches

Use reporting features as part of your analysis and required reporting in the event of data breaches.

Features to assist with "right to erasure" requests

A provision of GDPR is the "right to erasure." If you receive requests from individuals who want their personal data "to be forgotten," you should be able to identify those individuals' personal data in your system, verify whether or not proper consent was obtained to collect the data, and be able to remove the data from any backups.

Keep in mind that:

EU individuals may have a "right to be forgotten" by any company that has their personal data, including companies outside of the EU.
Companies that have EU personal data should be prepared to respond to a request of disclosure of stored personal data, and possible deletion of that data, within 30 days.

Relevant GDPR information
Article 17: "Right to erasure (‘right to be forgotten’)"

Exclude files from backup

An administrator can exclude files from backup that contain personal data. Excluded files are removed from backup archives the next time archive maintenance is run.

Allow users to remove their files from backups

Under GDPR, users own their personal information and can choose whether that information should be removed from backups. Backup agent users can delete files containing personal data from their backup archives if an administrator allows it and does not lock backup settings.

Additional resources

If you are new to Incydr, contact our sales team to get started.
If you already have an Incydr deployment, contact sales to engage your Professional Services representative if you have questions on how to use Incydr to help meet your GDPR compliance needs.
Additional information on the General Data Protection Regulation (GDPR) can be found at:

Incydr and GDPR compliance

Overview

Considerations

Compliance with GDPR

Insider risk agent features to help you comply with GDPR

Data protection and recovery features

Keep data secure

Recover data

Data viewing features

Monitor data flow

Report on data breaches

Backup agent features to help you comply with GDPR

Data protection and recovery features

Protect data from loss

Keep data secure

Recover data

Data viewing features

See data on devices

Report on data breaches

Features to assist with "right to erasure" requests

Exclude files from backup

Allow users to remove their files from backups

Additional resources

Related topics

Comments