What is GDPR
In an effort to standardize data protection requirements across Europe, the European Parliament and Council introduced the General Data Protection Regulation (GDPR).
GDPR sets strict rules for protecting the personal data of EU citizens. It applies to all forms of processing, including in the context of marketing, employment, information security, customer service, business-to-business sales, and e-commerce.
This new regulation affects nearly every organization that does online business with Europeans, regardless of geographic location. That is, if you are, for example, a US company that stores and processes the personal data of EU citizens, the GDPR concerns you as well.
Note also that, for the time being, the UK is still going to operate under GDPR. This means companies that do online business in the UK must protect the personal data of UK citizens within the requirements of GDPR.
HarePoint Analytics in terms of GDPR
The first and most important thing to note is that HarePoint Analytics for SharePoint does not request or obtain any new personal data from SharePoint users. Being a product that is fully integrated with SharePoint, HarePoint Analytics only takes the existing personal data that are already stored in SharePoint or in AD and then stores them in its local SQL database, basically copying data from one place to another within the same environment. In many cases, this even happens within the same SQL server.
These data are never (and technically cannot be) transferred to any third parties and never leave your company. That is, the personal data used by HarePoint Analytics are as secure as your SQL servers are. In turn, ensuring the security of SQL servers is already a task for a technical team as part of the preparation for GDPR compliance, so HarePoint Analytics specifically does not add any extra layers to this process.
Regarding the reports that HarePoint Analytics provides and the personal data that these reports may expose, it is important to note that the product has very flexible policies that allow hiding or anonymizing certain personal data that need to be protected as per GDPR or even beyond. This can be arranged in a way that sensitive personal data are visible only to specific user groups or even to only a few people in a company:
Figure 1: “Users Activity” report with visible personal data (user names)
Figure 2: The same “Users Activity” report with encryption of personal data enabled.
Moreover, HarePoint Analytics provides an opportunity to encrypt personal data on the fly at the stage of data collection and then store them in its SQL database in encrypted form, using irreversible encryption algorithms. This ensures the personal data cannot be retrieved even if direct database querying is attempted. This approach is suitable for cases where such a level of protection may be preferred or required.