The European Union General Data Protection Regulation (GDPR) will bring about an unprecedented change for data controllers beginning on May 25, 2018. GDPR is a privacy and data protection regime that will tie together individual, preexisting privacy laws from European Union member states and empower individuals with more control than ever over the usage of their personal data. This includes the rights to consent, to access, and to be forgotten.
We’ll explore the security features and functionality within ConnectWise Control and how they support specific articles within GDPR. Please be aware that this information is for educational and awareness purposes only, and does not provide, does not constitute, and should not be construed as legal advice.
Consent to Control
End-users have to provide explicit consent to share data with companies, per GDPR Articles 7 and 18. When the “HostSessionWithoutConsent” option is unchecked in host user roles in ConnectWise Control, end-users have to explicitly give consent before a host can control their device. End-users can also withdraw consent at any time.
Change Desired Server Location
One of the guidelines in GDPR details how and where data can be stored. Data must be stored in the EU unless the country the data is being transferred to ensures an adequate level of protection and rights for the EU citizen. If your business is based in the EU, then you’re all set.
ConnectWise Control automatically stores your instance and database in the server closest to your location. If you’re a company that is based outside of the EU, but has offices or clients located in EU member countries, you can easily change the desired location of your ConnectWise Control instance. Once changed, your instance will be migrated to the server closest to the location you chose.
If appropriate, you may consider licensing more than one ConnectWise Control instance. You can then assign one or more instances to a location in the EU to support your European end-users specifically.
Auditing and Logging (Articles 15, 17, 20, 33)
Know who accessed what device when. The Audit page allows you to view a log of events, connections, and even videos (if enabled) of all sessions in your ConnectWise Control instance. Administrators are also able to search the database for specific sessions if requested by a client and remove the data if necessary. If there’s ever a question as to who connected to a session and what they did while connected, the Audit Log will have that information.
Database Maintenance
Control how much data you store and for how long by editing your database maintenance plan. The Database page allows administrators to set rules and select a schedule for cleaning and maintaining the ConnectWise Control database. Set a plan that makes the most sense for your business and meets the guidelines set in GDPR.
Limit Access to Data (Articles 5, 25, 32)
Limit who has access to personal data and who can access certain machines or servers by assigning user roles. Role-based security allows ConnectWise Control administrators to group users into roles for security purposes. Administrators have granular control over the roles, allowing them to set permissions down to who can access what machines, how they can access those devices, and what actions they can perform when connected.
Revoke Access (Articles 5, 25, 32, 33)
In case of a data breach or suspicious activity, administrators can immediately revoke access to their ConnectWise Control instance, including revoking host passes and all authenticated sessions.
Encryption (Articles 5, 32)
The ConnectWise Control Relay service is responsible for handling traffic to and from your ConnectWise Control server. All traffic is automatically encrypted with AES-256 block encryption and RSA provided by the Microsoft® RSA/Schannel Cryptographic Provider. These particular implementations of the AES-256 and RSA algorithms have been designated as FIPS compliant for ConnectWise Control servers on Windows.
Disclaimer
Please be advised that ConnectWise is not your attorney, and this information is not legal advice. This information does not provide, does not constitute, and should not be construed as, legal advice. It is for educational purposes only and is not to be acted or relied upon as legal advice. Use of this information does not create any attorney-client relationship between you and ConnectWise. The information does not constitute legal advice and is not a substitute for competent legal advice from a licensed attorney representing you in your jurisdiction. Partners should seek advice from their legal counsel to determine their legal obligations.