What settings in Spirion Sensitive Data Platform impact GDPR Compliance?
GDPR requires organizations to protect the personal data of EU residents and maintain a detailed inventory of processing activities (Article 30).
1. Broad Personal Data Discovery (AnyFind® & Sensitive Data Engine)
GDPR defines "personal data" very broadly. To comply, you must enable a wide range of data types:
- Standard Identifiers: Enable AnyFind® for Name, Email Address, Phone Number, Physical Address, and IP Address.
- Special Categories (Article 9): Enable discovery for "sensitive personal data," including Health Info, Religious Affiliation, and Political Opinions (often found via custom keyword lists in the Sensitive Data Engine).
- Custom Identifiers: Use the Sensitive Data Engine to create patterns for EU-specific identifiers like VAT numbers, National ID numbers (e.g., French NIR or Spanish DNI), and Passport numbers.
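As an added illustration (not Spirion code or Sensitive Data Engine syntax), the following validates two of the identifiers named above, the Spanish DNI and the French NIR, with their check-digit rules, which is what keeps a custom pattern from firing on any 8- or 15-digit run; the sample text, the regexes and the masking helper are constructed for this example.

```python
import re

# Constructed sample text. The NIR value is the widely published documentation
# example and the DNI is the textbook test value; neither belongs to a real person.
SAMPLE_TEXT = """
Contrato firmado por DNI 12345678Z (copia en archivo); referencia 12345678A.
Dossier RH: NIR 2 69 05 49 588 157 80, doublon erroné 2 69 05 49 588 157 81,
assuré corse 1 51 02 2A 123 456 02.
"""

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"  # official DNI check-letter table
DNI_RE = re.compile(r"\b(\d{8})[ -]?([A-Z])\b")
# NIR fields: sex, birth year, month, department (2A/2B for Corsica),
# commune, order number, and the two-digit control key
NIR_RE = re.compile(
    r"\b([12])\s?(\d{2})\s?(\d{2})\s?(\d{2}|2[AB])\s?(\d{3})\s?(\d{3})\s?(\d{2})\b"
)

def valid_dni(digits: str, letter: str) -> bool:
    """Spanish DNI: the letter is the 8-digit number modulo 23, indexed into the table."""
    return DNI_LETTERS[int(digits) % 23] == letter

def valid_nir(sex, yy, mm, dept, commune, order, key) -> bool:
    """French NIR: key == 97 - (13-digit body mod 97); Corsica 2A/2B count as 19/18."""
    dept = {"2A": "19", "2B": "18"}.get(dept, dept)
    body = int(sex + yy + mm + dept + commune + order)
    return 97 - (body % 97) == int(key)

def mask(value: str, keep: int = 2) -> str:
    """Report only the trailing characters so a finding does not replicate the data."""
    return "*" * (len(value) - keep) + value[-keep:]

def find_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (identifier type, masked match) for every checksum-valid hit in text."""
    findings = []
    for m in DNI_RE.finditer(text):
        if valid_dni(m.group(1), m.group(2)):
            findings.append(("ES_DNI", mask(m.group(0))))
    for m in NIR_RE.finditer(text):
        if valid_nir(*m.groups()):
            findings.append(("FR_NIR", mask(m.group(0))))
    return findings

if __name__ == "__main__":
    # Expect one DNI and two NIRs; the two values with bad check digits are dropped.
    for kind, value in find_identifiers(SAMPLE_TEXT):
        print(kind, value)
```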
2. Persistent Data Classification
Article 5 of the GDPR requires data to be processed in a way that ensures appropriate security.
- Metadata Tagging: Configure Spirion to apply persistent classification labels directly to file metadata. This ensures that even if a file is moved, its "GDPR Sensitive" status follows it, allowing other security tools (like DLP or CASB) to enforce access controls.
- Visual Markers: For user awareness, enable visual markers (like headers or footers) that inform employees when they are working with protected personal data.
3. Data Subject Access Requests (DSAR) & Right to Erasure
GDPR grants individuals the right to access their data and the "Right to be Forgotten" (Article 17).
- Search by Subject: Use Spirion's search capabilities to locate all instances of a specific individual's data across the entire enterprise (endpoints, cloud, and databases) to fulfill a DSAR.
- Automated Erasure: Use Remediation settings (Shred/Delete) to completely and defensibly erase a data subject's information upon request, providing an auditable trail of the action.
4. Data Minimization & Retention (Playbooks)
Article 5(1)(c) requires that personal data be "adequate, relevant and limited to what is necessary."
- Defensible Deletion: Use Playbooks to automatically identify and shred personal data that has exceeded its defined retention period.
- Duplicate Removal: Configure scans to find and remove redundant copies of personal data, reducing the organization's overall risk surface.
5. Continuous Monitoring (Sensitive Data Watcher™)
GDPR requires "privacy by design and by default" and rapid breach notification (Article 33).
- Real-Time Detection: Enable Sensitive Data Watcher™ to monitor file systems in real time. If an employee saves a new file containing personal data to an insecure location, Spirion can instantly classify, report, or remediate it.
- Breach Impact Analysis: In the event of a security incident, use Spirion's historical reports to quickly determine exactly what personal data was on the affected systems, facilitating the 72-hour notification requirement.
6. Agent-Side Masking (Privacy by Design)
To minimize the amount of personal data stored within the Spirion platform itself:
- Pre-Shipping Redaction: Configure agents to mask/redact personal data matches before they are sent to the SaaS console. This ensures the console acts as a "map" of where data is, rather than a "repository" of the data itself.
Recommendations for GDPR
- Map Your Data Geographically: Use Spirion to identify where personal data is stored and ensure it aligns with GDPR's cross-border data transfer rules.
- Empower the DPO: Provide your Data Protection Officer (DPO) with a dedicated Console Profile (RBAC) so they can independently audit the organization's data footprint and compliance progress.
- Focus on Unstructured Data: GDPR risk is highest in "dark data" (emails, PDFs, and spreadsheets). Prioritize these targets to find the personal data that traditional database security tools miss.
Summary
Spirion Sensitive Data Platform supports GDPR compliance by providing the accuracy to inventory broad categories of personal data, the automation to enforce data subject rights and retention policies, and the visibility to monitor data processing in real time. These settings enable organizations to move from manual spreadsheets to a dynamic, auditable data privacy program.