General Information
GDPR compliance is a challenge shared by companies and state-owned organizations. Nextcloud offers a number of features that help customers meet the strict requirements.
Some of the features below are available as apps. If you would like to use them, please consult your provider about app availability on your Nextcloud version. We are happy to help.
In a Nutshell
GDPR requirements
Security and Encryption
The GDPR requires organizations to ensure adequate protection for private data, from encryption to clear and well implemented security practices.
Availability and access
Private users have a right to demand a full overview of what data is collected, including an export of what an organization has on them.
Transparency and auditability
Upon request, an organization has to be able to show what it does with user data and who has (had) access to it, and it must be able to modify or delete any data it holds on private individuals.
In order to fulfill the above, we recommend the following apps and settings.
Security
Enforce strong password policy
The default settings are the following:
We recommend setting the policy according to the following principles:
- Minimum password length: 8
- User password history: 12
- Number of days until user password expires: 30
- Number of login attempts before the user account is blocked: 10
And enable the following:
- Forbid common passwords
- Enforce upper and lower case characters
- Enforce numeric characters
- Enforce special characters
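As an added illustration (not part of this guide and not Nextcloud's own code), the recommended policy expressed as a small Python checker: it rejects a new password that breaks any of the rules above, refuses reuse of the last 12 passwords, and applies the 10-attempt lockout. The common-password list is a constructed sample, and SHA-256 fingerprints stand in for the salted password hash a real deployment would use.

```python
import hashlib
import string
from dataclasses import dataclass

# Constructed sample of a "common password" list; a real deployment uses a
# much larger list (the Nextcloud app ships its own).
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1", "welcome1"}


@dataclass
class PasswordPolicy:
    """The settings recommended above, expressed as a policy object."""
    min_length: int = 8
    history_size: int = 12
    max_login_attempts: int = 10
    forbid_common: bool = True
    enforce_upper_lower: bool = True
    enforce_numeric: bool = True
    enforce_special: bool = True


def fingerprint(password: str) -> str:
    # History is compared on hashes, never on stored plaintext. A real
    # deployment uses a salted password hash; SHA-256 keeps this example short.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str, history: list[str]) -> list[str]:
    """Return the policy violations for a new password (empty list = accepted).
    `history` holds fingerprints of earlier passwords, oldest first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.forbid_common and candidate.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if policy.enforce_upper_lower and not (
        any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
    ):
        problems.append("needs upper and lower case characters")
    if policy.enforce_numeric and not any(c.isdigit() for c in candidate):
        problems.append("needs a numeric character")
    if policy.enforce_special and not any(c in string.punctuation for c in candidate):
        problems.append("needs a special character")
    # Only the most recent `history_size` passwords are off-limits.
    if fingerprint(candidate) in history[-policy.history_size:]:
        problems.append(f"reused one of the last {policy.history_size} passwords")
    return problems


def account_blocked(policy: PasswordPolicy, failed_attempts: int) -> bool:
    """Lockout rule: block once the configured number of failed logins is reached."""
    return failed_attempts >= policy.max_login_attempts
```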
Two-factor authentication
This feature is not flexible in terms of how many devices can be added as a second factor. Turn it on only after consulting with your administrator.
Encryption
Server-side encryption means that a master key is generated on the server and used to encrypt every file uploaded after the feature is turned on.
For more information about server-side encryption, consult the official Nextcloud documentation.
Availability and Access
To review how to meet this requirement check our Activity log and Data request articles.
Transparency and auditability
To review how to meet this requirement check our User account deletion and Terms of Service articles.
Add a link to your Privacy Policy and Legal Notice.
This will be visible on the logon screen.
Please note that this guide is offered "as is". We strongly advise all of our customers to consult a GDPR expert to review their own unique needs. Once the requirements are clear, we are happy to help implement them from the technical side.