Viewing compliance reports

BlueXP classification provides reports that you can use to better understand the status of your organization’s data privacy program.

By default, the BlueXP classification dashboards display compliance and governance data for all working environments, databases, and data sources. If you want to view reports that contain data for only some of the working environments, select those working environments.

Note

  • The reports described in this section are available only if you have chosen to perform a full classification scan on your data sources. Data sources that have had a mapping-only scan can only generate the Data Mapping Report.

  • NetApp can’t guarantee 100% accuracy of the personal data and sensitive personal data that BlueXP classification identifies. You should always validate the information by reviewing the data.

Privacy Risk Assessment Report

The Privacy Risk Assessment Report provides an overview of your organization’s privacy risk status, as required by privacy regulations such as GDPR and CCPA. The report includes the following information:

Compliance status

A severity score and the distribution of data, whether it’s non-sensitive, personal, or sensitive personal.

Assessment overview

A breakdown of the types of personal data found, as well as the categories of data.

Data subjects in this assessment

The number of people, by location, for which national identifiers were found.

Generating the Privacy Risk Assessment Report

Go to the Compliance tab to generate the report.

Steps

  1. From the BlueXP menu, click Governance > Classification.

  2. Click Compliance, and then click the download icon next to Privacy Risk Assessment under Reports.

    A screen shot of the Compliance tab in BlueXP that shows the Reports pane where you can click Privacy Risk Assessment.

Result

BlueXP classification generates a PDF report that you can review and send to other groups as needed.

Severity score

BlueXP classification calculates the severity score for the Privacy Risk Assessment Report on the basis of three variables:

  • The percentage of personal data out of all data.

  • The percentage of sensitive personal data out of all data.

  • The percentage of files that include data subjects, determined by national identifiers such as national IDs, Social Security numbers, and tax ID numbers.

The logic used to determine the score is as follows:

Severity score Logic

0

All three variables are exactly 0%

1

One of the variables are larger than 0%

2

One of the variables are larger than 3%

3

Two of the variables are larger than 3%

4

Three of the variables are larger than 3%

5

One of the variables are larger than 6%

6

Two of the variables are larger than 6%

7

Three of the variables are larger than 6%

8

One of the variables are larger than 15%

9

Two of the variables are larger than 15%

10

Three of the variables are larger than 15%

PCI DSS Report

The Payment Card Industry Data Security Standard (PCI DSS) Report can help you identify the distribution of credit card information across your files. The report includes the following information:

Overview

How many files contain credit card information and in which working environments.

Encryption

The percentage of files containing credit card information that are on encrypted or unencrypted working environments. This information is specific to Cloud Volumes ONTAP.

Ransomware Protection

The percentage of files containing credit card information that are on working environments that do or don’t have ransomware protection enabled. This information is specific to Cloud Volumes ONTAP.

Retention

The timeframe in which the files were last modified. This is helpful because you shouldn’t keep credit card information for longer than you need to process it.

Distribution of Credit Card Information

The working environments where the credit card information was found and whether encryption and ransomware protection are enabled.

Generating the PCI DSS Report

Go to the Compliance tab to generate the report.

Steps

  1. From the BlueXP menu, click Governance > Classification.

  2. Click Compliance, and then click the download icon next to PCI DSS Report under Reports.

    A screen shot of the Compliance tab in BlueXP that shows the Reports pane where you can click Privacy Risk Assessment.

Result

BlueXP classification generates a PDF report that you can review and send to other groups as needed.

HIPAA Report

The Health Insurance Portability and Accountability Act (HIPAA) Report can help you identify files containing health information. It is designed to aid in your organization’s requirement to comply with HIPAA data privacy laws. The information BlueXP classification looks for includes:

  • Health reference pattern

  • ICD-10-CM Medical code

  • ICD-9-CM Medical code

  • HR - Health category

  • Health Application Data category

The report includes the following information:

Overview

How many files contain health information and in which working environments.

Encryption

The percentage of files containing health information that are on encrypted or unencrypted working environments. This information is specific to Cloud Volumes ONTAP.

Ransomware Protection

The percentage of files containing health information that are on working environments that do or don’t have ransomware protection enabled. This information is specific to Cloud Volumes ONTAP.

Retention

The timeframe in which the files were last modified. This is helpful because you shouldn’t keep health information for longer than you need to process it.

Distribution of Health Information

The working environments where the health information was found and whether encryption and ransomware protection are enabled.

Generating the HIPAA Report

Go to the Compliance tab to generate the report.

Steps

  1. From the BlueXP menu, click Governance > Classification.

  2. Click Compliance, and then click the download icon next to HIPAA Report under Reports.

    A screen shot of the Compliance tab in BlueXP that shows the Reports pane where you can click HIPAA.

Result

BlueXP classification generates a PDF report that you can review and send to other groups as needed.

What is a Data Subject Access Request?

Privacy regulations such as the European GDPR grant data subjects (such as customers or employees) the right to access their personal data. When a data subject requests this information, this is known as a DSAR (data subject access request). Organizations are required to respond to these requests "without undue delay", and at the latest within one month of receipt.

You can respond to a DSAR by searching for a subject’s full name or known identifier (such as an email address) and then downloading a report. The report is designed to aid in your organization’s requirement to comply with GDPR or similar data privacy laws.

How can BlueXP classification help you respond to a DSAR?

When you perform a data subject search, BlueXP classification finds all of the files, buckets, OneDrive, and SharePoint accounts that have that person’s name or identifier in it. BlueXP classification checks the latest pre-indexed data for the name or identifier. It doesn’t initiate a new scan.

After the search is complete, you can then download the list of files for a Data Subject Access Request report. The report aggregates insights from the data and puts it into legal terms that you can send back to the person.

Note Data subject search is not supported within databases at this time.

Searching for data subjects and downloading reports

Search for the data subject’s full name or known identifier and then download a file list report or DSAR report. You can search by any personal information type.

Note English, German, and Spanish are supported when searching for the names of data subjects. Support for more languages will be added later.
Steps

  1. From the BlueXP menu, click Governance > Classification.

  2. Click Data Subjects.

  3. Search for the data subject’s full name or known identifier.

    Here’s an example that shows a search for the name john doe:

    A screenshot that shows a search for the name "John Doe" for a DSAR.

  4. Choose one of the available options:

    • Download DSAR Report: A formal response to the access request that you can send to the data subject. This report contains automatically-generated information based on data that BlueXP classification found on the data subject and is designed to be used as a template. You should complete the form and review it internally before sending it to the data subject.

    • Investigate Results: A page that enables you to investigate the data by searching, sorting, expanding details for a specific file, and by downloading the file list.

      Note If there are more than 10,000 results, only the top 10,000 appear in the file list.

Selecting the working environments for reports

You can filter the contents of the BlueXP classification Compliance dashboard to see compliance data for all working environments and databases, or for just specific working environments.

When you filter the dashboard, BlueXP classification scopes the compliance data and reports to just those working environments that you selected.

Steps

  1. Click the filter drop-down, select the working environments that you’d like to view data for, and click View.

    A screen shot of selecting the working environments for the reports you want to run.