Skip to content
English
Submit a support ticket
  • There are no suggestions because the search field is empty.

Handling Personal Data in Exported Reports from Impero

This guidance outlines important considerations when exporting data from Impero that may contain personal or sensitive information.

When you export data from Impero (for example Reports, Activities, Evidence, or Audit trail logs), the exported file may contain personal data, such as:

  • user names and email addresses,
  • roles and responsibilities,
  • comments and free-text fields,
  • timestamps and activity history.

Once data is exported, it is no longer protected by Impero’s access controls.
You are responsible for handling exported files in accordance with your organisation’s policies and applicable data protection requirements.

Before you export

Before exporting, consider:

  • Do you need personal data in the export, or can the report be used without it?
  • Can the purpose be fulfilled with a limited date range, fewer fields, or fewer users?

Only export what is necessary for your task (e.g. audit documentation, management reporting).

Secure storage of exported files

Store exported files containing personal data only in approved and secure locations, such as:

  • company-controlled drives,
  • approved document management systems,
  • encrypted storage solutions.

Avoid storing exported reports:

  • on personal devices,
  • in unsecured folders,
  • in shared locations without access restrictions.

Access control and internal sharing

Limit access to exported reports to authorised users with a legitimate need to know.

When sharing internally:

  • confirm recipients are authorised,
  • avoid forwarding files unnecessarily,
  • consider removing or anonymising personal data if it is not required.

External sharing

If exported reports are shared outside your organisation (e.g. with auditors or regulators):

  • use secure file transfer methods,
  • avoid public links or unrestricted access,
  • share only the data required for the specific purpose.

Retention and deletion

Keep exported files only for as long as necessary to fulfil their purpose.

When the report is no longer needed:

  • delete it in accordance with your organisation’s retention policy,
  • ensure deletion includes local copies, email attachments, and shared folders.

Security incidents

If an exported report from Impero:

  • is lost,
  • is shared with unauthorised recipients, or
  • is accessed by someone who should not have access,

follow your organisation’s incident response procedures and report the issue immediately.

Roles and responsibility

Your organisation is the data controller for personal data processed in Impero.
Impero processes personal data on your organisation’s instructions.

Responsibility for personal data in exported reports lies with your organisation and its users.