Why should I comply with the GDPR?
  • Simplify processes and applications.

    Unifying all your data repositories and having a clear understanding of the type and purpose of data collection will help your organization easily facilitate data access and modification requests and will lead to enhanced security.

  • Gain that competitive edge.

    Businesses that aren't afraid to take the strict measures required to safeguard their customers' and employees' personal information will show that they take data privacy seriously, which will also positively impact customer perception.

  • Bring about a cultural shift.

    Realistically, you won't be able to achieve GDPR compliance in a day. Compliance is a gradual process of improvement that will bring about a culture of "security by design" within your company.

How can IT help in preparing for the GDPR?

With 99 articles to follow, complying with the GDPR is a multi-step process. Here's a checklist of information technologies that will help get you started.

  • 1. A central repository to store, view, monitor, and analyze log data from various environments.

  • 2. A real-time alert mechanism to catch suspicious activity taking place within your organization's IT environment.

  • 3. An auditing system to ensure the integrity, confidentiality, and security of the log data generated by your environment.

  • 4. The means to secure assets which store personal data in your environment.

  • 5. A system to create and manage records of all data processed, along with detailed, on-demand reports.

  • 6. The ability to identify who accesses privileged accounts and sensitive information.

  • 7. Adequate security and encryption of personal information in transit.

  • 8. A mechanism for identifying, responding to, and reporting a breach when it occurs.

  • 9. A monitoring system for assets and systems that carry any form of personal information.

  • 10. A tool for regularly identifying and securing vulnerabilities that arise in your environment.
What exactly are the GDPR's articles asking for?

The GDPR's requirements are long and complex. While there is no single solution that can address the entire regulation, there are many compliance requirements in the GDPR that can be simplified with the right IT tools.

Let's take a look at some of the GDPR’s articles and how our solutions can help you satisfy those requirements.

  • 1. Article 5(1)(b)

    Collect personal data only for specified purposes and do not process the data in any manner that is incompatible with the stated purpose(s).

    "[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)."

    How ManageEngine helps you comply

    DataSecurity Plus' access audit reports help you identify anomalous data access, modification, and deletion.

    Send notifications to concerned authorities in case such anomalous activities take place with Log360's prepackaged alert profiles.

    Related products

    Log360, DataSecurity Plus

  • 2. Article 5(1)(c)

    Collect only adequate and relevant personal data that is limited to only what is required for the purposes of processing.

    "[Personal data shall be] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)."

    How ManageEngine helps you comply

    Find and delete junk data including stale, duplicate, and orphaned files, and ensure that only required, relevant data is stored using DataSecurity Plus.

    Related products

    DataSecurity Plus

  • 3. Article 5(1)(d)

    Keep the collected/processed personal data accurate and updated at all times.

    "[Personal data shall be] accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)."

    How ManageEngine helps you comply

    Schedule scanning of all devices in your organization using Desktop Central to ensure continuous availability and integrity of personal data.

    Monitor and delete outdated data using file analysis and storage analysis reports in DataSecurity Plus.

    Audit databases with Log360 to determine how long data has been stored and delete personal data as soon as its storage threshold is reached.

    Use Browser Security Plus to scan all browsers being used in all devices in your organization to ensure all around protection of personal data.

  • 4. Article 5(1)(f)

    Process all forms of personal data with the utmost security and prevent unlawful or unauthorized means of processing.

    "[Personal data shall be] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

    How ManageEngine helps you comply

    Gain visibility into users/devices trying to access business services and data with Desktop Central's Conditional Exchange Access.

    Log360's predefined alert profiles send stakeholders alerts when unauthorized access attempts are made, and foil such attempts.

    Ensure the integrity of confidential files and folders by using Log360 to generate instant notifications whenever critical file changes happen.

    Use EventLog Analyzer's predefined GDPR report templates to audit all activities happening on systems that store personal data and changes to personal data itself.

    Use EventLog Analyzer to warn data protection officers or security administrators whenever the integrity of personal data is compromised.

    Audit all file and folder actions, track all failed attempts to access critical data, and maintain a foolproof audit trail of all file accesses using DataSecurity Plus.

    Trigger instant email alerts to admins on detecting suspicious file actions with the help of DataSecurity Plus.

    Detect and contain potential ransomware infections instantly to prevent devastating data loss using DataSecurity Plus.

    Detect and prevent the leakage of business-critical files via USB devices or email using DataSecurity Plus.

    Use Patch Manager Plus to mask, remove, and retain PII while scheduling or exporting user reports.

  • 5. Article 5(2)

    Demonstrate compliance with the GDPR's requirements as and when required.

    "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)."

    How ManageEngine helps you comply

    Demonstrate secure processing practices by exporting ADManager Plus' reports in any file format and/or emailing them to stakeholders at specified intervals.

    Prove compliance with various standards by providing forensic investigators with PAM360’s readily available video recordings, out-of-the-box compliance and custom reports, and audit logs on every privileged activity.

  • 6. Article 15(1)

    Always present your data subjects with the right to obtain information about the kind of personal data being processed and the nature of activities being performed with respect to this personal data.

    "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

    (a) the purposes of the processing;

    (b) the categories of personal data concerned;

    (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

    (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

    (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

    (f) the right to lodge a complaint with a supervisory authority;

    (g) where the personal data are not collected from the data subject, any available information as to their source;

    (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."

    How ManageEngine helps you comply

    Gain visibility into the type of personal data your company holds. Monitor who accesses personal data, including when and where that data is used, with DataSecurity Plus' data discovery capabilities.

    DataSecurity Plus helps you find the personal data (PII) of a specific user using regex or by matching a unique keyword (e.g., customer ID or name) across Windows file servers and failover cluster environments.

    Related products

    DataSecurity Plus

  • 7. Article 15(3)

    Provide data subjects with a copy of all their personal data that has been collected for processing.

    "The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form."

    How ManageEngine helps you comply

    Identify the location where personal/sensitive data is stored to facilitate further processes using DataSecurity Plus.

    Related products

    DataSecurity Plus

  • 8. Article 16

    Give data subjects the option to conveniently rectify or update their personal information.

    "The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement."

    How ManageEngine helps you comply

    Keep your inventory of personal data updated with DataSecurity Plus' automated file discovery feature, which scans your entire Windows file system at regular intervals.

    Related products

    DataSecurity Plus

  • 9. Article 17(1)

    If any data subject requests the erasure of their personal data, always have the provision to promptly fulfil their request.

    "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) and where there is no other legal ground for the processing;

    The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

    The personal data have been unlawfully processed;

    the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

    the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)."

    How ManageEngine helps you comply

    Locate all the files containing instances of the data subject's information by matching keywords for further processes using DataSecurity Plus.

    Related products

    DataSecurity Plus

  • 10. Article 24(1)

    Implement appropriate technical and organizational measures to ensure that processing is performed in accordance with the GDPR.

    "Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary."

    How ManageEngine helps you comply

    Desktop Central helps you periodically check if your organization's assets and devices are still compliant with the corporate configurations applied to them.

    Securely distribute sensitive business documents to devices and restrict their availability to authorized individuals and/or applications using Desktop Central.

    Email reports or export them to specified locations in multiple file formats using ADManager Plus to make sure you always have the data you need during investigations and security assessments.

    Related products

    Desktop Central, ADManager Plus

  • 11. Article 24(2)

    Implement appropriate data protection policies to protect the PII of data subjects.

    "Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller."

    How ManageEngine helps you comply

    Use DataSecurity Plus' predefined policies to help prevent unwarranted data transfers to USB devices, and monitor file integrity.

    Use automated threat response mechanisms to shut down infected systems, disconnect rogue user sessions, and more using DataSecurity Plus.

    Related products

    DataSecurity Plus

  • 12. Article 25(2)

    Personal data should be processed only for the purpose for which it was collected and should not be accessible to those who are not directly involved in these processes.

    "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."

    How ManageEngine helps you comply

    Keep personal and corporate data separate on mobile devices using Desktop Central's containerization feature. Limit organizational access to the corporate workspace only.

    Desktop Central helps you unenroll assets/devices from your organization's network upon user request. Delete all forms of personal data pertaining to a user from your servers and revoke access to that data.

    Prevent unauthorized users from exploiting privileged access to personal data repositories using Password Manager Pro.

    Audit permission change events with ADManager Plus' notification rules to identify illegal or unauthorized permission changes related to personal data.

    Find users with full control access to your Windows shares, and locate all the files and folders that have been shared with everyone using DataSecurity Plus.

    Enable two-factor authentication and access control workflows in PAM360, and leverage its just-in-time privileged access to ensure that only authorized users can remotely access sensitive data for a specific time period.

  • 13. Article 30(1)

    Always maintain records of all processing activities with details about the reason for processing data, categories of data processed, and security measures undertaken during processing.

    "Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

    1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

    2. the purposes of the processing;

    3. a description of the categories of data subjects and of the categories of personal data;

    4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

    5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

    6. where possible, the envisaged time limits for erasure of the different categories of data;

    7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1)."

    How ManageEngine helps you comply

    Locate instances of sensitive personal data stored across Windows file servers and failover clusters with DataSecurity Plus' dedicated GDPR data discovery policy.

    DataSecurity Plus helps you find who has what permission over files containing sensitive personal data and audits user activity in files with details on who accessed what, when, and from where.

    PAM360 provides context-rich audit logs, out-of-the-box reports, and session recordings of all the activities performed on personal data repositories.

    Maintain and view a record of all processing activities carried out using Patch Manager Plus' Action Log Viewer.

    ADManager Plus helps you get a complete audit trail of all the activities related to personal data taking place in your organization.

    Maintain a record of all processing activities as mandated by the GDPR with Desktop Central's audit log viewer.

    DataSecurity Plus provides easy-to-understand reports on the personal data your company holds, including the type, location, and amount of personal data stored in each file.

  • 14. Article 32(1)(a)

    Ensure the confidentiality of all processing systems and encrypt personal data by implementing appropriate measures.

    "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data;"

    How ManageEngine helps you comply

    Key Manager Plus helps you adopt a multi-layered information security approach, secure data in transit, and find easy ways to monitor and manage your public key infrastructure.

    Encrypt personal data stored on mobile devices using Desktop Central.

  • 15. Article 32(1)(b)

    Ensure the availability, confidentiality, and integrity of processing systems and services.

    "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;"

    How ManageEngine helps you comply

    Protect and encrypt access to your data subjects' personally identifiable information using Key Manager Plus.

    Continuously monitor and audit the storage systems that store personal data using DataSecurity Plus.

    Watch out for unauthorized access attempts and anomalies in user activities on these systems and services using Log360.

    Audit and send out real-time alerts when any changes to critical resources (such as firewalls, Active Directory, databases, and file servers) are detected using ADAudit Plus.

    Enable authorized users to securely connect to critical remote resources without password exposure, and prevent rogue activities on personal data repositories using PAM360's session shadowing capabilities.

    Use Vulnerability Manager Plus to detect and alert on systems in which BitLocker encryption is not enabled. You can encrypt entire disk volumes to prevent unauthorized access to disks and exfiltration.

  • 16. Article 32(1)(d)

    Regularly test the effectiveness of implemented security measures.

    "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

    How ManageEngine helps you comply

    Periodically check if your organization's devices are still compliant with the corporate policies assigned to them using Desktop Central.

    Prevent attackers from exploiting privileged access to collected personal data with Password Manager Pro.

    Ensure the security of processing by watching out for any anomalies that could turn out to be a potential data breach using Log360.

    Audit all activity happening on systems that store personal data and changes to personal data itself with EventLog Analyzer.

    Monitor and audit privileged activities on critical systems that store personal data, and terminate anomalous sessions that exploit personal information using PAM360.

    Constantly observe configuration drifts and misconfigurations in your endpoints with a predefined set of baselines, and bring them under compliance with Vulnerability Manager Plus.

  • 17. Article 32(2)

    Always prepare for risks that may arise during processing activities such as loss, alteration, deletion, and disclosure of personal data, and implement appropriate preventive mechanisms.

    "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."

    How ManageEngine helps you comply

    Set alerts in case a device does not check in with the server over a predefined period of time using Desktop Central.

    Centralize and correlate security data from different sources with Log360 to identify potential data breaches instantly and avoid data loss.

    Audit changes to personal data (e.g. modification, deletion, renaming, or even permission changes) using Log360.

    Monitor the use of removable storage devices such as USBs, and block the movement of files containing personal data to USB devices or via email as an attachment using DataSecurity Plus. You can also provide contextual warnings using system prompts about the risk of moving business-critical data to removable storage devices or via email as attachments.

    Reduce incident response times with instant alerts and an automated threat response mechanism with DataSecurity Plus.

    Use DataSecurity Plus to generate alerts and reports on unwarranted accesses or sudden spikes in file accesses and modifications including permission changes, deletions, and more. Additionally, you can spot files with security vulnerabilities such as files owned by stale users, overexposed files, files accessible by everyone, etc.

    Maintain a complete record of all file and folder deletion actions, and uncover and quarantine possible ransomware infections using DataSecurity Plus.

    Set alerts in case a device does not check in with the server over a predefined period of time using Patch Manager Plus.

  • 18. Article 32(4)

    Take steps to ensure that nobody exploits or gains unauthorized or unlawful access to personal data.

    "The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

    How ManageEngine helps you comply

    Manage, monitor, and audit administrative access to systems and applications that handle personally identifiable information using Password Manager Pro.

    Detect when users access personal data without proper permissions using Log360 and ADManager Plus.

    Provide users with granular, time-bound access to sensitive systems and applications via a request-approve-release workflow and just-in-time privileged access capability with PAM360.

    Patch Manager Plus helps you configure role-based access to ensure that authorized personnel can perform only the specific processing activities assigned to them and can view and manage only the devices that are assigned to them.

    O365 Manager Plus' delegation feature can help you establish role-based access control for Office 365 administration to ensure only authorized personnel have access to sensitive data.

  • 19. Article 33

    In case of a personal data breach, inform the supervisory authorities within 72 hours. If the notification is made after 72 hours, send the reason for the delay along with it.

    "1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

    2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

    3. Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article."

    How ManageEngine helps you comply

    Detect any data breach in your network instantly with Log360's real-time alerting console and correlation engine.

    Detect and contain known attack patterns such as DoS, DDoS, SQL injections, and ransomware attacks with Log360.

    Use custom correlation rules and alert profiles for detecting unknown attack patterns, keeping personal data safe.

    Log360's log search engine can help you perform forensic analysis and determine when a breach occurred, its source, which data and systems were affected, and the responsible parties.

    Record privileged account access and sessions with Password Manager Pro to prepare for forensic audits.

    Export all forensic information and construct incident reports which can be submitted to the concerned authorities using Log360's extensive reports.

    DataSecurity Plus helps you analyze the root cause and the scope of a data breach using extensive records on all file and folder related activities in Windows file servers, failover clusters, and workgroup environments along with details on who accessed what, when, and where.

    Provide tamper-proof privileged session recordings and audit trails of every session as security-relevant evidence to support compliance investigations using PAM360. Also, leverage built-in compliance, custom, and query reports to meet compliance requirements.

  • 20. Article 35(7)(d)

    Perform a data protection impact assessment and implement security measures to protect the personal data being processed.

    "The assessment shall contain at least

    (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned."

    How ManageEngine helps you comply

    DataSecurity Plus helps you calculate the risk score of files containing personal data by analyzing their permissions, the volume, and the type of rules violated; audit details; and more.

    Identify files that are vulnerable due to permission hygiene issues with DataSecurity Plus.

    Related products

    DataSecurity Plus
        Disclaimer:

        Fully complying with the GDPR requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some of the ways in which IT management tools can help with some of the GDPR's requirements. Together with other appropriate solutions, processes, and people, ManageEngine's solutions help achieve and sustain GDPR compliance. This material is provided for informational purposes only and should not be considered as legal advice for GDPR compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.