
What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that strictly governs the ways in which organizations collect, manage, and store personal data.

The GDPR aims to give EU citizens control over how and why their personal data is used, and to standardize data privacy regulations across the EU. However, it is important to note that if your organization handles data belonging to EU or European Economic Area (EEA) data subjects, you must comply with the GDPR regardless of where your company is located.

Why should you comply with the GDPR?

While organizations are fixated on the stringent punitive aspects of the GDPR, it is easy to miss the benefits that complying with the GDPR will bring to your business.

Simplify processes and applications

Unifying all your data repositories and having a clear understanding about the type and purpose of data collection will help your organization streamline data access and modification requests, leading to enhanced security.

Gain that competitive edge

Implementing strict measures to safeguard personal information shows the importance placed on data privacy and will improve customer trust.

Bring about a cultural shift

Compliance is a gradual process of improvement that will bring about a culture of “security by design” within your company.

How can IT help in complying with the GDPR?

With 99 articles to follow, complying with the GDPR is a multi-step process. Here’s an IT checklist that will help get you started.

01 A central repository to store, view, monitor, and analyze log data from various environments
02 A real-time alert mechanism to catch suspicious activity taking place within your organization’s IT environment
03 An auditing system to ensure the integrity, confidentiality, and security of the log data generated by your environment
04 The means to secure assets which store personal data in your environment
05 A system to create and manage records of all data processed, along with detailed, on-demand reports
06 The ability to identify who accesses privileged accounts and sensitive information
07 Adequate security and encryption of personal information in transit
08 A mechanism for identifying, responding to, and reporting a breach when it occurs
09 A monitoring system for assets and systems that carry any form of personal information
10 A tool for regularly identifying and securing vulnerabilities that arise in your environment

How can you comply with the GDPR?

  • Article 5
  • Article 15
  • Article 16
  • Article 17
  • Article 24
  • Article 25
  • Article 30
  • Article 32
  • Article 33
  • Article 35

Article 5

Principles relating to processing of personal data

Article 5(1)(b)

Collect personal data only for specified purposes and do not process the data in any manner that is incompatible with the stated purpose(s).

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Identify anomalous data access, collection, modification, and deletion.
Log360
  • Send notifications to concerned authorities in case of anomalous activities.
Endpoint DLP Plus
  • Leverage extensive records on access and transfer events involving sensitive information for auditing.

Article 5(1)(c)

Collect only adequate and relevant personal data that is limited to only what is required for the purposes of processing.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Find and delete junk data, including stale, duplicate, and orphaned files.

Article 5(1)(d)

Keep the collected/processed personal data accurate and updated at all times.

ManageEngine solutions to help you comply:

Endpoint Central
  • Schedule device scans to ensure the availability and integrity of personal data.
DataSecurity Plus
  • Monitor and delete outdated or incorrect data.
Log360
  • Audit databases to determine how long data has been stored, and delete personal data once the storage threshold is reached.
Browser Security Plus
  • Scan active browsers to ensure protection of personal data.
Endpoint DLP Plus
  • Gather information on data subjects quickly for modification or deletion upon request.

Article 5(1)(f)

Process all forms of personal data with the utmost security and prevent unlawful or unauthorized means of processing.

ManageEngine solutions to help you comply:

Endpoint Central
  • Gain visibility into users or devices trying to access business services and data.
Log360
  • Send alerts when unauthorized access attempts are made.
  • Generate instant notifications whenever critical file changes happen.
EventLog Analyzer
  • Audit all activities on systems that store personal data and changes to personal data itself.
  • Warn data protection officers or security administrators whenever the integrity of personal data is compromised.
DataSecurity Plus
  • Audit file and folder actions, and maintain an audit trail of file accesses. Trigger instant email alerts to admins on detecting suspicious file actions.
  • Detect and contain ransomware infections instantly to prevent data loss.
  • Detect and prevent the leakage of business-critical files via USB devices or email.
Patch Manager Plus
  • Mask, remove, and retain PII while scheduling or exporting user reports.
Endpoint DLP Plus
  • Limit data access to essential and relevant personnel based on security clearance and task-specific needs.

Article 5(2)

Demonstrate compliance with the GDPR's requirements as and when required.

ManageEngine solutions to help you comply:

ADManager Plus
  • Export reports in any file format and/or email them to stakeholders at specified intervals.
PAM360
  • Provide video recordings, custom reports, and audit logs on every privileged activity.

Article 15

Right of access by the data subject

Article 15(1)

Always present your data subjects with the right to obtain information about the kind of personal data being processed and the nature of activities being performed with respect to this personal data.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Monitor who accesses personal data, including when and where the data is used.
  • Find the personal data of users across Windows file servers and failover cluster environments.
Endpoint DLP Plus
  • Uncover personal data whereabouts and the relationship between data and the corresponding sources, systems, and users.

Article 15(3)

Provide data subjects with a copy of all their personal data that has been collected for processing.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Identify the location where personal or sensitive data is stored to facilitate further processes.
Endpoint DLP Plus
  • Scan endpoints within your network to find the whereabouts of all sensitive items of any data subject.

Article 16

Right to rectification

Article 16

Give data subjects the option to conveniently rectify or update their personal information.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Keep your inventory of personal data updated by scanning your Windows file system at regular intervals.
Endpoint DLP Plus
  • Scan, discover, and retrieve personal data, enabling prompt changes upon the request of data subjects.

Article 17

Right to erasure (‘right to be forgotten’)

Article 17

If any data subject requests the erasure of their personal data, always have the provision to fulfill their request promptly.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Locate files containing the data subject's information for further processes.
Endpoint DLP Plus
  • Retrieve information on data subjects quickly to facilitate data erasure without delay.

Article 24

Responsibility of the controller

Article 24(1)

Implement appropriate technical and organizational measures to ensure that processing is performed in accordance with the GDPR.

ManageEngine solutions to help you comply:

Endpoint Central
  • Check periodically if your organization's assets are still compliant with corporate configurations.
  • Securely distribute sensitive business documents to authorized individuals and applications.
ADManager Plus
  • Email reports or export them when required for security assessments and investigations.
Endpoint DLP Plus
  • Generate extensive reports with actionable insights for auditing sensitive information and policies applied to it.

Article 24(2)

Implement appropriate data protection policies to protect the PII of data subjects.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Prevent unwarranted data transfers to USB devices with predefined policies.
  • Use automated threat response mechanisms to shut down infected systems and disconnect rogue user sessions.
Endpoint DLP Plus
  • Configure policies to restrict the movement of sensitive data to peripheral devices or via web postings or email attachments.

Article 25

Data protection by design and by default

Article 25(2)

Personal data should be processed only for the purpose for which it was collected and should not be accessible to those who are not directly involved in these processes.

ManageEngine solutions to help you comply:

Endpoint Central
  • Keep personal and corporate data separate on mobile devices.
  • Delete the personal data of users from your servers and revoke access to that data.
Password Manager Pro
  • Prevent unauthorized users from exploiting privileged access to personal data repositories.
ADManager Plus
  • Audit permission change events to identify unauthorized permission changes related to personal data.
DataSecurity Plus
  • Find users with full control access to your Windows shares, and locate all the files and folders shared with everyone.
PAM360
  • Ensure that only authorized users can remotely access sensitive data for a specific time period.

Article 30

Records of processing activities

Article 30(1)

Always maintain records of all processing activities with details about the reason for processing data, categories of data processed, and security measures undertaken during processing.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Locate instances of sensitive personal data stored across Windows file servers and failover clusters.
  • Uncover user permission over files containing sensitive personal data, and audit user activity.
PAM360
  • Get context-rich audit logs, out-of-the-box reports, and session recordings of all the activities performed on personal data repositories.
Patch Manager Plus
  • Maintain and view a record of all processing activities carried out.
ADManager Plus
  • Get a complete audit trail of all the activities related to personal data.
Endpoint Central
  • Maintain a record of all processing activities as mandated by the GDPR.
Endpoint DLP Plus
  • Audit sensitive data and the policies applied to it to safeguard it from disclosure.

Article 32

Security of processing

Article 32(1)(a)

Ensure the confidentiality of all processing systems and encrypt personal data by implementing appropriate measures.

ManageEngine solutions to help you comply:

Key Manager Plus
  • Secure data in transit, and easily monitor and manage your public key infrastructure.
Endpoint Central
  • Encrypt personal data stored on mobile devices.

Article 32(1)(b)

Ensure the availability, confidentiality, and integrity of processing systems and services.

ManageEngine solutions to help you comply:

Key Manager Plus
  • Protect and encrypt access to your data subjects' PII.
DataSecurity Plus
  • Continuously monitor and audit the storage systems that store personal data.
Log360
  • Detect unauthorized access attempts and anomalies in user activities on systems and services.
ADAudit Plus
  • Audit and send out real-time alerts when any changes to critical resources occur.
  • Detect unauthorized access attempts and anomalies in user activities on systems and services.
PAM360
  • Enable authorized users to securely connect to critical remote resources without exposing passwords.
Vulnerability Manager Plus
  • Detect systems without BitLocker encryption, and encrypt entire disk volumes.
Endpoint DLP Plus
  • Limit the exposure of confidential data by restricting access to only relevant personnel based on their security clearance.

Article 32(1)(d)

Implement preventive mechanisms for risks associated with data processing such as loss, alteration, deletion, and disclosure of personal data.

ManageEngine solutions to help you comply:

Endpoint Central
  • Periodically check if your organization's devices are still compliant.
Password Manager Pro
  • Prevent attackers from exploiting privileged access to collected personal data.
Log360
  • Secure processing by watching out for any anomalies that could turn out to be a potential data breach.
EventLog Analyzer
  • Audit all activity on systems that store personal data and changes to personal data itself.
PAM360
  • Monitor and audit privileged activities on critical systems, and terminate anomalous sessions.
Vulnerability Manager Plus
  • Monitor misconfigurations in your endpoints and bring them under compliance.
Endpoint DLP Plus
  • Deploy data loss prevention policies to uphold security measures even when offline.

Article 32(2)

Implement preventive mechanisms for risks associated with data processing such as loss, alteration, deletion, and disclosure of personal data.

ManageEngine solutions to help you comply:

Endpoint Central
  • Set alerts in case a device does not check in with the server over a predefined period of time.
Log360
  • Centralize and correlate security data to identify potential data breaches instantly.
  • Audit changes to personal data, e.g., modification, deletion, renaming, or even permission changes.
DataSecurity Plus
  • Monitor the use of USBs and block the movement of personal data to USB devices or via email as an attachment.
  • Reduce incident response times with instant alerts and an automated threat response.
  • Generate alerts and reports on unwarranted accesses or sudden spikes in file accesses and modifications.
  • Maintain a record of all file and folder deletion actions, and uncover and quarantine ransomware infections.
Patch Manager Plus
  • Set alerts in case a device does not check in with the server over a predefined period of time.
Endpoint DLP Plus
  • Configure policies to restrict the movement of sensitive information to peripheral devices.

Article 32(4)

Take steps to ensure that nobody exploits or gains unauthorized or unlawful access to personal data.

ManageEngine solutions to help you comply:

Password Manager Pro
  • Manage, monitor, and audit administrative access to systems and applications that handle PII.
Log360 and ADManager Plus
  • Detect when users access personal data without proper permissions.
PAM360
  • Provision time-bound, just-in-time privileged access to sensitive systems and applications.
Patch Manager Plus
  • Configure role-based access for processing activities through assigned devices.
M365 Manager Plus
  • Establish role-based access control for Microsoft 365 administration.

Article 33

Notification of a personal data breach to the supervisory authority

Article 33

In case of a personal data breach, inform the supervisory authorities within 72 hours. If the notification is made after 72 hours, send the reason for the delay along with it.

ManageEngine solutions to help you comply:

Log360
  • Detect any data breach in your network instantly.
  • Detect and contain attack patterns such as DoS, DDoS, SQL injections, and ransomware attacks.
  • Create custom correlation rules and alert profiles to detect unknown attack patterns.
  • Determine when a breach occurs, its source, the responsible parties, and the impact.
  • Export all forensic information, and construct incident reports.
Password Manager Pro
  • Record privileged account access and sessions.
DataSecurity Plus
  • Analyze the root cause and the scope of a data breach through activity logs.
PAM360
  • Provide tamper-proof privileged session recordings and audit trails of every session.
Endpoint DLP Plus
  • Maintain records of data access and transfer events with details on the user, computer, and medium.

Article 35

Data protection impact assessment

Article 35

Perform a data protection impact assessment and implement security measures to protect the personal data being processed.

ManageEngine solutions to help you comply:

DataSecurity Plus
  • Calculate the risk score of files containing personal data.
  • Identify files that are vulnerable due to permission hygiene issues.

Get guidance on GDPR compliance

Talk to our experts to get more information on how your organization can meet the GDPR compliance mandate.


Disclaimer

Fully complying with the GDPR requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some of the ways in which IT management tools can help with some of the GDPR’s requirements. Together with other appropriate solutions, processes, and people, ManageEngine’s solutions help achieve and sustain GDPR compliance. This material is provided for informational purposes only and should not be considered as legal advice for GDPR compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.