What is GDPR?
The General Data Protection Regulation (GDPR), approved by the European Union (EU) Parliament in April 2016 and effective since May 2018, is a transformative regulation aiming to protect the personal data of EU citizens. Its intent is twofold:
- Harmonize data privacy laws across EU member states.
- Strengthen individuals' rights with respect to their personal data.
This unified regulation, superseding the Data Protection Directive 95/46/EC, mandates stringent rules on how organizations collect, store, and process personal data. Personal data, under GDPR, must be safeguarded against damage, destruction, unlawful processing, or accidental loss. GDPR's core principle, "Data protection by design," implies that data privacy should be at the forefront of an organization's operations, rather than an afterthought.
Understanding GDPR compliance requires familiarization with the following key definitions:
Who must comply with GDPR?
GDPR compliance has a vast scope, affecting organizations that hold data on EU citizens, irrespective of where the organization or the data resides. It has a broad interpretation of what is classified as personal data which includes names, photos, email addresses, bank details, social media posts, medical information, IP addresses, and more.
The following parties must adhere to GDPR guidelines:
- Organizations within the EU: Any organization, regardless of size or type, operating within the EU must comply with GDPR.
- Organizations outside the EU: If an organization is not based in the EU but deals with the personal data of EU residents, it is subject to GDPR. This could apply when goods or services are offered to EU residents or while monitoring their user behavior.
- Large and small businesses: If the organization employs over 250 personnel, or if the organization employs fewer than 250 but their data processing activities can impact the rights and freedoms of EU data subjects.
Consequences of GDPR non-compliance
The GDPR governs all EU nations, but its implementation lies with each respective member state. Typically, organizations breaching GDPR compliance are penalized by the country of their establishment, or in the case of non-EU firms, the nation where their EU delegate resides. The European Data Protection Board (EDPB) aids these states in enforcing GDPR, guaranteeing the consistent application of data privacy norms throughout the EU.
Understanding the consequences of non-compliance with the GDPR is crucial for organizations of all sizes and sectors. Non-compliance can result in severe financial penalties, loss of reputation, and potential business disruption.
The GDPR imposes a two-tiered structure for fines that can be levied on organizations for non-compliance:
- Lower tier fines: Non-compliance may warrant a fine of up to €10 million or 2% of the company's global annual revenue, whichever is higher. These are typically applied to organizations that fail to establish proper data protection policies, do not cooperate with data regulators, have not appointed data protection officers, or do not promptly inform data subjects when their data has been compromised.
- Higher tier fines: Harsher violations may be penalized with a fine of up to €20 million or 4% of the company's global annual revenue, whichever is higher. These are given to companies that commit serious violations, such as breaching the data and privacy rights of EU data subjects, not following the principles of data protection, or ignoring demands and requests of data regulators.
However, these fines are discretionary and take into account multiple factors including but not limited to:
- Gravity and nature: This involves the scale of the violation, including the number of data subjects harmed, the extent of their harm, and the duration of the violation.
- Intention: To determine whether the violation was intentional or accidental.
- History: Past infringements, adherence with prior corrective recommendations, and violations of data protection laws outside the EU.
- Data category: Pertains to the types of personal and sensitive data involved.
- Aggravating and mitigating factors: Financial gains earned or losses saved due to the violation, among other factors. Notification: Timeliness and sufficiency of breach notification to the supervisory authority and affected data subjects.
GDPR requirements for compliance
Organizations in the digital landscape must understand and comply with GDPR requirements to maintain security and compliance. Each chapter of the GDPR has specific requirements that organizations need to follow.
- Chapter 1 (Articles 1–4): General provisions This chapter sets the groundwork for the GDPR, defining its objectives and applicability. It presents the scope of the GDPR within and beyond the EU, outlines the rules for processing personal data, and explains certain exemptions. It provides definitions for terms like "personal data," "processing," "controller," "processor," and "consent," establishing a language to further discussions on data protection.
- Chapter 2 (Art. 5–11): Principles This chapter of the GDPR elaborates on principles for processing personal data. It discusses lawful bases for processing, rules for obtaining consent, and conditions for children's consent in relation to information society services. It also addresses the processing of sensitive and criminal data, as well as situations where identification isn't necessary.
- Chapter 3 (Art. 12–23): Rights of the data subject This chapter of the GDPR clarifies the fundamental rights of data subjects, including rights to access, rectification, erasure, processing restriction, data portability, objection to processing, and rejection of automated decisions. All of which are crucial for both organizations and users.
- Chapter 4 (Art. 24–43): Controller and processor This chapter sets forth the responsibilities of data controllers and processors. It emphasizes maintaining data protection, designates the role of the DPO, establishes the protocol for data breaches, discusses the importance of impact assessments, and advocates for the establishment of codes of conduct and certifications.
- Chapter 5 (Art. 44–50): Transfers of personal data to third countries or international organizations This chapter governs the transfer of personal data to third countries (a non-EU country or territory where its citizens do not have the right to freely move within the European Union, as stated in the Schengen Borders Code) or international organizations. It mandates pre-transfer approval, ensures adequate data protection laws are in place, prescribes methods for handling international data-related legal disputes, setting of strict data handling rules for non-EU entities, and cooperation with nations outside the EU.
- Chapter 6 (Art. 51–59): Independent supervisory authorities This chapter details the structure and functions of independent supervisory authorities. It includes provisions on their establishment, independence, member qualifications, and professional secrecy. It also demarcates their competence, tasks like enforcing the GDPR and processing complaints, powers, and the need to provide annual activity reports.
- Chapter 7 (Art. 60–76): Cooperation and consistency This chapter underlines the principles of cooperation and consistency among supervisory authorities for GDPR enforcement. It provides guidelines for cooperation processes, dispute resolution mechanisms, and urgency procedures. Additionally, this chapter also establishes the EDPB, its independence, responsibilities, annual reporting, procedural norms, and confidentiality rules.
- Chapter 8 (Art. 77–84): Remedies, liability, and penalties This chapter outlines the legal remedies, liabilities, and penalties under the GDPR. This includes data subjects' rights to lodge complaints, the framework for judicial remedies, and regulations for representation. It also details the conditions for suspending proceedings, compensation eligibility, guidelines for administrative fines, and the potential for additional penalties by member states.
- Chapter 9 (Art. 85–91): Provisions relating to specific processing situations This chapter focuses on data processing scenarios such as journalistic freedom, government document handling, national ID processing, employment data, public archives, intelligence agency protocols, and religious institution exemptions, with space for individual member state laws.
- Chapter 10 (Art. 92–93): Delegated acts and implementing acts This chapter outlines the European Commission's rights to adopt delegated acts and form a committee to facilitate GDPR implementation, both these powers being subject to parliamentary and council oversight.
- Chapter 11 (Art. 94–99): Final provisions This final chapter initiates the GDPR enforcement phase. It covers the repeal of Directive 95/46/EC, clarifies GDPR's relationship with other existing regulations, and the validity of prior international agreements. It also sets a four-year cycle for commission reports to keep regulations current with technological evolution. Organizations can effectively navigate the complex landscape of data protection and privacy by adhering to the guidelines provided in each chapter. This will in turn help with establishing a robust data protection practice and building trust with customers while avoiding penalties and legal consequences.
- Understanding GDPR and DPO appointment: Understand the GDPR principles and key concepts such as lawful, fair, and transparent processing, personal data rights, and privacy by design and privacy by default. If an organization processes special categories of data, conducts regular and systematic large-scale monitoring, or processes large volumes of personal data, designating a DPO for overseeing GDPR compliance is required.
- Personal data inventory: Performing an inventory to determine the personal data an organization collects, processes, and stores, the lawful basis for processing, and how this data is transferred within and outside the organization is required.
- Privacy impact assessment (PIA): Conducting a PIA to identify potential risks involved with personal data processing and devising strategies to mitigate them is a crucial action. This step entails assessing the processing impact on individuals and identifying risk-minimizing measures.
- Data minimization policy and technical measures: Establishing a data minimization policy and outlining data retention periods strengthen the path to achieving GDPR compliance. Implement technical measures that consider the risk level required to safeguard personal data, including strategies to avert unauthorized access, accidental loss, or data destruction.
- Consent and data subject rights: Obtaining explicit and unambiguous consent prior to processing personal data is the next step of the process, although it is important to note that consent is only one of several lawful bases for processing. Facilitating consent withdrawal at any point is equally important. Organizations can additionally implement mechanisms to comply with GDPR's individual rights, such as access, rectification, erasure, and processing restriction.
- Processing operations register: Maintaining a register of processing operations for all data processing activities is essential for compliance with GDPR Article 30. This step mainly applies to organizations with over 250 employees.
- Monitoring, auditing, and breach notification: The core processes for maintaining compliance with GDPR involve conducting periodic audits to identify areas of non-compliance, and implementing remedial actions.
Organizations must maintain an accessible breach register. In case of a data breach, a relevant supervisory authority has to be notified within 72 hours of becoming aware and affected individuals need to be informed where necessary. Compliance certification under GDPR (Article 42) can be obtained from a competent supervisory authority or accredited certification bodies.
GDPR best practices: A checklist
By adopting these best practices, organizations can meet GDPR compliance requirements and strengthen their cybersecurity defenses.
- Data breach response plan: Establishing a robust plan to effectively respond to potential data breaches is crucial. This plan should outline clear protocols and responsibilities for employees in the event of a data breach, ensuring quick and coordinated action to mitigate the impact and protect sensitive information. (Ref: Articles 33 and 34).
- Data protection impact assessment (DPIA): The execution of a Data Protection Impact Assessment (DPIA) facilitates the identification of risks linked to data security and privacy. To mitigate these risks, it is recommended to implement data security practices, such as end-to-end encryption and organizational safeguards.
- Data processing agreements (DPAs): In order to maintain the GDPR compliance of vendors, data controllers are advised to establish DPAs with all third-party providers involved in the processing of personal data. This ensures that personal data is handled appropriately.
- Information audit for EU personal data: Determine if the organization handles personal data belonging to EU citizens. If the data processing activities involve people from this region, the organization will fall under the GDPR.
- Cross-border transfer laws: If transferring personal data to non-EU countries, comply with stringent requirements stated in GDPR Article 45. The organization might need certification under the Privacy Shield Framework.
- EU representative: Non-EU organizations need to appoint a representative based in one of the EU member states.
- Compliance training: Training employees on GDPR compliance requirements and practices is essential.
GDPR: Key rules to consider
|GDPR ARTICLE 5(1B)
|"[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)."
|GDPR ARTICLE 5(1D)
|"[Personal data shall be] accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)."
|GDPR ARTICLE 5(1F)
|"[Personal data shall be] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’)."
|GDPR ARTICLE 25(2, line 3)
|"In particular, such measures shall ensure that by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."
|GDPR ARTICLE 32(1B)
|"[T]he ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services."
|GDPR ARTICLE 32(1D)
|"[A] process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."
|GDPR ARTICLE 32(2)
|"In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed."
The GDPR has ushered in a new era of data protection, securing the rights of individuals to control their personal information. Being more than just a set of stringent rules, it represents a shift towards a “data protection by design” approach, embedding privacy within every facet of an organization's operations.
Since its enactment in 2018, GDPR has shown promising results in reducing data breaches within the EU, marking its effectiveness. Despite this, many organizations are still on the journey towards achieving complete compliance. Whether it is an organization operating in the EU or a website handling EU visitors' data, compliance with GDPR is not only mandatory but also a trust signal to one’s customers. Lastly, it is important to note that this is not a one-time process, but a continuous commitment to protect customer data.
Comply with GDPR with EventLog Analyzer
ManageEngine EventLog Analyzer enables GDPR compliance through meticulous log management, auditing, and IT compliance management. It leaves no log unturned, collecting and analyzing log data from various sources, enabling organizations to safeguard against unlawful data processing, loss, or damage.
EventLog Analyzer's security event management capabilities are significant for GDPR compliance. The tool analyzes insights from security events across networks, providing robust threat response techniques. Application log analysis features can detect data theft and track potential breaches, and server log management helps monitor servers for critical changes, enhancing data security.
Another GDPR compliance facilitator is EventLog Analyzer's file integrity monitoring feature. It tracks real-time changes to files or folders containing confidential data, ensuring data integrity, which is a core GDPR requirement. The event correlation engine and augmented threat intelligence features detect potential security threats, helping to mitigate risks to personal data.
Finally, the integrated compliance management feature simplifies GDPR auditing. Predefined GDPR report templates and log archival ensure that organizations can meet GDPR's stringent reporting and record-keeping requirements. With EventLog Analyzer, organizations can comfortably navigate the GDPR compliance landscape, protecting personal data and enhancing cybersecurity.