Take the lead in data protection best practices with our unified SIEM solution!
What is GDPR?
The General Data Protection Regulation (GDPR) stands as a paramount piece of data protection legislation that holds organizations to stringent standards with hefty penalties for non-compliance. The GDPR, enacted by the EU in May 2018, mandates a robust framework dictating how organizations collect, handle, and store personal data. This extends to safeguarding personal data against any potential data breaches, including damage, destruction, unlawful processing, or accidental loss. The GDPR places a significant emphasis on empowering EU citizens to exert control over the usage and purpose of their personal data, striving to standardize data privacy regulations across the EU.
The GDPR protects personal data, which not only encompasses traditional identifiers like names, addresses, and identification numbers. This also includes digital identifiers such as IP addresses, email addresses, and biological identifiers like genetic, biometric, and health-related information. By embracing GDPR's principles, organizations can foster trust and respect for individuals' privacy rights in an increasingly data-centric landscape.
To whom does GDPR apply?
It's imperative to understand that adherence to the GDPR isn't only relevant for organizations within the EU. Every organization dealing with data from individuals in the EU or European Economic Area (EEA) must follow the GDPR, no matter where they're located. This includes businesses, nonprofit organizations, government agencies, and any other entity that handle personal data of EU/EEA residents.
For example, let's consider a multi-national company headquartered in the United States that offers its services to customers who are EU citizens. As a part of their business, they might be required to store and process the personal data of EU citizens. In this case, even though the company is not physically located in the EU, it must comply with the GDPR regulations.
GDPR requirements explained
Over 75% of the regulatory mandate focuses on directing how organizations gather personal data and safeguarding the rights of data subjects. The remaining 25% pertains to the security regulations for processing, which necessitates the involvement of security professionals.
To comply with the GDPR, organizations must fulfill a range of requirements aimed at safeguarding the privacy and rights of individuals. Here's an overview of the GDPR requirements:
Chapter 1 (Article 1-4): General provisions
This chapter establishes the scope and applicability of the regulation. It outlines general provisions, including who is liable to comply with this law. Additionally, Article 4 provides definitions crucial for interpreting the regulation, clarifying terms such as personal data, processing, controller, processor, and consent.
Learn moreChapter 2 (Article 5-11): Principles
This chapter elaborates on the fundamental principles for personal data processing. Article 5 outlines core principles including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity of personal data processing. Article 6 details lawful processing conditions such as consent and contractual necessity. Articles 7-11 elaborate on various aspects of personal data processing and individuals' rights.
Chapter 3 (Article 12-23): Rights of the data subject
This chapter outlines data subjects' rights. Article 12 illustrates the ways of exercising the rights of the data subject, and methods of establishing a clear and transparent communication. It also includes providing information about their rights under the GDPR. Articles 13 and 14 instructs businesses on specific details such as the controller identity and process purpose that they must provide during data collection. Articles 15 to 22 explain data subjects' rights, including data access, rectification, erase data, processing restriction, objection, and data portability.
Chapter 4 (Article 24-43): Controller and processor
Chapter 4 explains the duties of data controllers and processors. It mandates controllers to implement appropriate measures ensuring GDPR compliance and data protection principles. Articles 33 and 34 require controllers to report data breaches to supervisory authorities promptly and communicate breaches to the affected data subjects.
Chapter 5 (Article 44-50): Transfers of personal data across international borders
This chapter outlines the regulations regarding the transfer of personal data across international countries (Articles 44–50). This chapter elaborates the general principles to be followed while transferring data from the EU, corporate rules associated with such transfers, and talks about the international cooperation among supervisory authorities to promote consistency in data protection practices.
Chapter 6 (Article 51–59): Independent supervisory authorities
Chapter 6 of the GDPR (Articles 51–59) elaborates about independent supervisory authorities tasked with enforcing GDPR compliance. Each EU member state appoints these authorities to monitor the enforcement of the GDPR within their jurisdiction. These authorities serve as the primary guardians of data privacy and security within their respective jurisdictions, aiming to safeguard individuals' rights and promote fair and lawful data processing practices.
Chapter 7 (Article 60–76): Cooperation and consistency
Chapter 7 of the GDPR (Articles 60–76) explains the role, tasks, and powers of supervisory authorities in the EU. It outlines the competency of supervisory authorities, exchanging information and coordinating activities to enforce GDPR effectively. This chapter also emphasizes the importance of consistency in the application of GDPR requirements to ensure coherent decisions among supervisory authorities.
Chapter 8 (Article 77–84): Remedies, liability, and penalties
Chapter 8 of the GDPR elaborates how to lodge complaints to the supervisory authorities and seek judicial remedies against controllers or processors. Conditions for suspension of proceedings and the right to compensation for damages caused by breaches are outlined. Supervisory authorities are responsible for imposing fines proportionate to the severity of the breach, with different maximum fines for lesser and more serious infringements.
Chapter 9 (Article 85–91): Provisions relating to specific processing situations
Chapter 9 of the GDPR, spanning Articles 85–91, addresses areas where specific rules or exemptions may be necessary due to the nature of the processing activity or its societal impact. Additionally, it addresses safeguards for archiving and research purposes, confidentiality obligations, and data protection rules for religious institutions.
Chapter 10 (Article 92–93): Delegated acts and implementing acts
Chapter 10, comprising Articles 92 and 93, pertains to procedural matters related to delegated acts and implementing acts.
Chapter 11 (Article 94–99): Final provisions
Chapter 11 contains final provisions regarding the regulation's implementation and enforcement. It includes the repeal of a previous data processing directive (Article 94), clarifies the relationship with existing electronic communications rules (Article 95), and ensures the continuity of international data transfer agreements.
Resources
All you need to know and do to comply with the EU General Data Protection Regulation
Learn moreHow to be GDPR compliant?
This section explains the GDPR's requirements concerning the security measures that organizations should adopt while handling personal data. It also illustrates how ManageEngine's SIEM solution, Log360, can help organizations meet these requirements and be compliant with the GDPR.
Chapter 2 - Principles
GDPR Article 5 (1B): Collect and monitor personal data access
Collect personal data for specific, clear purposes, ensuring transparency, and avoiding further processing incompatible with the original intentions, all while complying with legal and fair principles. If further processing is undertaken for public interest, scientific research, or statistical purposes, it must comply with Article 89(1). Organizations can comply with this requirement stating the purpose of data collection clearly in online forms and getting an explicit consent from the data subject.
Meet this requirement with ManageEngine
ManageEngine Log360 monitors critical changes in databases and provides instant alerts for anomalous activities such as unauthorized selection, creation, alteration, or deletion of personal data. Any deviations from the established patterns can be flagged for further investigation, ensuring that data is not being processed in a manner incompatible with its stated purpose. With prepackaged alert profiles, Log360 can generate instant email or SMS notifications whenever there's suspicious activity.
GDPR Article 5 (1D): Maintaining data accuracy
It mandates maintaining accurate and up-to-date personal data, correcting inaccuracies promptly, and ensuring the reliability and correctness of information held about individuals. Organizations must establish robust systems to maintain the accuracy by updating the data and employ tools or software to identify any inaccuracies. They should also gain insights into their data storage practices, including implementing systems that track the duration of data storage. This enables timely deletion of data once the designated storage period is reached.
Meet this requirement with ManageEngine
Through real-time monitoring, ManageEngine Log360 alerts administrators to any tampering with data, promoting accuracy. Additionally, Log360 helps to conduct database audits to determine the duration of data storage, enabling the deletion of personal data once the storage threshold is met, thereby ensuring compliance with the requirement to keep data accurate and up-to-date.
GDPR Article 5 (1F): Ensuring integrity and confidentiality of personal data
It requires implementing security measures to protect personal data, including encryption and regular testing, ensuring confidentiality, integrity, and availability of data, and adhering to approved codes of conduct or certification mechanisms. Organizations must adopt technical measures to safeguard personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This involves implementing data encryption techniques, backup systems, and other appropriate security measures.
Meet this requirement with ManageEngine
Through predefined alert profiles, ManageEngine Log360 promptly notifies administrators of unauthorized access, modifications, or deletions of data, safeguarding its integrity. It also provides detailed information on unauthorized changes, facilitating incident reporting as necessary. Further, Log360 offers audit reports on data machine language (DML) and data definition language (DDL) operations performed on SQL and Oracle databases to ensure that the processing of personal data stored in these databases is legitimate.
ManageEngine AD360 provides comprehensive auditing capabilities, allowing organizations to monitor and track changes to their AD environment in real-time. This includes changes to user permissions, group memberships, and other security-related configurations, helping to ensure the integrity of personal data. AD360's MFA help to secure access of data by establishing a centralized and unified IAM platform. By doing this, organizations ensure that only users with authorized access can gain control over certain resources.
Chapter 3 - Rights of the data subject
GDPR Article 15(1): Providing access to personal data
Organizations must ensure that they have systems in place to fulfill data subject requests for access to their personal data. This includes confirming whether personal data is being processed, providing access to the personal data itself, and disclosing specific information such as the purposes of processing, categories of data involved, recipients of the data, and storage duration.
GDPR Article 17: Right to erasure
In this requirement, organizations must promptly delete personal data upon request from data subjects. If the data is no longer needed or if consent is withdrawn, controllers must erase the data. They must also inform other data controllers processing the same data about the erasure request.
Chapter 4 - Controller and processor
GDPR Article 24(1): Responsibility of the controller
Organizations must implement appropriate technical and organizational measures to ensure compliance with the regulation. To comply, controllers should conduct a thorough assessment considering the nature, scope, context, and purposes of data processing, as well as the potential risks to individuals' rights. Based on this assessment, controllers should implement suitable measures and protocols to safeguard personal data effectively.
Meet this requirement with ManageEngine
AD360 provides robust auditing capabilities, allowing organizations to monitor and track changes to their AD environment in real-time. This includes changes to user accounts, group memberships, and security configurations, ensuring accountability and transparency in data processing activities.
GDPR Article 25(2): Building privacy into processes
To comply, organizations should carefully assess the amount of personal data collected, the extent of their processing, the duration of storage, and their accessibility. Organizations should adopt practices such as data minimization, pseudonymization, and encryption to ensure that personal data is not made accessible without individual intervention to an indefinite number of individuals, thereby enhancing privacy and data protection for individuals.
Meet this requirement with ManageEngine
With the help of AD360, organizations can build custom workflow and automate time-consuming, routine AD tasks such as user provisioning and deprovisioning, password resets, creating and modifying AD groups, and permission changes.
GDPR Article 32 (1B): Safeguarding processing systems and services
Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services by implementing appropriate technical and organizational measures, considering the nature, scope, and risks of data processing activities. Organizations must continuously monitor and audit both the storage systems that store the personal data and the services or applications processing the personal data. They should also implement a comprehensive disaster recovery and business continuity plan.
Meet this requirement with ManageEngine
ManageEngine Log360 helps to detect unauthorized access attempts and anomalies in user activities on systems and services where personal data is stored. Specifically, in databases like MS SQL and Oracle, Log360 identifies unauthorized access attempts to database servers and any server containing personal data, ensuring ongoing confidentiality and integrity.
GDPR Article 32 (1D): Security of processing
It requires a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing. This involves routinely checking and verifying the security measures in place to identify any vulnerabilities and ensure they remain effective over time.
Meet this requirement with ManageEngine
ManageEngine Log360 correlates log data from various devices and applications that handle personal data, including firewalls, vulnerability scanners, file servers, databases, Linux/Unix systems, and IBM AS400 systems. Then, it analyzes this data to identify and alert users about any suspicious activities in real-time.
GDPR Article 32 (2): Ensuring security in data processing
Assess the appropriate level of security by considering the risks associated with data processing activities, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. This involves evaluating potential risks to individuals' rights and freedoms posed by processing and tailoring security measures accordingly to mitigate these risks effectively.
Meet this requirement with ManageEngine
With ManageEngine Log360's predefined reports and real-time alerts, organizations can promptly detect unauthorized activities such as database modifications, login failures, and permission changes, thereby enhancing data security and compliance with GDPR requirements. It also provides centralized and correlated security data to identify potential data breaches swiftly.
AD360's SSO enhances security and simplifies access management by allowing users to authenticate once and gain access to multiple applications and systems without the need to repeatedly enter their credentials. By centralizing authentication, SSO can help organizations enforce stronger authentication methods and access controls, reducing the risk of unauthorized access to personal data.
GDPR Article 33: Notification of data breach
It outlines the procedures for notifying supervisory authorities and other relevant parties in the event of a personal data breach. If a breach occurs, the controller must notify the supervisory authority without delay, ideally within 72 hours of becoming aware of it.
Meet this requirement with ManageEngine
ManageEngine Log360, through its real-time alerting console and correlation engine, identifies breaches instantly, detects, and also contains various attack patterns such as DoS, DDoS, SQL injections, and ransomware attacks, which could compromise personal data. Log360 can also help to export all forensic information available, which can also be helpful to construct incident reports.
GDPR Article 35: Conducting Data Protection Impact Assessments (DPIA)
Organizations must conduct a DPIA before processing personal data if the processing involves:
- New technologies or large-scale processing : This includes systematic evaluation of personal aspects (profiling) that affects people or large-scale processing of sensitive data like health information or criminal records.
- Public monitoring: Regular monitoring of public areas on a large scale.
The GDPR also allows supervisory authorities to publish a list of processing activities that always require a DPIA or those that are exempt. The DPIA itself should be a documented assessment that evaluates the processing, its risks to individual privacy rights, and the steps taken to mitigate those risks.
Chapter 5: Transfers of personal data to international borders
To comply with GDPR requirements regarding international data transfers, organizations should first review their current and future business operations. They need to meticulously identify all instances where personal data is transferred outside the EEA. For these transfers, organizations must ensure the implementation of a data transfer mechanism that adheres to GDPR standards. This involves assessing the adequacy of data protection measures in the destination country and establishing appropriate safeguards such as binding corporate rules or standard contractual clauses.
Chapter 6: Understanding the role of supervisory authorities
Organizations should first ensure they understand the role and authority of supervisory authorities (SAs) within their member state. They should cooperate fully with supervisory authorities (SAs) and provide necessary information upon request. Additionally, they should align their data processing practices with GDPR requirements and be prepared to respond promptly to any complaints or investigations initiated by supervisory authorities.
Chapter 7: Cooperation and consistency
Organizations should prioritize collaboration with SAs and adhere to the mechanisms outlined in Articles 60 to 76. They must ensure open and transparent sharing of information with lead supervisory authorities and other relevant SAs, actively participating in joint operations where necessary.
Chapter 8: Remedies, liability, and penalties
Organizations must prioritize transparency, accountability, and responsiveness in their data processing practices. They should implement the impact assessments to identify potential risks of GDPR infringement. They must establish comprehensive policies and processes to address all privacy requirements, including security measures, complaints handling procedures, data accuracy protocols, and breach reporting mechanisms. It's crucial to update existing policies drafted with reference to previous directives and ensure alignment with the GDPR regulations. Regular monitoring and updating of policies and procedures will help maintain ongoing compliance with the GDPR requirements.
Chapter 9: Provisions relating to specific processing situations
Organizations should adhere to member state regulations regarding the processing of national identification numbers, data processing in the context of employment, and processing for archiving, research, or statistical purposes. It's crucial to implement appropriate safeguards and derogations as per Article 89, ensuring anonymization or other protective measures where necessary.
Chapter 10: Delegated acts and implementing acts
Organizations should stay informed about any delegated acts or implementing acts passed by the European Commission that may affect their operations. They must monitor updates and changes to the law to ensure compliance with any new regulations or procedures established through delegated acts.
Chapter 11: Final provisions
Organizations should ensure they understand the relationship between the GDPR and repealed or existing EU laws. They should also ensure they understand the relationship between the GDPR and repealed or existing EU laws. They must acknowledge that Directive 95/46/EC has been replaced by the GDPR.
GDPR compliance checklist
With over ninety articles, complying with the GDPR is a laborious process. Here's a checklist that will assist you with the compliance process.
- Understand GDPR requirements: Familiarize yourself with the GDPR regulations and what they mean for your organization.
- Data audit: Conduct a thorough audit of the personal data you collect, store, and process.
- Data minimization: Only collect and process the data necessary for the intended purpose.
- Consent management: Obtain explicit consent for data processing activities like collection, retention, and erasure. Ensure it is freely given, specific, informed, and unambiguous.
- DPIAs : Conduct DPIAs (Article 35) for high-risk processing activities.
- Data transfer mechanisms: Implement appropriate safeguards for transferring personal data outside the EU/EEA.
- Data p rotection o fficer (DPO): Appoint a DPO if required by your organization's size (more than 250 employees) or processing activities.
- Records of processing activities: Maintain records of your data processing activities if your organization has at least 250 employees or takes part in high-risk data processing as required by the GDPR.
- Regular compliance audits: Conduct regular audits to ensure ongoing compliance with GDPR requirements.
- Cross-border transfer laws: If transferring personal data to non-EU countries, comply with stringent requirements stated in GDPR Article 45. The organization might need certification under the Privacy Shield Framework.
- EU representative: Non-EU organizations need to appoint a representative based in one of the EU member states.
- Privacy impact assessment (PIA): Conducting a PIA to identify potential risks involved with personal data processing and devising strategies to mitigate them is a crucial action. This step entails assessing the processing impact on individuals and identifying risk-minimizing measures.
- Data breach response plan : Develop a data breach response plan (Article 33 and 34), including procedures for detecting, reporting, and responding to breaches within the required timeframe (within 72 hours of discovery).
- Implement robust security measures: Ensure data protection by identifying vulnerabilities and risks through comprehensive risk assessments. Utilize encryption or pseudonymisation (Article 6) and access controls to safeguard personal data, regularly update systems, and train employees on security protocols.
- Implement an incident management system to assess and analyze the impacts of data breaches: Establish an incident management system with defined roles and responsibilities for assessing and responding to breaches. Develop a communication plan for notifying relevant parties and conduct thorough investigations to document findings and implement corrective actions.
Use cases
Non-compliance implication
Non-compliance with the GDPR can have significant implications for organizations, including hefty fines and reputational damage. The GDPR fines are categorized into two tiers based on the severity of the violations:
- Tier 1 fines are imposed for less severe breaches and can amount to a maximum of €10 million or 2% of the violating company’s global annual revenue (Article 83(4)) from the previous year, whichever is higher. These violations typically involve controllers, processors, and oversight bodies responsible for GDPR assessments and complaints handling.
- Tier 2 fines are for more serious infringements related to privacy rights and consent, and can reach up to €20 million or 4% of the violating company’s global annual revenue (Article 83(5)) from the previous year, whichever is higher. These violations focus on ensuring lawful, accurate, and secure data processing, including compliance with laws regarding consent and transparency.
For example, Meta, formerly known as Facebook, was fined €1.3 billion by the Irish Data Protection Commission (DPC) for GDPR violations related to data protection. Another instance involved WhatsApp, which was fined €225 million by the Irish Data Protection Commission for lack of transparency regarding its user data processing practices.
Overall, non-compliance with the GDPR can have far-reaching consequences for organizations, including financial penalties, loss of trust, impacts business, legal challenges, and regulatory scrutiny. Therefore, it is essential for companies to prioritize GDPR compliance and ensure they have robust data protection measures in place to safeguard personal data and avoid potential repercussions.
Disclaimer: This guide has been created using information provided by official GDPR documents.
ManageEngine solutions
About Log360
Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects, prioritizes, investigates and responds to security threats. Vigil IQ, the solution's TDIR module, combines threat intelligence, an analytical Incident Workbench, ML-based anomaly detection and rule-based attack detection techniques to detect sophisticated attacks, and it offers an incident management console for effectively remediating detected threats. Log360 provides holistic security visibility across on-premises, cloud and hybrid networks with its intuitive and advanced security analytics and monitoring capabilities.
Try us out for 30 daysAbout AD360
ManageEngine AD360 is a unified identity and access management (IAM) solution that helps manage identities, secure access, and ensure compliance. It comes with powerful capabilities like automated identity life cycle management, access certification, risk assessment, secure single sign-on, adaptive MFA, approval-based workflows, UBA-driven identity threat protection and historical audit reports of AD, Exchange Server and Microsoft 365. AD360's intuitive interface and powerful capabilities make it the ideal solution for your IAM needs, including fostering a Zero Trust environment. For more information, please visit https://www.manageengine.com/active-directory-360/.
Try us out for 30 days
