
What is GDPR?

The General Data Protection Regulation (GDPR) is the EU's principal data protection law. It was adopted in 2016 and has applied since 25 May 2018, and it backs its requirements with substantial administrative fines. The GDPR sets out a framework for how organizations may collect, process, and store personal data, and it obliges them to protect that data against personal data breaches, which the regulation defines to include accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It gives individuals in the EU rights over how their personal data is used and for what purpose, and it harmonizes data protection rules across the member states.

The GDPR protects personal data, meaning any information relating to an identified or identifiable natural person. That covers traditional identifiers such as names, addresses, and identification numbers, but also online identifiers such as IP addresses and email addresses, and special categories of data such as genetic, biometric, and health data, which receive additional protection under Article 9. Organizations that apply the GDPR's principles build trust with the individuals whose data they hold.

To whom does GDPR apply?

Compliance with the GDPR is not only a concern for organizations established in the EU. Under Article 3, the regulation applies to any organization established in the EU or European Economic Area (EEA) that processes personal data, and also to organizations outside the EU/EEA when their processing relates to offering goods or services to individuals in the EU/EEA or to monitoring their behaviour. This covers businesses, nonprofit organizations, government agencies, and any other entity that handles such personal data.

For example, consider a multinational company headquartered in the United States that offers its services to customers located in the EU. To deliver those services it stores and processes their personal data. Even though the company has no establishment in the EU, it falls within the GDPR's territorial scope under Article 3(2) and must comply.

GDPR requirements

Figure 1: GDPR requirements

GDPR requirements explained

Most of the regulation's text governs how organizations may collect and process personal data and what rights data subjects have. Only a smaller part, chiefly Article 32 on security of processing and Articles 33 and 34 on breach notification, sets out the security requirements that fall to security teams to implement.

To comply with the GDPR, organizations must fulfill a range of requirements aimed at safeguarding the privacy and rights of individuals. Here's an overview of the GDPR requirements:

Chapter 1 (Articles 1–4): General provisions

This chapter establishes the subject matter, material scope, and territorial scope of the regulation, including who must comply with it. Article 4 provides the definitions needed to interpret the rest of the text, including personal data, processing, controller, processor, pseudonymisation, consent, and personal data breach.

Chapter 2 (Articles 5–11): Principles

Chapter 3 (Articles 12–23): Rights of the data subject

Chapter 4 (Articles 24–43): Controller and processor

Chapter 5 (Articles 44–50): Transfers of personal data to third countries or international organisations

Chapter 6 (Articles 51–59): Independent supervisory authorities

Chapter 7 (Articles 60–76): Cooperation and consistency

Chapter 8 (Articles 77–84): Remedies, liability, and penalties

Chapter 9 (Articles 85–91): Provisions relating to specific processing situations

Chapter 10 (Articles 92–93): Delegated acts and implementing acts

Chapter 11 (Articles 94–99): Final provisions

Resources

  • Blog: Spotify's costly mistake: The GDPR violation and the path to compliance
  • Webinar: Comply with the GDPR: Detecting and responding to personal data breaches
  • Handbook: All you need to know and do to comply with the EU General Data Protection Regulation
  • Guide: A Security Admin's Survival Guide to the GDPR
  • Solution brief: A solution book for IT security admins to meet GDPR requirements
  • Feature page: Easily meet GDPR compliance using EventLog Analyzer

How to be GDPR compliant?

This section covers the GDPR requirements that concern the security measures organizations must adopt when handling personal data, and notes where ManageEngine's SIEM solution, Log360, can help meet them.

Chapter 2: Principles

GDPR Article 5(1)(b): Purpose limitation; monitoring access to the personal data collected

GDPR Article 5(1)(d): Accuracy of personal data

GDPR Article 5(1)(f): Integrity and confidentiality of personal data

Chapter 3: Rights of the data subject

GDPR Article 15(1): Right of access to personal data

GDPR Article 17: Right to erasure

Chapter 4: Controller and processor

GDPR Article 24(1): Responsibility of the controller

GDPR Article 25(2): Data protection by default

GDPR Article 32(1)(b): Ongoing confidentiality, integrity, availability, and resilience of processing systems and services

GDPR Article 32(1)(d): Regularly testing, assessing, and evaluating the effectiveness of security measures

GDPR Article 32(2): Assessing the appropriate level of security against the risks of processing

GDPR Article 33: Notification of a personal data breach to the supervisory authority

GDPR Article 35: Data protection impact assessments (DPIAs)

Chapter 5: Transfers of personal data to third countries or international organisations

To comply with the GDPR's rules on international transfers, organizations should first review their current and planned operations and identify every case in which personal data leaves the EEA. Each such transfer needs a lawful transfer mechanism: either the destination country is covered by a European Commission adequacy decision (Article 45), or the organization puts appropriate safeguards in place (Article 46), such as standard contractual clauses or binding corporate rules, and assesses whether the law and practice of the destination country undermine those safeguards.

Chapter 6: Understanding the role of supervisory authorities

Organizations should understand the role and powers of the supervisory authorities (SAs) in the member states where they operate. They must cooperate with SAs and provide requested information, align their processing with GDPR requirements, and be prepared to respond promptly to complaints or investigations initiated by an SA.

Chapter 7: Cooperation and consistency

Articles 60 to 76 govern how SAs cooperate with one another, including the lead supervisory authority mechanism for cross-border processing and the consistency mechanism run through the European Data Protection Board. Organizations with cross-border processing should identify their lead SA (based on their main establishment), share information with it openly, and expect decisions affecting them to be coordinated among the SAs concerned.

Chapter 8: Remedies, liability, and penalties

Organizations must prioritize transparency, accountability, and responsiveness in their data processing practices. They should conduct data protection impact assessments to identify where an infringement is likely, and establish policies and processes that cover all privacy requirements, including security measures, complaint-handling procedures, data accuracy controls, and breach reporting. Policies originally drafted against Directive 95/46/EC must be updated to match the GDPR. Regular monitoring and updating of policies and procedures keeps the organization compliant over time and limits its exposure to the fines and liability set out in this chapter.

Chapter 9: Provisions relating to specific processing situations

Organizations should adhere to member state regulations regarding the processing of national identification numbers, data processing in the context of employment, and processing for archiving, research, or statistical purposes. It's crucial to implement appropriate safeguards and derogations as per Article 89, ensuring anonymization or other protective measures where necessary.

Chapter 10: Delegated acts and implementing acts

Organizations should stay informed about any delegated acts or implementing acts passed by the European Commission that may affect their operations. They must monitor updates and changes to the law to ensure compliance with any new regulations or procedures established through delegated acts.

Chapter 11: Final provisions

Organizations should understand how the GDPR relates to earlier and existing EU law. In particular, Article 94 repeals Directive 95/46/EC with effect from 25 May 2018, so references to the Directive in existing policies and contracts should be read as references to the GDPR.

GDPR compliance checklist

With 99 articles, complying with the GDPR is a substantial undertaking. The following checklist will assist you with the compliance process.

  • Understand GDPR requirements: Familiarize yourself with the regulation and what it means for your organization.
  • Data audit: Conduct a thorough audit of the personal data you collect, store, and process, and record where it flows.
  • Data minimization: Only collect and process the data necessary for the intended purpose (Article 5(1)(c)).
  • Lawful basis and consent management: Identify a lawful basis for each processing activity (Article 6(1)). Where consent is the basis, it must be freely given, specific, informed, and unambiguous (Articles 4(11) and 7), and explicit consent is required for special categories of data (Article 9).
  • DPIAs: Conduct a data protection impact assessment (Article 35) for processing that is likely to result in a high risk to individuals, identify the risks, and document the measures that mitigate them.
  • Data transfer mechanisms: For transfers outside the EU/EEA, rely on an adequacy decision (Article 45) or put appropriate safeguards in place (Article 46), such as standard contractual clauses or binding corporate rules. Note that the EU–US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020; transfers to the United States now rely on the EU–US Data Privacy Framework adequacy decision of July 2023 or on Article 46 safeguards.
  • Data protection officer (DPO): Appoint a DPO where Article 37 requires one: if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special categories of data. Employee headcount is not the test.
  • Records of processing activities: Maintain the records required by Article 30. Organizations with fewer than 250 employees are exempt only if their processing is occasional, unlikely to risk individuals' rights, and does not involve special categories of data.
  • Regular compliance audits: Conduct regular audits to ensure ongoing compliance with GDPR requirements.
  • EU representative: Organizations outside the EU that fall under Article 3(2) must designate a representative in a member state (Article 27), unless their processing is occasional, low risk, and does not include large-scale special-category data.
  • Data breach response plan: Develop a breach response plan covering detection, assessment, and reporting. Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to risk individuals' rights (Article 33), and notify affected individuals without undue delay when the risk is high (Article 34).
  • Implement robust security measures: Identify vulnerabilities and risks through risk assessments. Use pseudonymisation and encryption (Article 32(1)(a)) and access controls to protect personal data, keep systems patched, and train employees on security procedures.
  • Implement an incident management system: Define roles and responsibilities for assessing and responding to breaches, prepare a communication plan for notifying the relevant parties, and investigate each incident thoroughly, documenting findings and corrective actions.
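The checklist names pseudonymisation as a protective measure but does not show what separates real pseudonymisation from a bare hash. The following Python is an added example, not code from the original page or from ManageEngine: it pseudonymises constructed sample records with HMAC-SHA256 under a secret key that must be stored apart from the data (the "additional information" in the Article 4(5) definition), keeps records linkable, and shows that an unkeyed SHA-256 of an email address is re-identified by a simple guess list while the keyed pseudonym is not. The record fields and guess list are assumptions made for the example.

```python
"""Keyed pseudonymisation versus a bare hash (added example, not the page's code).

The sample records and guess list below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample log records; no real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "event": "login"},
    {"email": "bob@example.org", "ip": "198.51.100.23", "event": "download"},
    {"email": "alice@example.com", "ip": "203.0.113.7", "event": "logout"},
]

# Guesses an attacker might try against a leaked hash of a low-entropy identifier.
GUESS_LIST = ["alice@example.com", "bob@example.org", "carol@example.net"]


def new_pseudonymisation_key() -> bytes:
    """Secret that must be stored separately from the pseudonymised data set."""
    return secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: deterministic under one key, so records still join on it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """A bare SHA-256, often mistaken for pseudonymisation."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise_records(records, key, fields=("email", "ip")):
    """Return copies of the records with direct identifiers replaced by pseudonyms."""
    out = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's data
        for field in fields:
            if field in rec:
                rec[field] = pseudonymise(rec[field], key)
        out.append(rec)
    return out


def guess_identifier(target: str, guesses, key=None):
    """Try to re-identify a hash by recomputing it over candidate inputs.

    With key=None this models an attacker against an unkeyed hash; with the key
    it models the legitimate key holder re-identifying a pseudonym.
    """
    for guess in guesses:
        candidate = pseudonymise(guess, key) if key is not None else unkeyed_hash(guess)
        if hmac.compare_digest(candidate, target):
            return guess
    return None


def demo():
    key = new_pseudonymisation_key()
    pseudo = pseudonymise_records(SAMPLE_RECORDS, key)
    return {
        # Both of alice's events carry the same pseudonym, so analytics still work.
        "linkable": pseudo[0]["email"] == pseudo[2]["email"],
        # An unkeyed hash of the same email falls to the guess list immediately.
        "unkeyed_reidentified": guess_identifier(unkeyed_hash("alice@example.com"), GUESS_LIST),
        # The keyed pseudonym is not recovered from the same guesses without the key...
        "keyed_reidentified_without_key": guess_identifier(pseudo[0]["email"], GUESS_LIST),
        # ...but the key holder can re-identify it, which is the point of pseudonymisation.
        "keyed_reidentified_with_key": guess_identifier(pseudo[0]["email"], GUESS_LIST, key=key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the key, not the hash function, is what makes the output a pseudonym rather than a thinly disguised identifier: if the key is stored alongside the data set, or if the data set is hashed without a key, the data remains personal data in practice and the Article 32(1)(a) measure has not been implemented.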

Use cases

  • Want to learn how to leverage Log360 for file integrity monitoring?
  • How do you ensure data integrity and compliance with Log360?

Non-compliance implication

Non-compliance with the GDPR can have significant implications for organizations, including hefty fines and reputational damage. The GDPR fines are categorized into two tiers based on the severity of the violations:

  • Lower-tier fines (Article 83(4)) reach up to €10 million or 2% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher. They cover infringements of the obligations placed on controllers and processors (for example Articles 25 to 39 on security, records, breach notification, DPIAs, and DPOs) and on certification and monitoring bodies.
  • Upper-tier fines (Article 83(5)) reach up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. They cover infringements of the basic principles of processing, including the conditions for consent (Articles 5, 6, 7, and 9), the rights of data subjects (Articles 12 to 22), the rules on international transfers (Articles 44 to 49), and failure to comply with an order of a supervisory authority.

For example, in May 2023 the Irish Data Protection Commission (DPC) fined Meta, the company formerly known as Facebook, €1.2 billion for transferring EU users' personal data to the United States without adequate safeguards. In September 2021 the same authority fined WhatsApp €225 million for failing to meet its transparency obligations about how it processed user data.

Overall, non-compliance with the GDPR can have far-reaching consequences for organizations, including financial penalties, loss of trust, business disruption, legal challenges, and regulatory scrutiny. Companies should therefore prioritize GDPR compliance and put robust data protection measures in place to safeguard personal data.

Disclaimer: This guide has been created using information provided by official GDPR documents.

ManageEngine solutions

About Log360

Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects, prioritizes, investigates and responds to security threats. Vigil IQ, the solution's TDIR module, combines threat intelligence, an analytical Incident Workbench, ML-based anomaly detection and rule-based attack detection techniques to detect sophisticated attacks, and it offers an incident management console for effectively remediating detected threats. Log360 provides holistic security visibility across on-premises, cloud and hybrid networks with its intuitive and advanced security analytics and monitoring capabilities.


About AD360

ManageEngine AD360 is a unified identity and access management (IAM) solution that helps manage identities, secure access, and ensure compliance. It comes with powerful capabilities like automated identity life cycle management, access certification, risk assessment, secure single sign-on, adaptive MFA, approval-based workflows, UBA-driven identity threat protection and historical audit reports of AD, Exchange Server and Microsoft 365. AD360's intuitive interface and powerful capabilities make it the ideal solution for your IAM needs, including fostering a Zero Trust environment.
