
GDPR – What is it and how can SolarWinds help?

Product Manager

If your organization is based in the EU, or provides goods or services to the EU, you’ve probably heard a lot about General Data Protection Regulation (GDPR) compliance lately. In this post, I’d like to educate the THWACK® community on some of the GDPR requirements and how SolarWinds products such as Log & Event Manager (LEM) can assist with GDPR compliance.

Why the need for GDPR?

In December 2015, the EU announced that the GDPR was being implemented in place of the Data Protection Directive (DPD), the current EU data laws. The DPD was first established over 20 years ago, but it has not kept up with the seismic changes in information technology and is no longer sufficient for today’s technologies and threats. The shortcomings of the DPD have become apparent and the EU saw the need to replace it.

The shift from directive to regulation

A defining change which comes with the launch of GDPR is a shift from a directive to a regulation. DPD was a directive, meaning a set of rules issued to member states, but each country could interpret and implement the rules differently. GDPR is a regulation, which requires countries to implement the regulation without any scope for varying interpretations. It removes any ambiguities on organizations’ data protection responsibilities. GDPR paves the way for data privacy as a fundamental right for EU citizens. The implementation deadline for the regulation is May 25, 2018, so organizations are certainly against the clock to implement the necessary policies, procedures, and systems to ensure they are compliant.

What exactly is personal data?

GDPR defines a very broad spectrum of personal data. Personal data is no longer limited to information such as name, email, address, phone number, etc. GDPR also classifies online identifiers such as IP addresses, web cookies, and unique device identifiers as personal data. Even pseudonymous data is included. This is personal data which has been technically modified in some way, such as hashed or encrypted. It is worth noting that the rules are slightly relaxed for data that is pseudonymized, which provides an incentive for organizations to encrypt or hash their data. GDPR defines personal data as “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.” (GDPR Article 9, page 124)
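Pseudonymizing the online identifiers mentioned above (IP addresses, device identifiers, email addresses) in log records is one concrete way to act on the incentive the regulation gives. The following is an added example, not code from the original post or from any SolarWinds product; the sample events, field names and demo key are constructed for illustration. It uses a keyed HMAC rather than a bare hash, because identifier spaces such as IPv4 are small enough that an unkeyed hash can be matched back to its input, while the key held outside the logs is what keeps the tokens pseudonymous rather than merely obfuscated.

```python
import hmac
import hashlib
from typing import Dict, Iterable, List

# Constructed sample log records (not real data). These fields are exactly the
# kind of online identifiers that GDPR still treats as personal data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2018-03-01T10:15:00Z", "ip": "203.0.113.45",
     "email": "alice@example.com", "device_id": "a1b2c3d4", "action": "login"},
    {"ts": "2018-03-01T10:16:30Z", "ip": "203.0.113.45",
     "email": "alice@example.com", "device_id": "a1b2c3d4", "action": "download"},
    {"ts": "2018-03-01T11:02:11Z", "ip": "198.51.100.7",
     "email": "bob@example.org", "device_id": "ffee0011", "action": "login"},
]

# Fields whose values identify a natural person; every other field is kept verbatim.
IDENTIFIER_FIELDS = ("ip", "email", "device_id")


def pseudonymize_value(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC-SHA256 is used instead of a plain hash: without a key, an attacker who
    obtains the logs could enumerate the (small) IPv4 space and match tokens back
    to addresses. With the key stored separately (e.g. in a KMS), the same input
    still maps to the same token, so events from one source remain correlatable
    for detection work, but re-identification requires the key.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def pseudonymize_event(event: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return a copy of the event with identifier fields replaced by tokens."""
    out = dict(event)  # do not mutate the caller's record
    for field in IDENTIFIER_FIELDS:
        if out.get(field):
            out[field] = pseudonymize_value(out[field], key)
    return out


def pseudonymize_events(events: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [pseudonymize_event(e, key) for e in events]


def contains_raw_identifier(events: Iterable[Dict[str, str]], raw_values: Iterable[str]) -> bool:
    """Sanity check for a pipeline: does any original identifier survive in the output?"""
    blob = repr(list(events))
    return any(v in blob for v in raw_values)


if __name__ == "__main__":
    # Demo key only; in practice the key lives in a secrets store, never in code.
    demo_key = b"demo-key-keep-this-in-a-kms-not-in-code"
    for event in pseudonymize_events(SAMPLE_EVENTS, demo_key):
        print(event)
```

Because the tokens are deterministic per key, two events from the same address still carry the same token, so correlation rules keep working on pseudonymized data; rotating the key breaks that linkage across the rotation boundary, which is a deliberate trade-off to decide in the retention policy.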

My organization is not based in the EU—why should I care about GDPR?

Although it is an EU regulation, it is not limited to the EU. GDPR will affect organizations on a global scale. The regulation will apply to any organization that offers goods or services to EU citizens. If a company based outside the EU is storing, managing, or processing personal data belonging to EU citizens, they will need to ensure GDPR compliance (GDPR Article 3, page 110). According to a recent PwC study, a staggering 92% of US multinational companies have listed GDPR compliance as a data-privacy priority. A significant percentage of those organizations plan to spend $1 million or more on GDPR.

Data controllers vs. data processors

Controller – “The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Processor – “A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.”  (Article 4, GDPR page 112)

Under the DPD, data processors had very little responsibility to comply, whereas GDPR places joint responsibility on both data controllers and data processors to comply with the regulation. As an example, if an organization (controller) outsources its payroll to an external payroll company (processor), even though the payroll company is managing and storing data on behalf of the controller, it is now required to comply with GDPR. This will impact controllers and processors alike. Controllers will have to conduct reviews to ensure their processors have a framework in place to comply with GDPR. Processors will have to ensure they are compliant.

Data breach notification – GDPR Article 33 (page 53)

The Data Protection Directive didn’t require organizations to notify authorities of any data breaches. GDPR defines a personal data breach as the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.” It’s worth remembering that personal data now includes IP addresses, web cookies, unique device identifiers, and more. The GDPR also now requires organizations (or controllers, as they are known in GDPR) to report data breaches within 72 hours. If this deadline is not met, you will have to explain the reasons for the delay. If you are a data processor, you must report the breach to the controller. The controller then notifies the “supervisory authority.” Data subjects must also be informed when a breach poses a high risk to their rights and freedoms. However, if the controller had implemented protection measures such as encryption on the data, then the data subject’s rights and freedoms are unlikely to be at risk.

Individual rights

GDPR provides EU citizens with increased personal data rights. Just some of these individual rights include Consent (Article 7), Right to Erasure (Article 17), and Data Portability (Article 20).

Organizations will require consent when collecting personal data of EU citizens. The type of data and retention period will need to be stated in plain language that citizens can clearly understand. Data controllers will be required to prove that consent has been provided by the subject.

Individuals also have the right to erasure, meaning subjects can request controllers to delete all information about them, provided the controller has no reason to further process the data. There are exceptions if the data is used for legal obligations—for example, financial institutions are legally obliged to retain data for a certain period of time. If a data controller has shared personal data with third parties, the onus is on the controller to inform those third parties of the data subject’s request to erase the data.

Data Portability allows data subjects to receive the personal data they provided to a data controller in a structured, “machine-readable” format. This portability facilitates data subjects’ ability to move, copy, or transmit data easily from one service provider to another.

What happens if we don’t comply?

If your organization is not compliant with GDPR, it can receive fines of up to €20 million or 4% of global annual turnover for the preceding financial year (whichever is greater). These penalties apply to both data controllers and processors. (Article 83, section 5)

How can SolarWinds help?

GDPR will likely require organizations to implement new policies, procedures, controls, and technologies—it may even require you to hire a Data Protection Officer, in certain cases. While no single technology can meet all the requirements of GDPR, SolarWinds can certainly assist with some of the requirements.

Article 32: Security of processing

This section of GDPR requires organizations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” SolarWinds® Patch Manager can be used to identify and update missing patches and outdated third-party software on your Windows® servers and workstations. Patch Manager also enables you to inventory your Windows® machines and report on unauthorized software installations on your network.

Article 32 also requires “regular testing the effectiveness of technical measures for ensuring security of the processing.” SolarWinds LEM can be used to validate the controls you have put in place.

Please see here for more information: Article 32

Article 33 and 34: Notification of a personal data breach to the supervisory authority and communication of a personal data breach to the data subject

SolarWinds Risk Intelligence (RI) is a product that performs a scan to discover personally identifiable information across your systems and points out potential vulnerabilities that could lead to a data breach. RI can audit PII data to help ensure it is being stored in accordance with the requirements of GDPR. The reports from RI can be helpful in providing evidence of due diligence when it comes to the storage and security of PII data.

As mentioned previously, if a personal data breach occurs, the controller must notify the supervisory authority within 72 hours. It is vital that breaches and threats are identified as quickly as possible.

LEM can assist with the detection of potential breaches thanks to features such as correlation rules and Threat Feed Intelligence. LEM’s File Integrity Monitoring and USB Defender® can monitor for any suspicious file activity and also detect the use of unauthorized USB removable media. If an incident occurs, LEM’s nDepth feature can be leveraged to perform historical analysis. LEM also includes best practice reporting templates to assist with compliance reporting.

Please see here for more information: Article 33 and Article 34

“The implementation deadline for the regulation is May 25, 2018.”

The GDPR deadline is fast approaching. GDPR compliance will require significant effort from both data controllers and processors. There are several steps required to get started with GDPR, which include (but are not limited to) performing an analysis of what personal data your organization stores and where it’s stored, reviewing existing IT security policies and procedures, and ensuring you have the necessary technological and organizational procedures in place to detect, report, and investigate personal data breaches.

I am very interested in hearing opinions and how members of the THWACK community are preparing for GDPR. Please feel free to provide comments below.

To learn about SolarWinds’ portfolio of IT security software, please see here.


"GDPR will likely require organizations to implement new policies, procedures, controls, and technologies"

I've been in IT for many years and those that do the work - for a long time - have felt like policies and procedures are just "red tape." I've come to realize that we should really look at them as best practices and ways to maintain our course. I'll use a map as an example (for those of you who are younger than me, maps used to be large pieces of paper that were dual purpose - 1) help locating yourself and finding your way somewhere else and 2) providing hours and hours of enjoyable frustration as they were very difficult to re-fold).

Anyway, to use a map you must first locate where you are, identify where you were going (policies) and the intended path (procedures). Along the way it was necessary to periodically check the map for changes along the way (just heading west may eventually get you from New York to California - but California is a big state and you might not end up where you were expecting, and without checking the map you may "feel" that you are heading west but indeed be heading northwest and end up in Canada, or southwest and end up in Mexico).

It's the same way in IT: policies set the direction, procedures set the how, controls check to make sure we are on the correct path, and technologies facilitate the journey. Embrace them.

Level 12

I am curious to see what kinds of effects this will result in with service based industries such as healthcare. For instance if someone comes into your ER and they are an EU citizen that was visiting your country. Do you now have to comply with all those standards of the GDPR you may not even know of? I would be really curious to see how this would work.

Everyone is going to have to start asking for your nation of citizenship for everything you do, pretty much.

Visiting New York from the EU and buy something from a mom and pop bakery one morning with your credit card? Well now they have to follow the GDPR regulations as well with that data now, according to how I have interpreted it. Like they are even going to know what the GDPR is or that it even exists.

Level 8

@JHYNDS will SolarWinds be adding a default set of recommended alerting rules for GDPR like they have for other compliance standards?

Level 16

Wow, I'm going to ask our compliance person what they are doing at my work. We treat patients from all over the world.

It's a sure bet that virtually all companies will be out of compliance to one degree or another after the deadline passes.  Too little attention is paid to compliance until AFTER a problem has surfaced.


When Chip cards became required I was called to the cafeteria to build out a PCI network for their new cash registers - 2 days before the new law was to take effect. I worked with another engineer to pull this off. The next day the vendor arrived with swipe readers in hand. Ofda? "Your bank doesn't support chip readers yet."

Product Manager

This isn't something we are currently working on, but would love to understand the types of GDPR reports & alerts you'd like to see. Will reach out to you offline.

Level 16

I hope to see this happen in the US at some point in the future. I think companies would be less willing to collect and freely share data if they were held accountable for the data they collected.

An in-house PCI audit revealed multiple cafeterias had installed credit card readers and PRI's and modems.  No encryption.  They had been told they couldn't use credit cards on our network because it wasn't PCI compliant, so they went around us and put in a parallel non-PCI-compliant solution.  (heavy sigh of exasperation)

They were shut down and went back to cash, we designed a PCI compliant solution for them, bought new firewalls for it, isolated it completely,  put in a new Multi-Factor Authentication solution and required everyone to install the app on their smartphone, and got them going with credit cards again.  It was fast "for us", but the customers and checkout operators weren't particularly happy until we showed them what PCI violation fines came with their out-of-band network.  They're simply lucky they weren't audited externally.

Suddenly they were grateful for everything we were doing . . .

Level 7

I'm a European customer... a new feature is needed for the SEM compliance with GDPR: the possibility to set a retention time (i.e. 12 months) and the automatic deletion of events older than the defined retention time. Is it somehow possible to make a request for this feature? I think it could increase the customer base in the EU...
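The retention behaviour asked for in the comment above (a configured retention period, with events older than it removed automatically) is simple to state but has two edge cases worth getting right: "12 months" should be a calendar shift rather than a fixed number of days, and records with a missing or unparseable timestamp should be surfaced for review rather than silently kept forever or silently purged. The block below is an added example, not SEM/LEM code and not an existing feature; it assumes events are held as dictionaries with an ISO-8601 UTC timestamp under `ts`, and the sample events are constructed.

```python
import calendar
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample events (not real SEM data). Two are deliberately malformed
# to exercise the "cannot tell how old this is" path.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "ts": "2017-01-10T08:00:00Z", "msg": "user login"},
    {"id": 2, "ts": "2017-06-15T12:30:00Z", "msg": "usb device inserted"},
    {"id": 3, "ts": "2018-03-01T09:00:00Z", "msg": "file modified"},
    {"id": 4, "ts": "not-a-timestamp", "msg": "malformed record"},
    {"id": 5, "msg": "record without timestamp"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value: object) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; None if absent or unparseable."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def subtract_months(dt: datetime, months: int) -> datetime:
    """Shift a datetime back by whole calendar months, clamping the day
    (e.g. 31 March minus one month is 28 February, not 3 March)."""
    total = dt.year * 12 + (dt.month - 1) - months
    year, month_index = divmod(total, 12)
    month = month_index + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def purge_expired(events: Iterable[Dict[str, object]], now: datetime,
                  retention_months: int) -> Dict[str, object]:
    """Apply the retention policy once.

    Returns the surviving events plus an audit summary: which ids were removed,
    which could not be dated (kept, but reported so an operator can decide),
    and the cutoff that was applied. Keeping the summary is what lets you later
    demonstrate that deletion actually happened on schedule.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware to compare with UTC timestamps")
    cutoff = subtract_months(now, retention_months)
    kept: List[Dict[str, object]] = []
    removed_ids: List[object] = []
    unparseable_ids: List[object] = []
    for event in events:
        ts = parse_ts(event.get("ts"))
        if ts is None:
            unparseable_ids.append(event.get("id"))
            kept.append(event)
        elif ts < cutoff:
            removed_ids.append(event.get("id"))
        else:
            kept.append(event)
    return {
        "cutoff": cutoff,
        "kept": kept,
        "removed_ids": removed_ids,
        "unparseable_ids": unparseable_ids,
    }


if __name__ == "__main__":
    result = purge_expired(SAMPLE_EVENTS, datetime(2018, 5, 25, tzinfo=timezone.utc), 12)
    print("cutoff:", result["cutoff"].isoformat())
    print("removed:", result["removed_ids"], "needs review:", result["unparseable_ids"])
```

Run this from a scheduled job against the event store, and retain the returned summary (not the events) as the record that the policy was enforced; a retention purge that leaves no trace of its own execution is hard to evidence during an audit.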


About the Author
I have been involved in the IT industry for more than 8 years, focusing on IT Audit, Compliance and Information Security. I have held various roles from IT Desktop and Server Support, IT Auditing and Risk Management and Pre-Sales Engineering with SolarWinds.