GDPR – The Change Agent

GDPR has changed how companies handle data loss prevention, in four critical ways. First, in addition to protecting core IP, financial and other sensitive data, companies now have to guarantee protection of the data of its customers and employees too. Second, the protection has to be from both outside intrusion and insider threats. Third, there has to be a fallback mechanism. Businesses will be measured against their ability to handle data breaches and how fast and thoroughly they can respond to such incidents. Finally, as the name implies, GDPR has generalized the data protection rules and made it mandatory and homogeneous across all businesses, big and small. No longer is data protection an optional choice for any organization.

The regulation has already started stirring the pot, so to speak. After just six months of the GDPR enforcement began, 8,000 data breach reports were filed in the UK alone according to privacy watchdogs. Lawsuits are being waged, fines charged. We already heard about the multi-billion dollar lawsuits brought against Google, Facebook, Instagram and WhatsApp on day one of GDPR. And now British Airways and Marriott could face similar lawsuits and large GDPR fines too. That’s the scariest part of GDPR. Failure to meet GDPR compliance may lead to penalties as high as €20M or 4% of total global revenues, whichever is greater. Not to mention, the risk of class action lawsuits, loss of reputation and customer trust are likely outcomes too. One thing is clear, even after all the attention and press coverage, many companies are still not ready for GDPR. One reason being, it’s new, it’s complex and as a result, there’s a sense of ambiguity in people’s mind. Without fully understanding what is required, it’s hard for businesses to find a solution.

Key GDPR Concepts

With its 12 Chapters and 99 Articles, GDPR is a comprehensive, widely scoped legislature. The whole compliance process is a complex undertaking and requires engagement across the entire organization: legal, compliance, marketing, operations/IT, finance, HR to sales. So, it’s imperative that everyone in your organization understands at least the basic concepts of GDPR and what’s expected of them. The table below summarizes the key terminologies and their definitions. To help you sort through the details, we have provided notes regarding the direct operational requirements of each component.

Data subjects and their rightsData subjects are EU citizens who supply their personal data to your organization for some form of business use. This can be your customers, partners, employees even job candidates. A total of eight rights are granted to a data subject. The right to be informed, the right of access, the right to: ratification, erasure, restrict processing, data probability, object and rights in relation to automated decision making/profiling. You can read more about them here.

For an organization, this means, you will need mechanisms in place to uphold these rights. For example, proper consent forms when collecting data, access levels and authentication system to restrict processing etc.

Personal dataPersonal data is information that can be used to identify an individual and must be protected by all means. This can be as simple as a name or a number or a bit more complex data types like IP address, website cookie, genetic data and biometric data, racial origin, sex etc. Caution must be practices for data which might seem unrelated to a person but still could be used to identify them.

Data discovery and classification tools to identify personal data will be crucial. Especially when there’s a large volume of unstructured data involved.

Data collection and processingYou must identify valid grounds for collecting and processing any personal data. This has to pass three litmus tests: lawfulness, fairness and transparency. Data storage and transfer have to meet certain requirements too. For example: you can’t keep the data longer than necessary and provide necessary security during its processing or transfer.

Three principles of Data Loss Prevention (data protection at rest, on the move and on access), encryption and on-the fly content protection will be the key to meeting these requirements.

ControllerController is the one who decides to collect or process the personal data, determines its outcome and gets directly impacted by its use. Most companies or employers will fall in this category.

Strategic plans, data categorization tools, risk analysis, change management and business transformation guides will be essential in setting clear roles for the Controllers.

ProcessorA Processor is someone following instructions from the data controller to collect/process the personal data and doesn’t get benefited directly by its outcome. For example, a third-party agency hired by your marketing department to run customer campaigns might be a Processor.

Third-party vendor management, access control and contractual oversight will be required to make sure the Controller has implemented the right accountability procedures for the Processor(s).

DPOA public body and organizations performing specific processing duties usually involving the general population (i.e. hospitals, the security agency monitoring a mall, a large-head hunting company etc.) need to hire a Data Processing Officer (DPO). S/he is the point person for anything related to the compliance and provides advice regarding Data Protection Impact Assessment (DPIAs).

This is will definitely be a challenging role for anyone. The DPO will need all the tools and help they can get – including monitoring, security, reporting and auditing solutions. 

GDPR PrinciplesSeven key principles are at the heart of the GDPR. They don’t give any hard and fast rules but are designed to embody the spirit of the regime. The principles are: Lawfulness, fairness and transparency, Purpose limitation, Data minimisation, Accuracy, Storage limitation, Integrity and confidentiality and Accountability.

All these imply strong policy implementation around data storage, access on a need to know basis, proper record keeping and cross checks of any data processing involving personal data.

GDPR Solutions: All that Glitters Is Not Gold

GDPR will change the privacy and data protection landscape, globally. EU has the clout (it’s the second largest economy in the world) to carry it though and businesses will have no ways but to oblige.  Support from the general public will also force other countries and jurisdiction to follow suit. For example, California already signed their CCPA in late 2018 which many are saying is a carbon copy of GDPR. Brazil even enacted their own privacy legislation called GDPL recently.

So, it’s not surprising that companies are scrambling to find a solution to comply with these evolving regulations. Software vendors, service providers, consultants all are setting up shops with various offerings to meet the rising demand. Suddenly, everybody is a GDPR expert overnight! Some hastily putting together products that aren’t designed to serve the complex monitoring, auditing and data loss prevention requirements of GDPR. Some have the technology know-how but never dealt with the compliance industry. On the other hand, many solutions are out there to ensure compliance with respect to various systems. However, how they handle, store, secure and transmit data, the human factor in these data driven transactions remains difficult to oversee, mandate and manage.

GDPR Requirements: How Teramind Can Help

Teramind is a leading, global provider of employee and user activity monitoring, user behavior analytics, insider threat detection, forensics and data loss prevention solutions. Our compliance solution was designed from the ground up to cover multiple standards and regulations like GDPR, HIPAA, ISO 27001 (Teramind is ISO 27001 certified), PCI DSS and more since 2014.

Teramind’s comprehensive ‘endpoint’ security solutions such as employee and user activity monitoring, data loss prevention, third-party vendor management and insider threat detection software work together to manage how private data is handled in your organization and provide you with the means to ensure GDPR’s data privacy requirements are met consistently.


Here are some of those key GDPR requirements and how Teramind can help you with each.

1: GDPR accountability framework and general provisions (Article 1-4)

What is requiredHow Teramind can help
●       GDPR is a very comprehensive regulation that will require top-level executive support to be effective.

●       The material scope applies to the processing of personal data wholly or partly by automated means or as part of a filing system.

●       Guides and other useful resources to help you make an informed decision about GDPR.

●       Capture all user data including privileged users and admins.

●       Automatically detect and block unauthorized data processing.

2: Adopting principles processing personal data (Article 5-11)

What is requiredHow Teramind can help
●       There are seven Articles relating to the GDPR principles.

●       Data categorizations is handled in three separate categories: special (i.e. health data), criminal/offense and general (no-identification) category.

●       Though there are no hard and fast rules; exceptions are limited.

●       Ensure processing is necessary and lawful for which a user is requesting access to certain data.

●       Data classification can be set to identify personal data like date of birth, address, genetic information, health etc.

●       Policies and rules can be created using advanced OCR and fingerprinting features to detect and restrict access to personal data automatically.

3: Ensuring the rights of data subject (Article 12-23)

What is requiredHow Teramind can help
●       There are several specific individual rights granted under GDPR around data access, rectification, erasure, restriction, portability and object etc.

●       In some cases, these rights aren’t absolute. For example, right to access can be denied if that access adversely affects the rights and freedoms of others.

Rights of Data Subjects, such as the Right to Access, are normally exercised by individuals. In some cases, Teramind can help with additional verification and automation. For example:

Automatically log accesses to personal data by your staff and produce a detailed list on request.

4: Fulfilling controller and processor obligations (Article 24-43)

What is requiredHow Teramind can help
●       This is the longest chapter of GDPR with 20 articles.

●       It can be broken down into four focus areas:  responsibility (Controllers, Processors, certification bodies etc.), data protection (by design and by default, security, breach reporting, record keeping) and Data Protection Impact Assessments (DPIAs).

●       Teramind can ensure data is processed only in the context it is required to be processed. Additionally, the software can be configured with restricted feature sets allowing for further privacy of its users conforming to the protection by design and by default.

●       Extensive reporting and forensic capability to fulfill the record keeping breach reporting incidents.

●       Support for monitoring the codes of conduct, and security of processing.

5: Provisions relating to specific processing situations (Article 44-50)

What is requiredHow Teramind can help
●       There are some special cases where provisions apply. For example: freedom of expression, public access to official documents, protection rules of churches and religions associations etc.

●       Processing of national identification numbers.

●       Processing for employees.

●       Archiving.

●       Teramind can detect national identification number or any other identifier and then enforce rules to their proper handling.

●       Transparency of processing and monitoring systems at the workplace.

●       Control over how much data is archived and for how long.

GDPR Special Considerations:

Following the GDPR Articles is the best way to achieve the its compliance requirements. But there are some special considerations too that might not be as clear. For example:

Information security management:

Unlike technical standards like PCI DSS, ISO 27001 etc., GDPR does not specifically dictate what information security measures need to be in place. So, what should you do? The solution is to follow Data Loss Prevention best practices and guidelines from other standards that has a strong cyber security component – i.e. PCI DSS, ISO 27001 etc. That’s why it’s important that you select a solution provider like Teramind who has experience developing solutions for technical standards.


How does privacy protection applies to the Cloud services/PaaS/SaaS? Adopting a Cloud solution might actually be beneficial as it will offload many of the compliance requirements to the vendor. Especially, customers opting for Teramind on AWS, will have Amazon’s backing which already has compliance backed in its infrastructure.

Data life-cycle management:

Businesses need to work with third parties and suppliers. Some of these are covered under the GDPR ‘Processor’ requirements.  However, this walled-garden approach might not be enough as the protection now extends beyond your own network. How do you handle data exfiltration when you have no control over the third parties? This is why you need a dedicated third-party management system which Teramind offers.

Cross border data:

There are specific requirements for data crossing the EU border. For example, in an e-commerce scenario. However, this is comparatively easier as you can control the database housing your EU customers. But what about remote employees? Things can get a bit complicated there. As you now have to worry about their data and the data they are accessing from the organization. Without a dedicated remote employee monitoring solution, it will be hard to trace such activities and data movements.


Teramind helps companies with all stages of the GDPR readiness and then ensures long-term compliance with our powerful ‘designed for compliance’ solution.  For you benefits, we have simplified GDPR compliance in 3 easy steps:

  1. Auto discovery and classification of regulated personal data;
  2. Ongoing monitoring of the said data to ensure its integrity and security;
  3. And then finally, a thorough incident audit mechanism to satisfy the data breach reporting requirements within 72 hours.

Visit our Teramind for GDPR page to learn more or check out our interactive demo to discover all the features of Teramind for yourself. You can also ask for a presentation from one of our product specialists.