GDPR Article 32: Security of Processing

The General Data Protection Regulation (GDPR) Audit reports provide documentation and compliance artifacts that help you demonstrate compliance with requirements outlined by GDPR.

The GDPR Article 32: Security of Processing report describes and provides access to features in the Alert Logic console that help demonstrate compliance with GDPR Article 32.

To access the GDPR Article 32: Security of Processing report:

  1. In the Alert Logic console, click the menu icon, and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under GDPR Audit, click VIEW.
  4. Click GDPR Article 32: Security of Processing.

Filter the Report

To refine your findings, you can filter your report by date range and customer account.

Filter the report using drop-down menus

By default, Alert Logic includes (All) filter values in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

The report summary page displays two columns. Requirements lists each requirement from the selected GDPR Article. Available Documentation and Artifacts describes and contains links to the documentation and compliance artifacts that this report can generate to meet each requirement listed by the GDPR Article.

Available documentation and artifacts

This report provides documentation and artifacts that help you demonstrate that policies and procedures are implemented to ensure the security of processing.

Requirements 1 and 2

Requirement 1 of GDPR Article 32 requires that the controller and processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

  1. pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process of regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

Requirement 2 of GDPR Article 32 requires that the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed, be taken into account when assessing the appropriate level of security.

This section provides you with the following links for quick access to appropriate pages in the Alert Logic console:

  • The Deployments page, where you can Manage Scan Schedules for the deployments in your environments to detect software and application vulnerabilities, risky configurations, and systems with encryption issues.
  • The Health console, where you can check the status of your networks monitored by the Network IDS to identify potential threat activity including data exfiltration, brute force, privilege escalations, and command and control exploits.
  • The Health console, where you can check the status of your agent configuration for log management collection, which supports analysis of indicators of compromise and suspicious behaviors, and supports incident response forensics.
  • The Alert Logic Managed Web Application Firewall (WAF) configuration page, where you can Configure Alert Logic Managed Web Application Firewall (WAF) to block dozens of web application attack classifications.
  • The Deployments page, where you can configure File Integrity Monitoring to change how you monitor specific file paths.
  • The Extended Endpoint Protection configuration page, where you can Manage Endpoints and review the protection status, anti-malware software version status, and last check-in time for Windows and macOS endpoints in your environment.

Requirement 3

Requirement 3 of GDPR Article 32 states that adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1 of GDPR Article 32.

Alert Logic does not provide data for this requirement.

Requirement 4

Requirement 4 of GDPR Article 32 requires that the controller and processor take steps to ensure that any natural person who has access to personal data and is acting under the authority of the controller or processor does not process them except on instruction from the controller, unless he or she is required to do so by Union or Member State law.

Alert Logic does not provide data for this requirement.