# Regulation 2016/679 of the European Parliament and of the Council - General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) compliance report helps you assess your web application's security against the data protection requirements of European Union (EU) Regulation 2016/679.
## About the General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. It establishes a comprehensive framework for protecting the personal data and privacy of individuals within the EU and the European Economic Area (EEA). It also applies to organizations outside the EU if they handle the personal data of EU or EEA residents.
### Core principles
- Lawfulness, fairness, and transparency
  - Data must be processed legally, fairly, and in a transparent way.
- Purpose limitation
  - Data must only be collected for specified, explicit, and legitimate purposes.
- Data minimization
  - Only data necessary for the stated purpose should be collected.
- Accuracy
  - Data must be accurate and kept up to date.
- Storage limitation
  - Data should only be kept as long as necessary.
- Integrity and confidentiality
  - Data must be processed securely.
- Accountability
  - Organizations are responsible for complying and must be able to demonstrate compliance.
### Covered entities
GDPR applies to any organization or person that determines how or why personal data is processed, or processes it on behalf of another.
### Obligations for organizations
- Obtain clear consent when required.
- Maintain records of processing activities.
- Implement appropriate security measures (encryption, access controls, etc.).
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk activities.
- Appoint a Data Protection Officer (DPO) in certain cases.
- Report personal data breaches to authorities within 72 hours.
### Compliance penalties
- Supervisory authorities in each EU member state oversee compliance.
- Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher.
- Regulators also have powers to issue warnings, reprimands, and impose temporary or permanent bans on data processing.
## AppScan's GDPR Compliance report
This report automatically identifies potential issues in your web application that can affect your compliance with the security requirements in Article 32 of the GDPR.
## GDPR report vulnerability groups
The following table lists the specific GDPR vulnerability groups that AppScan Enterprise evaluates. Vulnerabilities found in your application are mapped to these vulnerability groups.
| Article | Description |
|---|---|
| Article 32, Section 1 | Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. |
| Article 32, Section 1.a | The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including inter alia as appropriate: the pseudonymisation and encryption of personal data. |
| Article 32, Section 1.b | The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. |