GDPR Compliance

Overview

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that applies to organizations processing personal data of EU residents. Wazuh helps organizations monitor technical and organizational measures required for GDPR compliance through security event detection and data protection controls. Wazuh maps security events to GDPR articles and requirements through the rule.gdpr field. The compliance requirements are defined in: Source: plugins/main/common/compliance-requirements/gdpr-requirements.ts

Data Security Principles (Chapter II)

II_5.1.f - Confidentiality and Integrity

Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, verifying its modifications, accesses, locations and guarantee the safety of them. File sharing protection and file sharing technologies that meet the requirements of data protection.Technical Measures:

System integrity monitoring
Access control verification
File sharing security
Encryption verification
Backup and disaster recovery

Monitored by: File integrity monitoring, access logs, encryption status checks, availability monitoring

Rights of Data Subjects (Chapter III)

III_14.2.c - Right to Restriction

Restrict the processing of personal data temporarily.Technical Measures:

Data processing controls
Temporary access restrictions
Processing activity logs

Monitored by: Data access events, processing activity tracking, restriction implementation logs

III_17 - Right to Erasure

Permanently erase personal information of a subject (“right to be forgotten”).Technical Measures:

Secure data deletion
Erasure verification
Backup purging
Audit trail of deletions

Monitored by: Data deletion events, erasure completion verification, backup system logs

Controller and Processor Obligations (Chapter IV)

IV_24.2 - Accountability

Be able to demonstrate compliance with the GDPR by complying with data protection policies.Technical Measures:

Policy enforcement monitoring
Compliance evidence collection
Audit trail generation
Documentation of technical measures

Monitored by: Policy violation alerts, compliance reporting, security event logging

IV_28 - Processor Security

Ensure data protection during processing, through technical and organizational measures.Technical Measures:

Processing activity monitoring
Security control implementation
Third-party processor oversight
Data processing agreements enforcement

Monitored by: Processing security events, control effectiveness checks, processor activity logs

IV_30.1.g - Records of Processing Activities

It is necessary to keep all processing activities documented, to carry out an inventory of data from beginning to end and an audit, in order to know all the places where personal and sensitive data are located, processed, stored or transmitted.Technical Measures:

Data flow mapping
Processing activity logging
Data location tracking
System inventory management

Monitored by: Data access events, processing logs, data transfer monitoring, system discovery alerts

IV_32.1.c - Data Loss Prevention

Data Loss Prevention (DLP) capabilities to examine data flows and identify personal data that is not subject to adequate safeguards or authorizations. DLP tools can block or quarantine such data flows. Classify current data appropriately to determine specific categories of data that will be subject to the GDPR.Technical Measures:

DLP system monitoring
Data classification enforcement
Unauthorized data transfer detection
Data flow analysis
Quarantine and blocking controls

Monitored by: DLP alerts, data transfer violations, classification errors, unauthorized access attempts

IV_32.2 - Access Control and Monitoring

Account management tools that closely monitor actions taken by standard administrators and users who use standard or privileged account credentials are required to control access to data.Technical Measures:

Privileged access monitoring
User activity tracking
Account management logging
Access control enforcement
Anomalous behavior detection

Monitored by: Privileged command execution, account changes, access violations, suspicious user activity

IV_33 - Data Breach Notification

Notify the supervisory authority of a violation of the data in 72 hours and in certain cases, the injured parties.Technical Measures:

Breach detection systems
Incident response automation
Notification workflow systems
Incident timeline tracking

Monitored by: Security incident alerts, data breach indicators, unauthorized access detection, data exfiltration attempts

IV_35.1 - Data Protection Impact Assessment (DPIA)

Perform a data protection impact evaluation for high risk processes. Implement appropriate technical measures to safeguard the rights and freedoms of data subjects, informed by an assessment of the risks to these rights and freedoms.Technical Measures:

Risk assessment automation
High-risk processing identification
Technical safeguard implementation
Control effectiveness monitoring

Monitored by: High-risk activity detection, control failures, security measure effectiveness metrics

IV_35.7.d - Security and Incident Response

Capabilities for identification, blocking and forensic investigation of data breaches by malicious actors, through compromised credentials, unauthorized network access, persistent threats and verification of the correct operation of all components.Network perimeter and endpoint security tools to prevent unauthorized access to the network, prevent the entry of unwanted data types and malicious threats. Anti-malware and anti-ransomware to prevent malware and ransomware threats from entering your devices.A behavioral analysis that uses machine intelligence to identify people who do anomalous things on the network, in order to give early visibility and alert employees who start to become corrupt.Technical Measures:

Intrusion detection/prevention systems
Endpoint security monitoring
Anti-malware protection
Behavioral analytics
Forensic logging
Network segmentation
Credential compromise detection

Monitored by: IDS/IPS alerts, malware detection, anomalous behavior patterns, compromised credential usage, lateral movement attempts, ransomware activity

Open GDPR Module

Navigate to the GDPR section in the Wazuh Dashboard overview.

Review Article Compliance

The dashboard displays GDPR articles organized by chapter (II, III, IV).

Filter by Chapter

Click on chapter categories (II, III, IV) to view specific articles.

Analyze Compliance Events

Review security events mapped to each GDPR requirement.

Dashboard Components

The GDPR dashboard includes:

Top articles by alert count - Identifies areas needing attention
Chapter distribution - Shows compliance across GDPR chapters
Data breach indicators - Highlights potential Article 33 violations
Access control violations - Tracks Article 32 compliance

Source: plugins/main/public/components/overview/gdpr/dashboards/dashboard-panels.ts

Data Source Implementation

The GDPR data source filters events by the rule.gdpr field:

const KEY_EXIST = 'rule.gdpr';

Reference: plugins/main/public/components/common/data-source/pattern/events/gdpr/gdpr-data-source.ts:5

Event Columns

GDPR events table displays:

Timestamp
Rule description
GDPR article (rule.gdpr field)
Alert level
Data subject impact
Agent information

Source: plugins/main/public/components/overview/gdpr/events/gdpr-columns.tsx:8 GDPR requirements follow the pattern [CHAPTER]_[ARTICLE].[PARAGRAPH].[POINT]:

II_5.1.f - Chapter II (Principles), Article 5, Paragraph 1, Point (f)
III_14.2.c - Chapter III (Rights), Article 14, Paragraph 2, Point (c)
IV_32.1.c - Chapter IV (Controller/Processor), Article 32, Paragraph 1, Point (c)

Define Audit Period

Select the date range for the GDPR compliance report.

Filter by Article

Focus on specific GDPR articles relevant to your audit (e.g., Article 32 for security, Article 33 for breach notification).

Include Data Protection Measures

Document technical measures implemented for each article.

Export Evidence

Generate reports showing compliance events and security control effectiveness.

Article 32: Security of Processing

Monitor technical measures for data security:

Pseudonymisation & Encryption

Track encryption usage and pseudonymisation controls through security events.

Confidentiality Monitoring

Monitor unauthorized access attempts and data confidentiality violations.

Integrity Protection

Use file integrity monitoring to ensure data integrity (Article II_5.1.f).

Availability Assurance

Track system availability and resilience through monitoring events.

Article 33: Breach Notification

Wazuh helps meet the 72-hour notification requirement:

Real-time breach detection - Immediate alerts for security incidents
Incident timeline - Automatic logging of breach discovery time
Impact assessment - Data on affected systems and potential data subjects
Evidence collection - Forensic data for breach notification documentation

Article 35: Data Protection Impact Assessment

Monitor high-risk processing activities:

Identify processing that requires DPIA through alert patterns
Track implementation of risk mitigation measures
Monitor effectiveness of technical safeguards
Document security controls for DPIA evidence

Data Subject Rights Monitoring

Wazuh supports monitoring technical implementation of data subject rights:

Right	GDPR Article	Wazuh Monitoring
Right to erasure	III_17	Data deletion events, backup purging logs
Right to restriction	III_14.2.c	Processing restriction implementation logs
Right to portability	Article 20	Data export and transfer monitoring
Right to rectification	Article 16	Data modification and correction logs

Integration with Other Modules

GDPR requirements appear in:

MITRE ATT&CK view - Maps data protection to attack techniques
File Integrity Monitoring - Supports Article II_5.1.f (integrity)
Vulnerability Detection - Identifies security risks (Article 32)

Reference: plugins/main/public/components/overview/mitre/framework/components/techniques/components/rule-details.tsx:114

Requirement Data Structure

The complete GDPR requirements mapping:

export const gdprRequirementsFile = {
  'II_5.1.f': 'Ensure the ongoing confidentiality, integrity...',
  'III_14.2.c': 'Restrict the processing of personal data temporarily.',
  'III_17': 'Permanently erase personal information...',
  'IV_24.2': 'Be able to demonstrate compliance...',
  'IV_28': 'Ensure data protection during processing...',
  'IV_30.1.g': 'Keep all processing activities documented...',
  'IV_32.1.c': 'Data Loss Prevention capabilities...',
  'IV_32.2': 'Account management tools that closely monitor...',
  'IV_33': 'Notify the supervisory authority...',
  'IV_35.1': 'Perform a data protection impact evaluation...',
  'IV_35.7.d': 'Capabilities for identification, blocking...',
};

Full definition: plugins/main/common/compliance-requirements/gdpr-requirements.ts:12

Best Practices

Focus on Article 32

Prioritize security of processing measures - the technical foundation of GDPR.

Monitor Article 33 Triggers

Set up alerts for potential data breaches to enable 72-hour notification.

Document Technical Measures

Use Wazuh logs as evidence of Article 32 technical measures implementation.

Regular DPIA Updates

Review high-risk processing alerts to update DPIAs (Article 35).

Compliance Overview
[File Integrity Monitoring(/modules/file-integrity-monitoring) - Supports Article II_5.1.f
[Log Analysis(/modules/threat-hunting) - Supports Article 30 (records of processing)
[Incident Response(/guides/threat-analysis) - Supports Article 33 (breach notification)

Get Started

Core Concepts

Security Modules

Compliance

Cloud Integrations

Agent Management

Configuration

Development

Overview

Data Security Principles (Chapter II)

Rights of Data Subjects (Chapter III)

Controller and Processor Obligations (Chapter IV)

Dashboard Components

Data Source Implementation

Event Columns

Article 32: Security of Processing

Pseudonymisation & Encryption

Confidentiality Monitoring

Integrity Protection

Availability Assurance

Article 33: Breach Notification

Article 35: Data Protection Impact Assessment

Data Subject Rights Monitoring

Integration with Other Modules

Requirement Data Structure

Best Practices

Focus on Article 32

Monitor Article 33 Triggers

Document Technical Measures

Regular DPIA Updates

Build docs developers (and LLMs) love

Get Started

Core Concepts

Security Modules

Compliance

Cloud Integrations

Agent Management

Configuration

Development

​Overview

​GDPR Requirements Coverage

​Data Security Principles (Chapter II)

​Rights of Data Subjects (Chapter III)

​Controller and Processor Obligations (Chapter IV)

​Using the GDPR Dashboard

​Accessing GDPR Compliance View

​Dashboard Components

​Data Source Implementation

​Event Columns

​Compliance Reporting for GDPR

​GDPR Article Naming Convention

​Generating GDPR Reports

​GDPR-Specific Use Cases

​Article 32: Security of Processing

Pseudonymisation & Encryption

Confidentiality Monitoring

Integrity Protection

Availability Assurance

​Article 33: Breach Notification

​Article 35: Data Protection Impact Assessment

​Data Subject Rights Monitoring

​Integration with Other Modules

​Requirement Data Structure

​Best Practices

Focus on Article 32

Monitor Article 33 Triggers

Document Technical Measures

Regular DPIA Updates

​Related Documentation

Build docs developers (and LLMs) love

Overview

GDPR Requirements Coverage

Data Security Principles (Chapter II)

Rights of Data Subjects (Chapter III)

Controller and Processor Obligations (Chapter IV)

Using the GDPR Dashboard

Accessing GDPR Compliance View

Dashboard Components

Data Source Implementation

Event Columns

Compliance Reporting for GDPR

GDPR Article Naming Convention

Generating GDPR Reports

GDPR-Specific Use Cases

Article 32: Security of Processing

Article 33: Breach Notification

Article 35: Data Protection Impact Assessment

Data Subject Rights Monitoring

Integration with Other Modules

Requirement Data Structure

Best Practices

Related Documentation