GDPR Compliance
The General Data Protection Regulation (GDPR) policy framework detects personal data exposure and generates violations according to EU data protection requirements.
Availability: GDPR policy is included in all editions (Basic and Enterprise).
Overview
GDPR establishes requirements for protecting personal data of EU residents. Aquilon DLP’s GDPR policy helps data controllers and processors comply with:
- Article 5: Principles relating to processing of personal data
- Article 32: Security of processing
- Article 33: Notification of personal data breach
Personal Data Categories
The GDPR policy detects:
| Data Category | Scanners | Severity | GDPR Article |
|---|---|---|---|
| National ID Numbers | ssn, EU national IDs (see below) | Critical | 9 (Special) |
| Financial Data | iban, credit_card, bank_account | High | 9 |
| Health Data | health_record, medical_record_number | Critical | 9 |
| Biometric Data | biometric | Critical | 9 |
| Email | email | Medium | 4 |
| Phone | phone | Medium | 4 |
| Address | address | Medium | 4 |
| Date of Birth | date_of_birth | Medium | 4 |
| Passport | passport | High | 4 |
EU/EEA National ID Coverage
The GDPR policy includes 15 specialized scanners for national identification numbers across EU and EEA member states. Each scanner validates country-specific checksum algorithms to reduce false positives.
European National IDs
| Country | Scanner | Format | Validation |
|---|---|---|---|
| France | france_nir | 15 digits (NIR) | Mod 97 |
| Germany | germany_steurid | 11 digits (Steuer-ID) | Format rules |
| Italy | italy_cf | 16 chars (Codice Fiscale) | Mod 26 |
| Spain | spain_dni | 8-9 chars (DNI/NIE) | Mod 23 |
| Poland | poland_pesel | 11 digits (PESEL) | Weighted mod 10 |
| Netherlands | netherlands_bsn | 9 digits (BSN) | 11-proof |
| Belgium | belgium_nrn | 11 digits (NRN) | Mod 97 |
| UK | uk_nino | 9 chars (NINO) | Format rules |
| Sweden | sweden_personnummer | 10-12 digits | Luhn |
| Norway | norway_fodselsnummer | 11 digits | Dual mod-11 |
| Finland | finland_hetu | 11 chars (HETU) | Mod 31 |
| Portugal | portugal_nif | 9 digits (NIF) | Weighted mod 11 |
| Romania | romania_cnp | 13 digits (CNP) | Weighted mod 11 |
| Czech/Slovakia | czech_rodne_cislo | 9-10 digits | Mod 11 |
| Turkey | turkey_tc_kimlik | 11 digits (TC Kimlik) | Two-step checksum |
Note: Turkey’s KVKK (Kişisel Verilerin Korunması Kanunu) is modeled on GDPR. Turkish national IDs are included for organizations processing Turkish residents’ data under GDPR-equivalent requirements.
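To show what the "Validation" column above means in practice, here is an added example (not Aquilon DLP's own scanner code) that implements three of the listed check-digit rules: the Dutch BSN 11-proof, the Polish PESEL weighted mod 10 and the Luhn check on a 10-digit Swedish personnummer. The candidate patterns, the `scan` helper and the sample text are assumptions made for this illustration; the point is that a checksum rejects most digit strings that merely have the right length, which is how the scanners keep false positives down.

```python
"""Check-digit validation for three of the national ID formats in the table.

Added illustration, not the product's own code: the BSN, PESEL and
personnummer rules are the publicly documented ones; the regexes, the
scan() helper and the sample text are assumptions for this example.
"""
import re


def valid_bsn(value: str) -> bool:
    """Dutch BSN (11-proof): 9 digits, weights 9..2 on the first eight and -1 on
    the last; the weighted sum must be divisible by 11."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 9:
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def valid_pesel(value: str) -> bool:
    """Polish PESEL: 11 digits, weights 1,3,7,9 repeating over the first ten;
    check digit = (10 - weighted sum mod 10) mod 10."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 11:
        return False
    weights = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3]
    total = sum(int(d) * w for d, w in zip(digits[:10], weights))
    return (10 - total % 10) % 10 == int(digits[10])


def valid_personnummer(value: str) -> bool:
    """Swedish personnummer: Luhn over the 10-digit form YYMMDDNNNC.
    The 12-digit form carries the century, which the checksum ignores."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 12:
        digits = digits[2:]
    if len(digits) != 10:
        return False
    total = 0
    for i, d in enumerate(digits):
        n = int(d) * (2 if i % 2 == 0 else 1)   # double every other digit from the left
        total += n - 9 if n > 9 else n
    return total % 10 == 0


# Candidate pattern per scanner (assumed); the checksum decides whether a match counts.
VALIDATORS = {
    "netherlands_bsn": (r"\b\d{9}\b", valid_bsn),
    "poland_pesel": (r"\b\d{11}\b", valid_pesel),
    "sweden_personnummer": (r"\b\d{6}[-+]?\d{4}\b", valid_personnummer),
}


def scan(text: str) -> list[tuple[str, str]]:
    """Return (scanner, match) pairs for candidates that pass their checksum."""
    hits = []
    for scanner, (pattern, check) in VALIDATORS.items():
        for m in re.finditer(pattern, text):
            if check(m.group(0)):
                hits.append((scanner, m.group(0)))
    return hits


# Constructed sample text: two well-known test numbers plus two length-only look-alikes.
SAMPLE = (
    "BSN 111222333 on file; invoice ref 111222334; "
    "PESEL 44051401458; Swedish personnummer 811218-9876; order 123456789."
)

if __name__ == "__main__":
    for scanner, value in scan(SAMPLE):
        print(f"{scanner}: {value}")
```

Of the four 9-digit strings in the sample only `111222333` survives the 11-proof; `111222334` and `123456789` have the right length but fail the checksum, which is exactly the class of false positive a length-only regex would report.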
Context Detection
Each national ID scanner uses country-specific context keywords to increase detection confidence:
- Nordic: personnummer, fødselsnummer, henkilötunnus, Skatteverket, Folkeregisteret
- Western Europe: NIR, Steuer-ID, codice fiscale, DNI, BSN, NRN, NINO
- Eastern Europe: PESEL, CNP, rodné číslo
- Turkey: TC Kimlik, Kimlik No, Nüfus
See the Policy Frameworks guide for the complete list of all 28 national ID scanners across all regions.
Special Category Data
Article 9 special category data receives elevated severity:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
Scanner Mappings
Critical Severity
Special category data under Article 9:
- Health Data: Medical records, health information
- Biometric Data: Fingerprints, facial recognition
- National IDs: SSN, government-issued identifiers (when combined with health details)
High Severity
Personal data enabling direct identification:
- Financial Identifiers: IBAN, credit cards, bank accounts
- Travel Documents: Passport numbers
- National IDs: In general contexts
Medium Severity
Personal data requiring context:
- Contact Information: Email, phone, address
- Dates: Date of birth
- Names: When combined with other data
Configuration
Basic Configuration
```toml
[policies]
enabled_policies = ["gdpr"]
```
Advanced Configuration
```toml
[policies.policy_configs.gdpr]
settings = { confidence_threshold = "0.7", sensitivity_level = "2", detect_special_categories = "true" }
```
Configuration Options
| Option | Description | Default |
|---|---|---|
| confidence_threshold | Minimum scanner confidence | 0.7 |
| sensitivity_level | Severity multiplier (1-3) | 2 |
| detect_special_categories | Elevate Article 9 data | true |
Context Detection
The GDPR policy analyzes context to determine severity. Enable the gdpr_phone context profile for phone number classification:
```toml
[context]
enabled_profiles = ["gdpr_phone"] # Add to existing profiles
```
Phone Number Context
The gdpr_phone profile distinguishes personal from business phone numbers:
- Personal indicators (triggers violation): mobile, cell, home phone, personal, private, emergency contact
- Business indicators (suppresses violation): office, fax, support, helpdesk, extension, toll-free, switchboard
Note: Phone numbers without personal context do NOT trigger GDPR violations. A bare phone number like 555-123-4567 requires nearby keywords like “mobile” or “cell” to be flagged.
EU Context Keywords
- EU member states: Germany, France, Italy, Spain, etc.
- GDPR terms: data subject, controller, processor, consent
- Languages: Non-English European languages increase confidence
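The following added example (not Aquilon DLP's own code) shows the behaviour described for the gdpr_phone profile and the EU context keywords: a phone number becomes a violation only when a personal indicator sits nearby, business indicators suppress it, a bare number is left alone, and EU terms raise confidence. The indicator lists and the 0.7 threshold come from this page; the phone pattern, the 40-character window, the confidence values and the rule that a personal indicator outweighs a business one when both appear are assumptions made for the illustration.

```python
"""Context-aware phone classification after the gdpr_phone profile.

Added example, not the product's own code. Indicator lists and the 0.7
threshold are from the page; the regex, window size, scoring and
personal-beats-business rule are assumptions for this illustration.
"""
import re

PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")   # assumed NANP-style pattern

PERSONAL_INDICATORS = ["mobile", "cell", "home phone", "personal", "private", "emergency contact"]
BUSINESS_INDICATORS = ["office", "fax", "support", "helpdesk", "extension", "toll-free", "switchboard"]
EU_CONTEXT = ["data subject", "controller", "processor", "consent", "germany", "france", "italy", "spain"]

WINDOW = 40                 # characters inspected on each side of a match (assumed)
CONFIDENCE_THRESHOLD = 0.7  # the page's default confidence_threshold


def classify_phone(text: str, threshold: float = CONFIDENCE_THRESHOLD) -> list[dict]:
    """Return one finding per phone number found in `text`.

    A number is a violation only when a personal indicator appears in the
    surrounding window and the resulting confidence reaches the threshold.
    Business indicators alone suppress it; no context leaves a bare number unflagged.
    """
    findings = []
    for match in PHONE_RE.finditer(text):
        window = text[max(0, match.start() - WINDOW): match.end() + WINDOW].lower()
        personal = [k for k in PERSONAL_INDICATORS if k in window]
        business = [k for k in BUSINESS_INDICATORS if k in window]
        eu_terms = [k for k in EU_CONTEXT if k in window]

        if personal:                       # personal indicator wins over business (assumed)
            context = "personal"
            confidence = 0.8 + (0.1 if eu_terms else 0.0)   # assumed scoring
        elif business:
            context = "business"
            confidence = 0.0
        else:
            context = "none"
            confidence = 0.0

        findings.append({
            "value": match.group(0),
            "context": context,
            "indicators": personal or business,
            "eu_context": eu_terms,
            "confidence": round(min(confidence, 1.0), 2),
            "violation": context == "personal" and confidence >= threshold,
        })
    return findings


def violations(lines: list[str]) -> list[dict]:
    """Scan several lines and keep only the findings that trigger a violation."""
    return [f for line in lines for f in classify_phone(line) if f["violation"]]


# Constructed sample input, not real data.
SAMPLE_LINES = [
    "Emergency contact (mobile): 555-123-4567, data subject consent on file",
    "Support desk: 555-987-6543 ext. 12, fax 555-987-6544",
    "Ref 555-000-1111 attached to ticket",
]

if __name__ == "__main__":
    for finding in violations(SAMPLE_LINES):
        print(finding)
```

Only the first line produces a violation: the two numbers on the support-desk line are suppressed by the business indicators, and the bare number on the third line has no context at all, matching the note above.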
Employee vs Customer Context
Employee data in HR systems may have reduced severity (legitimate interest):
```text
Finding: Email "employee@company.com"
Context: "HR records for performance review"
Result: Severity reduced from High → Medium (employee context)
```
Customer data maintains full severity.
Violation Metadata
Each GDPR violation includes:
```json
{
  "policy": "GDPR",
  "severity": "high",
  "data_category": "personal_data",
  "special_category": false,
  "gdpr_article": "5(1)(f)",
  "lawful_basis_required": true,
  "breach_notification_hours": 72
}
```
Compliance Reporting
Query Personal Data Exposures
```sql
-- All GDPR violations requiring attention
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'GDPR'
ORDER BY severity DESC, timestamp DESC;
```
Special Category Data (Article 9)
```sql
-- Special category data requiring elevated protection
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'GDPR'
  AND severity = 'critical';
```
Personal Data by Type
```sql
-- Personal data grouped by scanner type
SELECT scanner, COUNT(*) AS count
FROM aquilon_dlp_alerts
WHERE policy = 'GDPR'
GROUP BY scanner
ORDER BY count DESC;
```
Breach Notification Support
Under Article 33, breaches must be reported within 72 hours:
```sql
-- Recent critical findings (potential breach)
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'GDPR'
  AND severity = 'critical'
  AND timestamp > datetime('now', '-72 hours');
```
Data Subject Rights
Aquilon DLP findings support data subject rights:
Article 15 - Right of Access
Locate all personal data for a data subject:
```sql
-- Find all data for a specific identifier
SELECT path, scanner, JSON_EXTRACT(context, '$.snippet') AS snippet
FROM aquilon_dlp_alerts
WHERE JSON_EXTRACT(context, '$.snippet') LIKE '%email@example.com%';
```
Article 17 - Right to Erasure
Verify deletion completeness:
```sql
-- Confirm no remaining data after erasure request
SELECT * FROM aquilon_dlp_alerts
WHERE JSON_EXTRACT(context, '$.snippet') LIKE '%data_subject_id%';
```
Article 20 - Right to Data Portability
Identify structured personal data:
```sql
-- Portable data formats
SELECT path, scanner
FROM aquilon_dlp_alerts
WHERE policy = 'GDPR'
  AND (path LIKE '%.json'
    OR path LIKE '%.csv'
    OR path LIKE '%.xml');
```
Best Practices
Monitoring Strategy
- Immediate alert: Special category data (Article 9)
- Daily review: High severity personal data
- Weekly audit: Medium severity findings, context accuracy
Data Mapping
Use findings to maintain data mapping:
- Identify: Where personal data is stored
- Classify: By data category and lawful basis
- Document: In Records of Processing Activities
- Review: Regularly for accuracy
Privacy by Design
Integrate findings into development:
```sql
-- Personal data in development environments
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'GDPR'
  AND (path LIKE '%/dev/%'
    OR path LIKE '%/test/%'
    OR path LIKE '%/staging/%');
```
Cross-Border Considerations
EU-Specific Context
The policy detects EU context to determine applicability:
- EU country names or codes
- EU-specific identifiers (IBAN, national IDs)
- EU languages
International Transfers
Monitor for personal data in locations outside EU:
```sql
-- Potential international transfers
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'GDPR'
  AND path LIKE '%/external/%';
```