GDPR: How to Achieve Compliance with Minimal Effort

  • GDPR

It has been 2 years since GDPR came into effect and it seems privacy and data protection have never been more important. During this period, many companies like British Airways, Marriott, Google, 1&1 Telecom GmbH were fined for data protection violations and suffered painful reputation and financial losses. They failed to apply the necessary technological measures to achieve GDPR compliance and protect personal data. What happened to them was a wake-up call that all organizations must be meticulous in fulfilling their obligation.

In helping you to do so, we have previously covered most GDPR best practices and security safeguards you need to implement, ranging from GDPR logging requirements,  consent management, accountability aspects and more. Below is a quick overview of the regulation’s main technological measures necessary together with an outline of how you can cover them in the most secure way possible – by using SentinelTrails, our secure audit trail solution.  You will note, that to make organizational life and reporting easier, we have also implemented a GDPR tool within the event logging software, ensuring easy integration in conjunction with GDPR fulfillment.

 

Mapping between GDPR and SentinelTrails

Key IssuesSource of Requrement RequrementSolution
Data Protection OfficerArt. 38 GDPR – Position of the data protection officer  The controller and processor shall support the data protection officer in performing the tasks (..) providing resources necessary to carry out those tasks and access to personal data and processing operations The sophisticated dashboard of SentinelTrails provides rich reporting and visualisation, which can illustrate: 
– User activity in terms of processing 
– All the processes across the organisations and systems
– Log aggregation that captures all business-related activities from all systems making fraud investigation easy 
Art. 39 GDPR – Tasks of the data protection officer – (…) to monitor compliance with this Regulation,– SentinelTrails supports creating and maintaining Record of Processing activities as per Art. 30 which is important for the DPO to be easy to access and verify with the activities themselves. Furthermore, SelninelTrails’ audit logs can be linked with a GDPR co-relation key to the record of processing activities so every action can be associated with the respective processing activity causing it.
 – (…) to provide advice where requested as regards the data protection impact assessment and monitor its performance– The DPO can easily monitor all GDPR-related business processes and activities using the SentinelTrails’ sophisticated dashboard and real-time reporting. The DPO can also receive automated custom reports in a certain period of time 
– (…) to cooperate with the supervisory authority;– The DPO can grant the supervisory authority with read-only access to all evidences of certain GDPR-related actions. This way the authority will be provided with legitimate digital evidences and at the same time the confidential data disclosed will be minimised reducing the risk of data compromising 
SecurityArt. 6 GDPR – Lawfulness of processing (…) the existence of appropriate safeguards, which may include encryption or pseudonymisation. SentinelTrails supports: 
– Flexible encryption configuration via UI
– Search in encrypted data
– Blockchain-protected encryption of every log data 
Art. 32 GDPR – Security of processing (…) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; Sentinel Trails can collect all modifications to data. Then periodic comparisons can be performed by utilizing our APIs to make sure that the data in the database is indeed what it is expected to be, and neither accidental, nor malicious modifications were performed. Your company will be able to prove to 3rd parties, e.g. auditors, that the integrity of your data is sound. And that’s cryptographically guaranteed, so you don’t have to take our word for it, you can check the hashes and proofs yourself.
(…) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.  
 SentinelTrails’ blockchain-protected, unmodifiable audit trail ensures that your data is tamper-evident and timestamped 
Records of Processing Activities Art. 5 GDPR – Principles relating to processing of personal data Personal data shall be: (…) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (…) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). SentinelTrails ensures that the personal data is being collected and processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, by keeping log of every single action related to this data, which can be co-related with actors, events, and data subjects across all systems 
Art. 30 GDPR – Records of processing activities Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibilitySentinelTrails has a dedicated “Records of Processing activities” module which form contains all the information required by GDPR and /or added as a guideline from local authorities templates.  Furthermore, the record of processing activities is related with the logs of the corresponding activities so they can be easily mapped and tracked down for auditing purposes.  The system supports creation of lists of third-party data processors and entities. 
Privacy by Design Art. 25 GDPR – Data protection by design and by default The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.SentinelTrails ensures full accountability of data by providing log aggregation captures all business-related activities across systems. These logs can be easily tracked down and checked for auditing purposes. SentinelTrails can also be used as a complementary solution to SIEMs, which don’t always capture audit logs needed for GDPR compliance. With SentinelTrails, every event can be used as evidence in legal proceedings due to the use of advanced and qualified electronic timestamps 
ProcessingArt. 29 GDPR – Processing under the authority of the controller or processorThe processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.As a processor (contractor) the company can grant access to external auditors /controllers to review all processing activities related to the controller’s data they process, along with evidences of their accurate processing. 
Storing consent Art. 6 GDPR – Lawfulness of processing– the data subject has given consent to the processing of his or her personal data (..)– SentinelTrails helps demonstrate that personal data has been accessed only by authorized personnel and hasn’t been tampered with which satisfies the integrity and confidentiality requirements of GDPR
– processing is necessary for the performance of a contract (..)– SentinelTrails allows storing of consent and request by data subjects in a secure way. It may not be enough to simply store a boolean column in the database – the date and time of the consent, the user’s IP address and other metadata may be needed. Additionally, as SentinelTrails signs entries with a trusted timestamp, they have additional legal strength according to the eIDAS regulation. The /api/log-gdpr API endpoints provide a way to log GDPR-specific events
– processing is necessary for compliance with a legal obligation (..) 
– processing is necessary in order to protect the vital interests of the data subject (..) 
– processing is necessary for the performance of a task carried out in the public interest (..) 
– processing is necessary for the purposes of the legitimate interests (..)  
Art. 7 GDPR – Conditions for consent – (…) the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.– SentinelTrails can track down consent and extract it from different systems, streaming all data from consents in one place 
– (…) the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.-Consent withdrawal can also be recorded and timestamped securely as a digital evidence by SentinelTrails 
– (…) The data subject shall have the right to withdraw his or her consent at any time. 
Art. 8 GDPR – Conditions applicable to child’s consent in relation to information society services – (…) the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.SentinelTrails ensures a timestamped evidence, providing information when and in which system the consent was given.
– (…) The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child 
 Art. 9 GDPR – Processing of special categories of personal data – (…) the data subject has given explicit consent to the processing of those personal data for one or more specified purposesAs data subjects should be asked explicitly for each special category of personal data, SentinelTrails can keep securely a digital evidence of every separate consent given. The Consents can also be searched by keywords so the dashboard of SentinelTrails provides the possibility to check all the consents given by a particular data subject, or to get reports on aggregated inforrmation about number of consents received, withdrawn, types of consents, etc
– (…)processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller
– (…) processing is necessary to protect the vital interests 
– (…) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation 
Art. 22 GDPR – Automated individual decision-making, including profiling The data subject shall have the right not to be subject to a decision based solely on automated processing (..) except it is based on the data subject’s explicit consent. SentinelTrails can also gather and store safely such kinds of consents. There is a reporting option allowing export of data related to consent, so such data subjects can easily be excluded by automated decision-making processes 
Art. 49 GDPR – Derogations for specific situations – (…) the data subject has explicitly consented to the proposed transferSentinelTrails keeps track on every business process vital for the organisation.  In cases where there are derogations of specific situations as per GDPR, Sentinel Trails allows quick finding of the searched data by searching in encrypted records through the logs 
– (…) the transfer is necessary for the performance of a contract between the data subject and the controller
– (…) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject 
– (…) the transfer is necessary for important reasons of public interest; 
– (…) the transfer is necessary for the establishment, exercise or defence of legal claims;
 -(…) the transfer is necessary in order to protect the vital interests of the data subject
-(…) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest 

Since GDPR came into force, we have helped many of our partners achieve compliance with no compromise. If you would like to learn how SentinelTrails can help you easily cover all GDPR logging and data protection requirements, relieve audit, reporting and forensics, just book a demo: