The 2020 Alarming Trends in GDPR Fines and How to Avoid Them

It’s been almost two years since the GDPR came into force. During this period, many large companies came under attack from hackers and suffered both reputational and financial losses.

Companies like British Airways, Marriott, and Google were in the spotlight because they failed to apply the technological measures necessary to protect personal data. This caused a major loss of public trust and substantial financial losses.

Top Reasons For Companies to be Fined: The Alarming Trends

According to Enforcementtracker.com, a website tracking the fines issued by data protection authorities across all EU countries, the most common reason for a company to be fined is “Insufficient technical and organizational measures to ensure information security”.

This means that most of the fined companies neglected their information security measures. The concerning aspect is that even big companies such as British Airways fail to ensure a high level of security for their passengers’ personal data, causing a significant drop in their assets.

Another core reason was “Insufficient legal basis for data processing”. In some cases this happens simply because the companies do not believe they would be fined; in others the legal basis is considered insufficient because, for instance, the consent was never recorded. To have sufficient digital evidence, companies should keep an immutable record of every consent given and withdrawn, so that it can be produced as evidence later.

Non-compliance with general data processing principles is the third most common reason for the authorities to fine a company under the GDPR. It is a broader category that can be addressed from different aspects of personal data processing. It also means that a considerable number of organizations still don’t apply some of the core principles of the GDPR.

How Can LogSentinel Help Your Company Achieve a Higher Level of Compliance?

LogSentinel’s information security solutions help companies achieve higher levels of regulatory compliance by protecting every single piece of data from insider and outsider breach attempts. Furthermore, our security solutions have built-in auditor modules, which makes them extremely useful for internal and external auditors, DPOs and compliance officers.

Insufficient technical and organizational measures to ensure information security

SentinelTrails, LogSentinel’s secure audit trail solution, ensures data integrity across all your systems, protecting every single log of evidence thanks to the blockchain technology it uses. SentinelTrails provides a centralized command center for your risk, compliance, or security teams, giving full observability across all systems and users and protecting against data tampering by insiders.
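The two properties described above, an immutable record of every consent given and withdrawn and a tamper-evident audit trail, both rest on the same mechanism: each record commits to the hash of the record before it, so any later edit breaks the chain. The following is an added illustration written for this article; it is not SentinelTrails code and makes no claim about how LogSentinel implements its chain. The `ConsentLog` class, its field names and the constructed sample events are all assumptions made here.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of the (non-existent) record before the first one.
GENESIS = "0" * 64


def _entry_hash(prev_hash, event):
    """Hash the previous record's hash together with a canonical JSON encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ConsentLog:
    """Append-only, hash-chained record of consent events (constructed example, not a product API)."""

    def __init__(self):
        self.entries = []

    def append(self, subject_id, purpose, action, ts=None):
        """Record that a data subject gave or withdrew consent for a processing purpose."""
        if action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = {"subject_id": subject_id, "purpose": purpose, "action": action, "ts": ts}
        entry = {
            "seq": len(self.entries),
            "event": event,
            "prev_hash": prev,
            "hash": _entry_hash(prev, event),
        }
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest record; publishing it externally anchors the whole chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Walk the chain; return (True, None) if intact, else (False, index of first bad record).

        If expected_head (a previously published head hash) is given, the chain must also end on it,
        which catches truncation of the most recent records.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["hash"] != _entry_hash(prev, e["event"]):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def current_consent(self, subject_id, purpose):
        """Replay the log to answer: does this subject currently consent to this purpose?"""
        state = False
        for e in self.entries:
            ev = e["event"]
            if ev["subject_id"] == subject_id and ev["purpose"] == purpose:
                state = ev["action"] == "given"
        return state


if __name__ == "__main__":
    # Constructed sample events, not real data.
    log = ConsentLog()
    log.append("subject-1001", "newsletter", "given", ts="2020-01-10T09:00:00+00:00")
    log.append("subject-1001", "analytics", "given", ts="2020-01-10T09:00:05+00:00")
    log.append("subject-1001", "newsletter", "withdrawn", ts="2020-02-01T12:00:00+00:00")
    print("intact:", log.verify())
    print("newsletter consent now:", log.current_consent("subject-1001", "newsletter"))
    # Someone quietly flips the withdrawal back to "given": the chain exposes it.
    log.entries[2]["event"]["action"] = "given"
    print("after tampering:", log.verify())
```

The replay in `current_consent` is what makes the record usable as evidence: the answer to "did this person consent at the time?" is derived from the chain rather than from a mutable flag, and `verify` with a published head hash detects both edits and silently dropped records.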

Furthermore, SentinelTrails’ AI-driven fraud and anomaly detection module sends immediate notifications when any unusual activity is detected: from trivial cases such as logins outside working hours, through too many failed login attempts, to sophisticated and hard-to-catch activity that deviates from a given user’s normal behaviour.
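The three cases listed above (off-hours logins, bursts of failed logins, and deviation from a user’s established pattern) are a good illustration of how such rules run over an audit trail. The code below is an added example written for this article, not SentinelTrails’ detection module: the log line format, the working-hours window, the failure threshold and the sample log lines are all constructed assumptions, and the “baseline” of previously seen login sources stands in for the per-user behavioural profile the text refers to.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> user=<name> src=<ip> result=SUCCESS|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

WORK_HOURS = range(8, 18)           # 08:00 to 17:59 counts as working hours (assumption)
FAIL_THRESHOLD = 5                  # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window raises a brute-force alert


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect(lines, baseline=None):
    """Run the three rules over log lines; return alerts as (rule, user, timestamp) tuples.

    baseline maps user -> set of login sources already known for that user. A successful
    login from a source not in the user's baseline is the "deviation from normal behaviour"
    case; the baseline is extended as the log is processed.
    """
    known_sources = defaultdict(set)
    for user, srcs in (baseline or {}).items():
        known_sources[user].update(srcs)
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failed logins
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skipped here; a real pipeline should count these too
        ts, user = ev["ts"], ev["user"]

        if ev["result"] == "FAIL":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the sliding window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("brute_force", user, ts.isoformat()))
                q.clear()                           # alert once per burst, not on every further failure
            continue

        # Successful login: check time of day and source against the user's baseline.
        if ts.hour not in WORK_HOURS:
            alerts.append(("off_hours", user, ts.isoformat()))
        if known_sources[user] and ev["src"] not in known_sources[user]:
            alerts.append(("new_source", user, ts.isoformat()))
        known_sources[user].add(ev["src"])

    return alerts


# Constructed sample log lines and baseline; not real data.
SAMPLE_LINES = [
    "2020-03-02T09:12:01 user=alice src=10.0.0.5 result=SUCCESS",
    "2020-03-02T10:00:01 user=bob src=10.0.0.9 result=FAIL",
    "2020-03-02T10:01:15 user=bob src=10.0.0.9 result=FAIL",
    "2020-03-02T10:02:30 user=bob src=10.0.0.9 result=FAIL",
    "2020-03-02T10:03:44 user=bob src=10.0.0.9 result=FAIL",
    "2020-03-02T10:04:50 user=bob src=10.0.0.9 result=FAIL",
    "2020-03-02T10:05:30 user=bob src=10.0.0.9 result=SUCCESS",
    "this line is not in the expected format",
    "2020-03-02T22:47:10 user=alice src=10.0.0.5 result=SUCCESS",
    "2020-03-03T14:00:00 user=alice src=203.0.113.7 result=SUCCESS",
]
SAMPLE_BASELINE = {"alice": {"10.0.0.5"}}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES, SAMPLE_BASELINE):
        print(alert)
```

Bob's first successful login raises no alert because he has no baseline yet; the rule only fires once a pattern exists to deviate from, which is the main difference between a fixed threshold rule and a per-user behavioural one.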

SentinelTrails gives you full control over all processes concerning personal data, providing a detailed overview of everything that happens within your systems in real-time. 

And while SentinelTrails keeps you updated on every anomalous activity in your systems, SentinelDB arms you with a bullet-proof database, guarding every single piece of data with advanced, per-record encryption. SentinelDB is a secure NoSQL database that uses AI and blockchain technology to deliver indisputable “Privacy-by-Design”. SentinelDB ensures that sensitive data cannot be compromised. SentinelDB integrates with the SentinelTrails secure audit trail to deliver the best quality of data storage.

GDPR: Applying Sufficient Technical and Organisational Measures to Ensure Information Security, Using LogSentinel's Solutions

GDPR Coverage / Solution: SentinelTrails, SentinelDB

Data Integrity
Logging Requirements
Records of Processing Activities
Data Deletion Records
Fraud and Anomaly Detection
Real-time incident notification sending
Digital Forensics
Advanced Encryption
User Access Monitoring
Data correlation between logs and activities
Evidence of Consent Given
Privacy by Design

Insufficient legal basis for data processing

To ensure a legal basis for every single instance of data processing, companies need very clear communication between their legal and compliance teams. Having too many processes and too many departments processing personal data increases the likelihood of poor supervision of the legal basis for each processing activity.

That’s why we at LogSentinel advise our clients to use the detailed processing activities reporting available in their account. A report that correlates logs with activities cuts the manual effort of your auditors: they can easily review every single process concerning personal data and how that data is used, and match each one with its legal basis. This information is highly valuable for the legal team as well, since it gives them a full overview of the processing activities and the corresponding legal basis.

GDPR: Ensuring Sufficient Legal Basis for Data Processing, Using LogSentinel

GDPR Coverage / Solution: SentinelTrails

Keeping a record of processing activities
Keeping digital evidence of every consent given
Cross-matching consent, real-time activities, processing details, and legal basis
Real-time reporting of processing activities
Scheduled reporting of processing activities
Auditors’ (read-only) access to processing activities

Non-compliance with general data processing principles

Article 5 of the GDPR sets out seven key principles that lie at the heart of the general data protection regime. It’s important to follow them; however, not having a centralized place where all data protection-related processes are recorded, aggregated and analyzed means a great deal of work for your compliance officers. We believe that the key to successful compliance with these principles lies in keeping evidence of every single GDPR-related action. We know how hard the job of a data protection officer is, and for this reason we prepared a list of activities that our solution automates in order to make them trackable.

GDPR: Achieving Compliance with General Data Processing Principles, Using LogSentinel

GDPR Principle / How LogSentinel helps you cover it

Lawfulness, fairness, and transparency: SentinelTrails enables you to export reports to your legal team, visualizing all the processing activities and mapping them to the actual processes within the organization. This helps your legal team provide more accurate advice to your company, reducing the risk of unlawful practices going unnoticed.

Purpose limitation: Every processing activity is recorded in SentinelTrails’ GDPR tool with its corresponding purpose. This way your auditing team spends less time on manual checks.

Data minimization: With the GDPR in force, revising the purposes for using personal data is becoming a routine procedure. With SentinelTrails, you prepare business analysis reports visualizing which teams use what type of data and, based on the reports, minimize the data used and required.

Storage limitation / Retention: With SentinelDB, you set up data deletion periods and ensure you do not store data longer than needed.

Integrity and confidentiality (security): SentinelTrails ensures full data integrity across all systems, thanks to the blockchain-protected, immutable audit trail.

Accountability: The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance. With SentinelTrails, you easily demonstrate the measures taken in terms of data protection by pulling a report with all the corresponding activities.

Conclusion

It’s been nearly 2 years since the GDPR came into force. Many big companies realized that simply having a DPO is not going to solve their problems with guarding personal data, because this should be a team activity involving all departments concerned. Otherwise, the job of the DPO/Compliance Officer will be an endless nightmare of manual checks and struggles to find evidence. We at LogSentinel believe we can take the stress out of that job by reducing the data breach risk and automating a lot of the manual work involved in data protection routines.

Talk to us today and see how LogSentinel helps companies achieve high information security and indisputable compliance.