It has been 2 years since GDPR came into effect, and privacy and data protection have never been more important. During this period, many companies, including British Airways, Marriott, Google and 1&1 Telecom GmbH, were fined for data protection violations and suffered painful reputational and financial losses. They had failed to apply the technological measures necessary to achieve GDPR compliance and protect personal data. What happened to them was a wake-up call: every organization must be meticulous in fulfilling its obligations.
To help you do so, we have previously covered most of the GDPR best practices and security safeguards you need to implement, ranging from GDPR logging requirements to consent management, accountability and more. Below is a quick overview of the regulation’s main technological requirements, together with an outline of how you can cover them in the most secure way possible – by using LogSentinel SIEM. Note that, to make organizational life and reporting easier, we have also implemented a GDPR tool within the event logging software, so that GDPR fulfilment integrates easily with your existing logging.
Mapping between GDPR and LogSentinel SIEM
Each entry below pairs the source of the requirement (the GDPR article and the relevant text) with the LogSentinel SIEM capability that covers it.
Data Protection Officer
Art. 38 GDPR – Position of the data protection officer
The controller and processor shall support the data protection officer in performing the tasks (…) providing resources necessary to carry out those tasks and access to personal data and processing operations.
The sophisticated dashboard of LogSentinel SIEM provides rich reporting and visualisation, which can illustrate:
– User activity in terms of processing
– All the processes across the organisation’s systems
– Log aggregation that captures all business-related activities from all systems, making fraud investigation easy
Furthermore, LogSentinel discovers anomalous insider behaviour and measures the risk of every actor, based on rules and machine learning. This helps the data protection officer gain a better understanding of every employee’s behaviour and take preventive measures in time.
Art. 39 GDPR – Tasks of the data protection officer
– (…) to monitor compliance with this Regulation;
– LogSentinel SIEM supports creating and maintaining the Record of Processing Activities required by Art. 30, which the DPO can easily access and verify against the activities themselves. Furthermore, LogSentinel SIEM’s audit logs can be linked, via a GDPR correlation key, to the record of processing activities, so every action can be associated with the processing activity that caused it.
– (…) to provide advice where requested as regards the data protection impact assessment and monitor its performance;
– The DPO can easily monitor all GDPR-related and security-related business processes and activities using LogSentinel SIEM’s sophisticated dashboard and real-time reporting. The DPO can also receive automated custom reports at a chosen interval.
– (…) to cooperate with the supervisory authority;
– The DPO can grant the supervisory authority read-only access to all evidence of specific GDPR-related actions. This way the authority is provided with legitimate digital evidence while the confidential data disclosed is kept to a minimum, reducing the risk of data compromise.
Art. 6 GDPR – Lawfulness of processing
(…) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
LogSentinel SIEM supports:
– Flexible encryption configuration via the UI
– Search in encrypted data
– Blockchain-protected encryption of all log data
Art. 32 GDPR – Security of processing
(…) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
LogSentinel SIEM can collect all modifications to data. Periodic comparisons can then be performed through our APIs to make sure that the data in the database is indeed what it is expected to be, and that neither accidental nor malicious modifications were made. Your company will be able to prove to third parties, e.g. auditors, that the integrity of your data is sound. That is cryptographically guaranteed, so you don’t have to take our word for it: you can check the hashes and proofs yourself.
(…) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
LogSentinel SIEM supports risk scoring based on rules and machine learning. Your organisation can track the risk score of each employee and of the organisation as a whole, measuring its decrease over time, and thereby evaluate very accurately the effectiveness of the technical and organisational measures taken to date.
LogSentinel SIEM’s blockchain-protected, unmodifiable audit trail ensures that your data is tamper-evident and timestamped.
Art. 24 GDPR – Responsibility of the controller
(…) the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
LogSentinel SIEM can simplify security and compliance by:
– Threat detection – We leverage rule-based and machine-learning-based anomaly detection on multiple data sources to detect threats
– Behaviour analysis and risk scoring – LogSentinel SIEM analyses user behaviour and risk profiles to prevent insider threats, based on data accumulated from all integrated systems
– Threat intelligence – By connecting LogSentinel SIEM to important threat intelligence sources, your organization can easily detect threats against your infrastructure
– Advanced analytics – Your security team gets visualised reporting on any security threats detected
Records of Processing Activities
Art. 5 GDPR – Principles relating to processing of personal data
Personal data shall be: (…) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (…) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
LogSentinel SIEM helps ensure that personal data is collected and processed for specified, explicit and legitimate purposes, and not further processed in an incompatible manner, by keeping a log of every single activity related to this data, which can be correlated with actors, events and data subjects across all systems.
Art. 30 GDPR – Records of processing activities
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
LogSentinel SIEM has a dedicated “Records of Processing Activities” module whose form contains all the information required by GDPR and/or recommended by the templates of local authorities. Furthermore, each record of processing activities is linked to the logs of the corresponding activities, so they can be easily mapped and tracked down for auditing purposes. The system also supports creating lists of third-party data processors and entities.
Privacy by Design
Art. 25 GDPR – Data protection by design and by default
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
LogSentinel SIEM ensures full accountability of data by providing log aggregation that captures all business-related activities across systems. These logs can be easily tracked down and checked for auditing purposes. LogSentinel SIEM can also be used as a complementary solution to other SIEMs, which don’t always capture the audit logs needed for GDPR compliance. With LogSentinel SIEM, every event can be used as evidence in legal proceedings thanks to the use of advanced and qualified electronic timestamps.
LogSentinel SIEM monitors and blocks brute-force attacks against RDP and other protocols to ensure that no malicious actor can gain access to personal data.
Art. 29 GDPR – Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
As a processor (contractor), a company can grant external auditors or controllers access to review all processing activities related to the controller’s data it processes, along with evidence that the processing was carried out correctly.
Art. 6 GDPR – Lawfulness of processing
– the data subject has given consent to the processing of his or her personal data (…)
– LogSentinel SIEM helps demonstrate that personal data has been accessed only by authorized personnel and hasn’t been tampered with, which satisfies the integrity and confidentiality requirements of GDPR
– processing is necessary for the performance of a contract (…)
– LogSentinel SIEM allows consent and data-subject requests to be stored securely. It may not be enough to simply store a boolean column in the database – the date and time of the consent, the user’s IP address and other metadata may be needed. Additionally, because LogSentinel SIEM signs entries with a trusted timestamp, they carry additional legal weight under the eIDAS regulation. The /api/log-gdpr API endpoints provide a way to log GDPR-specific events
– processing is necessary for compliance with a legal obligation (…)
– processing is necessary in order to protect the vital interests of the data subject (…)
– processing is necessary for the performance of a task carried out in the public interest (…)
– Every single action associated with data processing can be easily located and correlated with the public interest for which it was performed
– processing is necessary for the purposes of the legitimate interests (…)
– Every single action associated with data processing can be easily located and correlated with the legitimate interest for which it was performed
Art. 7 GDPR – Conditions for consent
– (…) the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
– LogSentinel SIEM can track down consent and extract it from different systems, streaming all consent data into one place
– (…) the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
– (…) The data subject shall have the right to withdraw his or her consent at any time.
– Consent withdrawal can also be recorded and timestamped securely as digital evidence by LogSentinel SIEM
Art. 8 GDPR – Conditions applicable to child’s consent in relation to information society services
– (…) the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
– (…) The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
LogSentinel SIEM provides timestamped evidence of when, and in which system, the consent was given.
Art. 9 GDPR – Processing of special categories of personal data
– (…) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
– (…) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller
– (…) processing is necessary to protect the vital interests
– (…) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation
As data subjects must be asked explicitly for each special category of personal data, LogSentinel SIEM can securely keep digital evidence of every separate consent given. Consents can also be searched by keyword, so the LogSentinel SIEM dashboard makes it possible to check all the consents given by a particular data subject, or to get aggregated reports on the number of consents received and withdrawn, the types of consent, etc.
Art. 22 GDPR – Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing (…) unless it is based on the data subject’s explicit consent.
LogSentinel SIEM can also gather and safely store consents of this kind. A reporting option allows consent-related data to be exported, so that data subjects who have not consented can easily be excluded from automated decision-making processes.
Art. 49 GDPR – Derogations for specific situations
– (…) the data subject has explicitly consented to the proposed transfer
– (…) the transfer is necessary for the performance of a contract between the data subject and the controller
– (…) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject
– (…) the transfer is necessary for important reasons of public interest;
– (…) the transfer is necessary for the establishment, exercise or defence of legal claims;
– (…) the transfer is necessary in order to protect the vital interests of the data subject
– (…) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest
LogSentinel SIEM keeps track of every business process vital to the organisation. Where one of these derogations applies, LogSentinel SIEM allows the relevant records to be found quickly by searching the encrypted records in the logs.
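The Art. 32 entry above says the integrity of the audit trail can be checked by recomputing hashes and proofs, and the Art. 6 and Art. 7 entries say a consent record needs more than a boolean column. The following is an added example, not LogSentinel code and not the format of its /api/log-gdpr endpoints: a minimal hash-chained consent log in Python with the periodic verification routine an auditor or DPO would run. All field names, identifiers and sample values are constructed for the illustration; a production system would additionally have a trusted timestamping authority sign each entry.

```python
"""Added example (not LogSentinel code): hash-chained consent log with integrity check."""
import hashlib
import json

GENESIS = "0" * 64  # constructed predecessor hash for the first entry


def entry_hash(body: dict) -> str:
    """Hash the entry as canonical JSON (sorted keys) so a third party can recompute it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_consent(log: list, subject_id: str, purpose: str, action: str, ip: str, ts: str) -> dict:
    """Record consent given/withdrawn with the metadata the page lists (date/time, IP)
    and a link to the previous entry's hash, making silent edits detectable."""
    entry = {
        "seq": len(log),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
        "subject_id": subject_id,     # constructed pseudonymous id, not raw personal data
        "purpose": purpose,           # the specified purpose the consent covers
        "action": action,             # "consent_given" or "consent_withdrawn"
        "ip": ip,
        "timestamp": ts,              # RFC 3339 UTC; a TSA signature would go alongside it
    }
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Periodic comparison: recompute every hash and link. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev_hash"] != prev or entry_hash(body) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def current_consent(log: list, subject_id: str, purpose: str) -> bool:
    """Latest consent state for one subject and purpose (e.g. for an Art. 22 export)."""
    state = False
    for e in log:
        if e["subject_id"] == subject_id and e["purpose"] == purpose:
            state = e["action"] == "consent_given"
    return state


def demo() -> tuple:
    """Constructed scenario: consent given, then withdrawn; a later edit flips it back."""
    log = []
    append_consent(log, "subj-42", "marketing-email", "consent_given", "203.0.113.7", "2020-05-01T10:00:00Z")
    append_consent(log, "subj-42", "marketing-email", "consent_withdrawn", "203.0.113.7", "2020-06-15T08:30:00Z")
    tampered = json.loads(json.dumps(log))
    tampered[1]["action"] = "consent_given"   # silent flip without recomputing the hash
    return verify_chain(tampered)             # -> (False, 1)
```

Recomputing the hash of a tampered entry does not help the attacker either: the next entry's prev_hash then no longer matches, so the break is still reported.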
Since GDPR came into force, we have helped many of our partners achieve compliance without compromise. If you would like to learn how LogSentinel SIEM can help you easily cover all GDPR logging and data protection requirements and ease audit, reporting and forensics, just book a demo.
Denitsa is a Digital Marketing Analyst at LogSentinel with a strong interest in the field of Information Security. She has 5 years of valuable experience in the field of Digital Marketing and Public Relations. Denitsa holds a degree in Journalism from Birmingham City University and has completed various Digital Marketing masterclasses and courses.