It’s been almost two years since GDPR came into force. During this period, many huge companies were under the hackers’ radar and they suffered from losing both reputation and financial assets.
Companies like British Airways, Marriott, and Google were in the spotlight because they failed to apply the technological measures necessary to protect personal data. This caused a major loss of public trust and huge figures in financial loss.
Top Reasons For Companies to be Fined: The Alarming Trends
According to Enforcementtracker.com – a website tracking fines that went into effect across all EU countries’ authorities, the top violation reason for a company to get fined is “Insufficient technical and organizational measures to ensure information security”.
This means that most of the companies neglected their information security measures. The concerning aspect is that big companies such as British Airways, fail to ensure high security of their passengers’ personal data, causing a significant drop in their assets.
Another core reason was Insufficient legal basis for data processing. And while in some cases this would be caused simply because the companies do not believe they would be fined, in others the legal basis would simply be considered insufficient, for instance, the consent could have never been recorded. To ensure sufficient digital evidence, companies should ensure they keep an immutable record of every consent given and withdrawn, as evidence for future references.
Non-compliance with general data processing principles is the third most usual reason for a company to be fined for not complying with GDPR by the authorities. It is more common and can be addressed with different aspects of personal data processing. This, however, means that a decent amount of organizations still don’t apply some of the core principles to GDPR.
How Can LogSentinel Help Your Company Achieve a Higher Level of Compliance?
LogSentinel’s information security solutions help companies achieve higher levels of regulatory compliance by protecting every single piece of data from insider and outsider breach attempts. Furthermore, our security solutions have built-in auditors modules so they become extremely useful for every internal, external auditor, DPO and compliance officer.
Insufficient technical and organizational measures to ensure information security
SentinelTrails, LogSentinel’s secure audit trail solution, ensures data integrity across all your systems, protecting every single log of evidence thanks to the advanced blockchain technology used. SentinelTrails provides a centralized command center to your risk, compliance, or security teams, giving full observability across all systems and users, ensuring total protection from data tampering from insiders.
Furthermore, SentinelTrails’ AI-driven fraud and anomaly detection module send immediate notifications when any unusual activity is being detected – from trivial cases such as suspicious logging in outside the working hours, through too many failed login attempts, to sophisticated and hard-to-catch suspicious activities related to a given user’s anomaly behavior.
SentinelTrails gives you full control over all processes concerning personal data, providing a detailed overview of everything that happens within your systems in real-time.
And while SentinelTrails keeps you updated on every anomaly activity that happens in your systems, SentinelDB arms you with a bullet-proof database, guarding every single piece of data with advanced, per-record encryption. SentinelDB is a secure, NoSQL database that uses AI and blockchain technology to deliver you undisputable “Privacy-by-Design”. SentinelDB ensures that sensitive data cannot be compromised by no means. SentinelDB supports SentinelTrails secure audit trail to deliver the best quality of data storage.
GDPR: Applying Sufficient Technical and Organisational Measures to Ensure Information Security, Using LogSentinel's Solutions
GDPR Coverage / Solution | Data Integrity | Records of Processing Activities | Data Deletion Records | Fraud and Anomaly Detection | Real-time incident notification sending | Digital Forensics | Advanced Encryption | User Access Monitoring | Data correlation between logs and activities | Evidence of Consent Given | Privacy by Design | |
SentinelTrails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
|
SentinelDB |
|
|
| ✓ |
|
|
| ✓ |
|
|
| ✓ |
Insufficient legal basis for data processing
In terms of ensuring the legal basis for data processing for every single instance, companies need to keep very clear communication between their legal and compliance teams. Having too many processes and too many departments processing personal data increases the likelihood of poor supervision on a legal basis for data processing.
That’s why we from LogSentinel advise our clients to use the detailed processing activities reporting available in their account. Having a report with data correlation between logs and activities will cut the manual efforts of your auditors. They can easily revise every single process concerning personal data, and how is this data being used, matching it with the legal basis for every one of them. This information would be highly valuable for the legal team as well, as this way they can easily get a full overview of the processing activities and the corresponding legal basis.
GDPR: Ensuring Sufficient Legal Basis for Data Processing, Using LogSentinel
GDPR Coverage / Solution | Keeping a record of processing activities | Keeping digital evidence of every consent given | Cross-matching consent, real-time activities, processing details, and legal basis | Real-time reporting of processing activities | Scheduled reporting of processing activities | Auditors’ (read-only) access to processing activities |
SentinelTrails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Non-compliance with general data processing principles
Article 5 of the GDPR sets out seven key principles that lie at the heart of the general data protection regime. It’s important to follow them, however, not having a centralized place where all data protection-related processes are being recorded, aggregated and analyzed would mean tons of work for your compliance officers. We believe that the key to successful compliance with these principles lays in keeping evidence of every single GDPR-related action. We know how hard the job of a data protection officer is, and for this reason, we prepared a list of activities that our solution automates in order to make their trackability possible.
GDPR: Achieving Compliance with General Data Processing Principles, Using LogSentinel
| GDPR Principle | How LogSentinel helps you cover it |
| Lawfulness, fairness, and transparency | SentinelTrails enables you to export reports to your legal team, visualizing all the processing activities, and mapping them with the actual processes within the organization. This helps your legal team to provide more accurate advice to your company, reducing the risks of leaving unlawful practices unnoticed |
| Purpose limitation | Every processing activity is recorded in SentinelTrails’ GDPR tool with its corresponding purpose. This way your auditing team spends less time in manual checks |
| Data minimization | With GDPR coming to force, revising purposes for using personal data is becoming a routine procedure. With SentinelTrails, you prepare business analysis reports, visualizing which teams use what type of data, and based on the reports, minimize the used and required |
| Storage limitation / Retention | With SentinelDB, you set up data deletion periods and ensure you do not store data more than needed |
| Integrity and confidentiality (security) | SentinelTrails ensure full data integrity across all systems, thanks to the blockchain-protected, immutable audit trail. |
| Accountability | The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance. With SentinelTrails, you easily demonstrate the measures taken in terms of data protection, by pulling a report with all corresponding activities regarding this matter. |
Conclusion
It’s been nearly 2 years since the GDPR came into force. Many big companies realized that simply having a DPO is not going to solve their problems with guarding personal data because this should be a team activity between all departments involved. Otherwise, the job of the DPO/Compliance Officer will be an endless nightmare, involving tons of manual checks, and struggles in finding evidence. We at LogSentinel believe that we can reduce the stressful job by reducing the data breach risk, and automating a lot of manual work concerning data protection routines.
Talk to us today and see how LogSentinel helps companies achieve high information security and undisputable compliance.
Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa supports her IT-related experience by applying her skills into her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and GDPR-related gaps.
