Written By Dr Al Hartmann And Presented By Charles Leaver
Robust enterprise cybersecurity necessarily involves monitoring network, endpoint, application, database, and user activity in order to prevent, detect, and respond to cyber threats that could breach the privacy of enterprise staff, partners, suppliers, or customers. In cyberspace, any blind spots in your view become free-fire zones for the legions of attackers seeking to do harm. But monitoring also captures event records that may include user "personal data" under the broad European Union GDPR interpretation of that term. Enterprise staff are "natural persons" and thus "data subjects" under the regulation. Prudently balancing security and privacy concerns across the enterprise can be challenging; let's discuss this.
The Mandate for Cybersecurity Monitoring
GDPR Chapter 4 governs controller and processor obligations under the regulation. While it does not explicitly mandate cybersecurity monitoring, that mandate can be inferred from its text:
- "… In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …" [Art. 33(1)]
- "… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …" [Art. 32(1)]
- "Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits." [Art. 58(1)]
It follows that to detect a breach one must monitor; that to confirm and scope a breach and give timely breach notification to the supervisory authority one must likewise monitor; that to implement appropriate technical measures one must monitor; and that to respond to a data protection audit one must have an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to protect its cyberspace and the personal data within it, and to demonstrate its compliance, it reasonably needs to monitor that space.
The Enterprise as Data Controller
Under the GDPR it is the controller that "determines the purposes and means of the processing of personal data." The enterprise decides the purposes and scope of monitoring, selects the tools for that monitoring, determines the probe, sensor, and agent deployments, selects the services or personnel that will access and review the monitored data, and decides the actions to be taken as a result. In short, the enterprise serves in the controller role. The processor supports the controller by providing processing services on its behalf.
The enterprise also employs the personnel whose personal data may be included in the event records captured by monitoring. Personal data is defined rather broadly under the GDPR and may include login names, system names, network addresses, file paths that include the user profile directory, or other incidental information that could reasonably be linked to "a natural person". Event data will often include these elements. An event data stream from a particular probe, sensor, or agent might then be linked to an individual and expose aspects of that person's work performance, policy compliance, or even elements of their private life (if enterprise devices or networks are improperly used for personal business). Although this is not the goal of cybersecurity monitoring, potential privacy or profiling concerns could be raised.
Achieving Transparency through Fair Processing Notices
As the enterprise employs the staff whose personal data may be captured in the cybersecurity monitoring dragnet, it has the opportunity, in employment contracts or in separate disclosures, to notify staff of the need for and purpose of cybersecurity monitoring and to obtain informed consent directly from the data subjects. While it might be argued that the lawful basis for cybersecurity monitoring does not necessarily require informed consent (per GDPR Art. 6(1)), but is instead a consequence of the level of data security the enterprise must maintain to otherwise comply with the law, it is far preferable to be open and transparent with staff. Employment contracts have long included provisions specifying that employees consent to having their workplace communications and devices monitored as a condition of employment. But the GDPR raises the bar considerably for the explicitness and clarity of such consents, described in Fair Processing Notices, which must be "freely given, specific, informed and unambiguous".
Fair Processing Notices must clearly set out the identity of the data controller, the types of data collected, the purpose and legal basis for the collection, the data subject's rights, and contact details for the data controller and for the supervisory authority having jurisdiction. The notice should be clear and easily understood, not buried in some lengthy legalistic employment agreement. While numerous sample notices can be found with a simple web search, they will require adaptation to fit a cybersecurity monitoring context, where data subject rights may conflict with forensic data retention requirements. For example, an insider attacker might demand erasure of all their activity data (to destroy evidence), which would turn privacy rules into a tool for the obstruction of justice. For further guidance, the widely used NIST Cybersecurity Framework addresses this balance in Sec. 3.6 ("Methodology to Protect Privacy and Civil Liberties").
Think Globally, Act Locally
Given the far-reaching jurisdictional scope of the GDPR, the severe penalties imposed on violators, the difficulty of separating EEA from non-EEA data subjects, and the likely spread of similar regulations internationally, the safe path is to apply strict privacy rules across the board, as Microsoft has done.
In contrast to global application stands local application, where the safe path is to keep cybersecurity monitoring infrastructure within geographic jurisdictions rather than contend with cross-border data transfers. Even remotely querying and viewing personal data may count as such a transfer, which argues for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional boundaries. Only in the final stages of cybersecurity analytics would identifying the natural person behind a data subject become appropriate, and then it would most likely be of actionable value only locally.
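The following is an added example, not code from the original post, showing the difference between the two approaches just described when applied to the kinds of event fields listed earlier (login names, system names, network addresses, and profile paths). It assumes a constructed key=value event layout and constructed sample records; the field names, regexes and secret key are all hypothetical. Pseudonymization replaces each identifying value with a keyed HMAC token and keeps the token-to-value map in the local jurisdiction, so remote analysts can still correlate events by user, host or address without seeing who is behind them, while anonymization redacts the same fields irreversibly and gives up that correlation.

```python
import hashlib
import hmac
import re

# Constructed sample endpoint event records in a hypothetical key=value layout.
SAMPLE_EVENTS = [
    "2024-03-01T10:15:02Z host=WS-0142 user=jdoe src=10.20.30.41 action=login path=C:\\Users\\jdoe\\Documents\\q1.xlsx",
    "2024-03-01T10:15:09Z host=WS-0142 user=jdoe src=10.20.30.41 action=file_read path=C:\\Users\\jdoe\\Downloads\\setup.exe",
    "2024-03-01T10:16:30Z host=WS-0207 user=asmith src=10.20.31.7 action=login path=/home/asmith/.ssh/config",
]

# Fields treated as personal data: login name, system name, network address,
# and the account name embedded in a user profile path (assumed layout).
USER_RE = re.compile(r"\buser=(\S+)")
HOST_RE = re.compile(r"\bhost=(\S+)")
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})")
PROFILE_RE = re.compile(r"(C:\\Users\\|/home/)([^\\/\s]+)")


class Pseudonymizer:
    """Replaces identifying fields with keyed tokens; the token->value map stays local."""

    def __init__(self, key: bytes):
        self.key = key
        self.lookup = {}  # token -> original value; must not leave the local jurisdiction

    def token(self, kind: str, value: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, a remote party
        # cannot rebuild a token from a guessed login name or IP address.
        mac = hmac.new(self.key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
        tok = f"{kind}_{mac[:16]}"
        self.lookup[tok] = value
        return tok

    def pseudonymize(self, line: str) -> str:
        line = USER_RE.sub(lambda m: "user=" + self.token("u", m.group(1)), line)
        line = HOST_RE.sub(lambda m: "host=" + self.token("h", m.group(1)), line)
        line = SRC_RE.sub(lambda m: "src=" + self.token("ip", m.group(1)), line)
        # Same kind "u" so the account name in the path maps to the same token as user=,
        # preserving the link between a login event and file activity in that profile.
        line = PROFILE_RE.sub(lambda m: m.group(1) + self.token("u", m.group(2)), line)
        return line

    def reidentify(self, tok: str):
        # Only the local controller holds this map; the final analytics step uses it.
        return self.lookup.get(tok)


def anonymize(line: str) -> str:
    """Irreversible redaction: no key, no lookup table, no cross-event correlation."""
    line = USER_RE.sub("user=[REDACTED]", line)
    line = HOST_RE.sub("host=[REDACTED]", line)
    line = SRC_RE.sub("src=[REDACTED]", line)
    line = PROFILE_RE.sub(r"\1[REDACTED]", line)
    return line


def pseudonymize_events(events, key: bytes):
    """Returns the tokenized lines plus the Pseudonymizer holding the local lookup map."""
    p = Pseudonymizer(key)
    return [p.pseudonymize(e) for e in events], p


def anonymize_events(events):
    return [anonymize(e) for e in events]


if __name__ == "__main__":
    tokenized, local = pseudonymize_events(SAMPLE_EVENTS, b"constructed-demo-key")
    print("pseudonymized (shareable across the boundary):")
    for line in tokenized:
        print(" ", line)
    print("anonymized (irreversible):")
    for line in anonymize_events(SAMPLE_EVENTS):
        print(" ", line)
```

The design choice worth noting is that the key, not the hashing, is what makes the tokens safe to ship across a boundary: an unkeyed hash of a short login name or an IPv4 address can be reversed by simply hashing every candidate value, whereas the HMAC key stays with the local controller alongside the lookup map. Changing the key (for example per jurisdiction or per retention period) yields unrelated token sets, which limits how far a single leaked map can be used to re-identify historical data.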