Written by Dr Al Hartmann and presented by Chuck Leaver
Robust enterprise cybersecurity naturally involves monitoring of network, endpoint, application, database, and user activity to prevent, detect, and respond to cyber threats that could breach the privacy of enterprise personnel, partners, suppliers, or customers. In cyberspace, any blind spots become free-fire zones for the legions of attackers seeking to do damage. But monitoring also captures event records that may contain user “personal data” under the broad European Union GDPR interpretation of that term. Enterprise personnel are “natural persons” and hence “data subjects” under the regulation. Wisely balancing security and privacy concerns across the enterprise can be difficult – let’s talk about this.
The Requirement for Cybersecurity Monitoring
GDPR Chapter 4 governs controller and processor roles under the regulation. While it does not explicitly mandate cybersecurity monitoring, that requirement can be inferred from its text:
- “… In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …” [Art. 33(1)]
- “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …” [Art. 32(1)]
- “Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits.” [Art. 58(1)]
One can reasonably conclude that to detect a breach one must monitor; that to validate and scope a breach and give prompt notice of it to the supervisory authority one must also monitor; that to implement suitable technical measures one must monitor; and that to respond to a data protection audit one ought to have an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to secure its cyberspace and the personal data within it, and to demonstrate its compliance, it reasonably has to monitor that space.
The Enterprise as Data Controller
Under the GDPR it is the controller that “determines the purposes and means of the processing of personal data.” The enterprise decides the purposes and scope of monitoring, chooses the tools for it, determines the probe, sensor, and agent deployments, selects the services or staff that will access and review the monitored data, and decides what actions to take as a result. In other words, the enterprise serves in the controller role. The processor supports the controller by providing processing services on its behalf.
The enterprise also employs the personnel whose personal data may appear in any event records captured by monitoring. Personal data is defined quite broadly under the GDPR and may include login names, system names, network addresses, file paths that contain the user profile directory, or any other incidental information that could reasonably be linked to “a natural person”. Event data will frequently include these elements. An event data stream from a particular probe, sensor, or agent could then be linked to a person and reveal aspects of that person’s work performance, policy compliance, or even aspects of their private life (if enterprise devices or networks are misused for personal business). Although this is not the goal of cybersecurity monitoring, potential privacy or profiling concerns could be raised.
Achieving Clarity through Fair Processing Notices
Since the enterprise employs the personnel whose personal data may be caught in the cybersecurity monitoring dragnet, it has the opportunity, in employment agreements or in separate disclosures, to inform staff of the need and purpose of cybersecurity monitoring and to obtain informed consent directly from the data subjects. It could be argued that the lawful basis for cybersecurity monitoring does not necessarily require informed consent (per GDPR Art. 6(1)), since monitoring is a consequence of the level of data security the enterprise must maintain to comply with the law in other respects; nevertheless, it is far preferable to be transparent and open with staff. Employment contracts have long contained provisions stating that employees consent to having their workplace communications and devices monitored as a condition of employment. But the GDPR raises the bar considerably for the specificity and clarity of such consents, set out in Fair Processing Notices, which must be “freely given, specific, informed and unambiguous”.
Fair Processing Notices must clearly set out the identity of the data controller, the types of data collected, the purpose and legal basis for the collection, the data subject’s rights, and contact details for the data controller and for the supervisory authority having jurisdiction. The notice must be clear and easily understood, not buried in a lengthy legalistic employment contract. While various sample notices can be found with a basic web search, they will need adaptation to fit a cybersecurity monitoring context, where data subject rights may conflict with forensic data retention requirements. For example, an insider attacker could demand the deletion of all their activity data (to destroy evidence), which would turn privacy regulation into a tool for obstructing justice. For further guidance, the widely adopted NIST Cybersecurity Framework addresses this balance in Sec. 3.6 (“Methodology to Protect Privacy and Civil Liberties”).
Think Globally, Act Locally
Given the far-reaching jurisdictional scope of the GDPR, the draconian penalties imposed on violators, the difficulty of separating EEA from non-EEA data subjects, and the likely spread of similar regulations worldwide, the safe course is to apply strict privacy rules across the board, as Microsoft has done.
In contrast to global application stands local implementation, where the safe path is to position cybersecurity monitoring infrastructure within each geographic locale rather than grapple with trans-border data transfers. Even remote querying or viewing of personal data may count as such a transfer, which argues for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional borders. Only in the final stages of cybersecurity analytics would identification of the natural person behind the data become relevant, and even then it is likely to be of actionable value only locally.
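As an added example (not the authors' code): a Python sketch of the pseudonymization and anonymization steps described above, applied to the kinds of event-record fields listed earlier (login name, system name, network address, file path containing the user profile directory). The field names, the sample event and the key are constructed assumptions; the path handling also covers Unix home directories, going slightly beyond the Windows case.

```python
import hashlib
import hmac
import re

# Constructed placeholder key. The real secret stays inside the local
# jurisdiction so that only tokens, never reversible values, cross the border.
LOCAL_SECRET = b"constructed-example-key-do-not-reuse"

# Event fields that can identify a natural person (assumed field names).
IDENTITY_FIELDS = ("user", "host", "src_ip", "dst_ip")
PATH_FIELDS = ("path",)

# Matches the user-profile component of Windows or Unix home paths.
PROFILE_DIR_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\|/home/|/Users/)(?P<user>[^\\/]+)(?P<rest>.*)$"
)

# Constructed sample event record, as a sensor might emit it.
SAMPLE_EVENT = {
    "ts": "2018-05-25T09:15:00Z",
    "event": "file_write",
    "user": "alice",
    "host": "WS-0042",
    "src_ip": "10.1.2.3",
    "path": r"C:\Users\alice\Documents\q2-forecast.xlsx",
}


def token(value: str, field: str, secret: bytes = LOCAL_SECRET) -> str:
    """Keyed pseudonym: same input gives the same token, so analysts can still
    correlate events, but the value cannot be recovered without the secret.
    The field name is mixed in so a user token never collides with a host token."""
    mac = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}-{mac[:12]}"


def pseudonymize(event: dict, secret: bytes = LOCAL_SECRET) -> dict:
    """Replace identifying fields with tokens; the user name inside a profile
    path gets the same token as the user field, preserving the link."""
    out = dict(event)
    for f in IDENTITY_FIELDS:
        if out.get(f):
            out[f] = token(str(out[f]), f, secret)
    for f in PATH_FIELDS:
        m = PROFILE_DIR_RE.match(str(out.get(f, "")))
        if m:
            out[f] = m["root"] + token(m["user"], "user", secret) + m["rest"]
    return out


def anonymize(event: dict) -> dict:
    """Redact identifying fields outright; no correlation is possible afterwards."""
    out = dict(event)
    for f in IDENTITY_FIELDS:
        if f in out:
            out[f] = "[REDACTED]"
    for f in PATH_FIELDS:
        m = PROFILE_DIR_RE.match(str(out.get(f, "")))
        if m:
            out[f] = m["root"] + "[REDACTED]" + m["rest"]
    return out
```

Pseudonymized records keep the user-to-file correlation that remote analytics needs, while re-identification requires the secret that never left the local jurisdiction.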