Written By Dr Al Hartmann And Presented By Charles Leaver
Robust enterprise cybersecurity naturally consists of monitoring network, endpoint, application, database, and user activity in order to prevent, detect, and respond to cyber threats that could breach the privacy of enterprise staff, partners, suppliers, or customers. In cyberspace, any blind spots become free-fire zones for the legions of hackers looking to do damage. But monitoring also captures event records that may contain user “personal data” under the broad European Union GDPR interpretation of that term. Enterprise personnel are “natural persons” and hence “data subjects” under the regulation. Prudently balancing security and privacy concerns across the enterprise can be difficult; let’s go over this.
The Mandate for Cybersecurity Monitoring
GDPR Chapter 4 governs controller and processor obligations under the regulation. While it does not explicitly mandate cybersecurity monitoring, that mandate can be inferred from its text:
- “… In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …” [Art. 33(1)]
- “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …” [Art. 32(1)]
- “Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits.” [Art. 58(1)]
One can reasonably conclude that to detect a breach one must monitor; that to verify and scope a breach and give timely breach notice to the supervisory authority one must monitor; that to implement appropriate technical measures one must monitor; and that to respond to a data protection audit one must have an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to protect its cyberspace and the personal data within it, and to demonstrate its compliance, it must monitor that space.
The Enterprise as Data Controller
Under the GDPR it is the controller that “determines the purposes and means of the processing of personal data.” The enterprise decides the purposes and scope of monitoring, selects the tools for that monitoring, determines the probe, sensor, and agent deployments, chooses the services or personnel that will access and analyze the monitored data, and decides what actions to take as a result. In other words, the enterprise serves in the controller role. The processor supports the controller by providing processing services on its behalf.
The enterprise also employs the staff whose personal data may be included in any event records captured by monitoring. Personal data is defined quite broadly under GDPR and may include login names, system names, network addresses, file paths that contain the user profile directory, or any other incidental information that could reasonably be linked to “a natural person”. Event data will frequently include these elements. An event data stream from a specific probe, sensor, or agent might then be linked to an individual, and expose aspects of that person’s work performance, policy compliance, or even aspects of their personal life (if enterprise devices or networks are improperly used for personal business). Although not the object of cybersecurity monitoring, potential privacy or profiling concerns may be raised.
Achieving Clarity through Fair Processing Notices
As the enterprise employs the staff whose personal data might be captured in the cybersecurity monitoring dragnet, it has the opportunity, in employment agreements or in separate disclosures, to inform staff of the need for and purpose of cybersecurity monitoring and to obtain informed consent directly from the data subjects. While it might be argued that the legal basis for cybersecurity monitoring does not necessarily require informed consent (per GDPR Art. 6(1)), but follows from the level of data security the enterprise must maintain to otherwise comply with the law, it is far preferable to be transparent and open with staff. Employment agreements have long included provisions specifying that employees consent to having their workplace communications and devices monitored as a condition of employment. However, the GDPR raises the bar substantially for the specificity and clarity of such consents, termed Fair Processing Notices, which must be “freely given, specific, informed and unambiguous”.
Fair Processing Notices must clearly set out the identity of the data controller, the types of data collected, the purpose and lawful basis for the collection, the data subject’s rights, and contact information for the data controller and for the supervisory authority having jurisdiction. The notice must be clear and easily understood, not buried in some lengthy legalistic employment contract. While numerous sample notices can be found with a simple web search, they will need adaptation to fit a cybersecurity monitoring context, where data subject rights may conflict with forensic data retention mandates. For example, an insider attacker might demand the deletion of all their activity data (to destroy evidence), which would turn privacy regulation into a tool for the obstruction of justice. For further guidance, the widely used NIST Cybersecurity Framework addresses this balance in Sec. 3.6 (“Methodology to Protect Privacy and Civil Liberties”).
Think Globally, Act Locally
Given the viral jurisdictional reach of the GDPR, the severe penalties imposed on violators, the difficult dynamics of separating EEA from non-EEA data subjects, and the likely spread of comparable regulation globally, the safe course is to apply strict privacy rules across the board, as Microsoft has done.
In contrast to global application stands local application, where the safe course is to place cybersecurity monitoring infrastructure within geographic regions rather than face cross-border data transfers. Even remote querying and viewing of personal data may count as such a transfer, which argues for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional borders. Only in the final stages of cybersecurity analytics would identifying the natural persons behind the data subjects become relevant, and then most likely only be of actionable value locally.
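The tokenizing and redacting described above, applied to the personal-data fields the article lists (login name, system name, network address, profile-directory path), as an added example that is not part of the original article. The event record, the field names and the HMAC key are constructed for illustration; keyed HMAC tokens keep events for one account correlatable by remote analysts while the key, and so the link to the natural person, stays in the originating jurisdiction.

```python
import hashlib
import hmac
import re

# Constructed sample event record (not from the article): the elements the
# article names as potential personal data in monitoring output.
SAMPLE_EVENT = {
    "ts": "2018-05-25T09:14:03Z",
    "user": "alice",
    "host": "WS-ALICE-01",
    "src_ip": "10.20.30.41",
    "path": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    "action": "process_start",
}

# Fields whose whole value is personal data, plus the user-profile directory
# segment of a path (Windows C:\Users\<name>\ or Unix /home/<name>/).
PERSONAL_FIELDS = ("user", "host", "src_ip")
PROFILE_DIR = re.compile(r"^(?P<prefix>[A-Za-z]:\\Users\\|/home/)(?P<name>[^\\/]+)")


def pseudonymize(event: dict, key: bytes, token_len: int = 12) -> dict:
    """Replace personal-data values with keyed HMAC-SHA256 tokens.

    The same value always maps to the same token under one key, so a remote
    analyst can still follow one account through the stream; without the key
    the token cannot be tied back to the person.
    """
    def tok(value: str) -> str:
        return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:token_len]

    out = dict(event)  # never mutate the source record
    for field in PERSONAL_FIELDS:
        if field in out:
            out[field] = tok(out[field])
    if "path" in out:
        # Same token as the "user" field, so path and login stay linkable.
        out["path"] = PROFILE_DIR.sub(lambda m: m.group("prefix") + tok(m.group("name")), out["path"])
    return out


def anonymize(event: dict) -> dict:
    """Irreversibly redact personal-data values; nothing can be re-identified."""
    out = dict(event)
    for field in PERSONAL_FIELDS:
        if field in out:
            out[field] = "[REDACTED]"
    if "path" in out:
        out["path"] = PROFILE_DIR.sub(lambda m: m.group("prefix") + "[REDACTED]", out["path"])
    return out
```

Run the redacted form across borders where correlation is not needed, and the tokenized form where remote analysts must still group events by account; only the key holder in the local jurisdiction can resolve a token to a person.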