Written By Dr Al Hartmann And Presented By Charles Leaver
Robust enterprise cybersecurity naturally involves monitoring of network, endpoint, application, database, and user activity to prevent, detect, and respond to cyber threats that could breach the privacy of enterprise staff, partners, suppliers, or customers. In cyberspace, any blind spots in your view become free-fire zones for the legions of adversaries seeking to do harm. But monitoring also captures event records that may include user "personal data" under the broad European Union GDPR interpretation of that term. Enterprise personnel are "natural persons" and hence "data subjects" under the regulation. Prudently balancing security and privacy concerns across the enterprise can be difficult; let's discuss.
The Requirement for Cybersecurity Monitoring
GDPR Chapter 4 governs controller and processor obligations under the regulation. While it does not explicitly mandate cybersecurity monitoring, that requirement can be inferred from its text:
- "... In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ..." [Art. 33(1)]
- "... the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk ..." [Art. 32(1)]
- "Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits." [Art. 58(1)]
It follows that to detect a breach one must monitor; that to verify and scope a breach and provide timely breach notification to the supervisory authority one must likewise monitor; that to implement appropriate technical measures one must monitor; and that to respond to a data protection audit one must have an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to protect its cyberspace and the personal data within it, and to demonstrate its compliance, it reasonably needs to monitor that space.
The Enterprise as Data Controller
Under the GDPR it is the controller that "determines the purposes and means of the processing of personal data." The enterprise decides the purposes and scope of monitoring, selects the tools for that monitoring, determines the probe, sensor, and agent deployments, selects the services or personnel that will access and analyze the monitored data, and decides the actions to be taken as a result. In short, the enterprise serves in the controller role. A processor supports the controller by providing processing services on its behalf.
The enterprise also employs the staff whose personal data may be included in the event records captured by monitoring. Personal data is defined quite broadly under GDPR and may include login names, system names, network addresses, file paths that include the user profile directory, or any other incidental information that could reasonably be linked to "a natural person". Event data will frequently include these elements. An event data stream from a specific probe, sensor, or agent could then be linked to an individual and reveal aspects of that person's work performance, policy compliance, or even aspects of their private life (if enterprise devices or networks are improperly used for personal business). Although this is not the aim of cybersecurity monitoring, potential privacy or profiling concerns could be raised.
Achieving Clarity via Fair Processing Notices
As the enterprise employs the staff whose personal data may be caught in the cybersecurity monitoring dragnet, it has the opportunity, in employment agreements or in separate disclosures, to inform personnel of the need and purpose of cybersecurity monitoring and to obtain informed consent directly from the data subjects. While it might be argued that the lawful basis for cybersecurity monitoring does not necessarily require informed consent (per GDPR Art. 6(1)), but rather follows from the level of data security the enterprise must maintain to otherwise comply with the law, it is far preferable to be open and transparent with personnel. Employment contracts have long contained provisions stating that employees consent to having their workplace communications and devices monitored as a condition of employment. But the GDPR raises the bar significantly for the specificity and clarity of such consents, termed Fair Processing Notices, which must be "freely given, specific, informed and unambiguous".
Fair Processing Notices should clearly set out the identity of the data controller, the types of data collected, the purpose and legal basis for this collection, the data subject rights, and contact information for the data controller and for the supervisory authority having jurisdiction. The notice must be clear and easily understood, not buried in some lengthy legalistic employment agreement. While various sample notices can be found with a simple web search, they will require adaptation to fit a cybersecurity monitoring context, where data subject rights may conflict with forensic data retention requirements. For example, an insider attacker may demand the deletion of all their activity data (to destroy evidence), which would turn privacy rules into a tool for the obstruction of justice. For further guidance, the widely used NIST Cybersecurity Framework addresses this balance in Sec. 3.6 ("Methodology to Protect Privacy and Civil Liberties").
Think Globally, Act Locally
With the viral jurisdictional reach of the GDPR, the steep penalties imposed on violators, the difficult dynamics of separating EEA from non-EEA data subjects, and the likely spread of comparable regulations worldwide, the safe path is to apply strict privacy rules across the board, as Microsoft has done.
In contrast to global application stands local application, where the safe path is to place cybersecurity monitoring infrastructure within each region rather than face trans-border data transfers. Even remotely querying and viewing personal data may count as such a transfer, and this argues for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional boundaries. Only in the final stages of cybersecurity analytics would identification of data subjects as natural persons become appropriate, and even then it would likely be of actionable value only locally.
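As an added example, not code from the original post, the pseudonymization and anonymization passes described above applied to constructed endpoint event records carrying the personal data fields listed earlier (login name, system name, network address, and a file path containing the user profile directory); the event schema, the HMAC key, and the locally held token vault are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample event records, shaped like what an endpoint agent might capture.
SAMPLE_EVENTS = [
    {"user": "jdoe", "host": "LAPTOP-JDOE", "src_ip": "10.20.30.41",
     "path": r"C:\Users\jdoe\Documents\budget.xlsx", "action": "file_read"},
    {"user": "jdoe", "host": "LAPTOP-JDOE", "src_ip": "10.20.30.41",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\x.tmp", "action": "file_write"},
]
# Assumed schema: personal data lives in these fields and in the profile directory of paths.
PERSONAL_FIELDS = ("user", "host", "src_ip")
PROFILE_DIR = re.compile(r"^(?P<root>[A-Za-z]:\\Users\\)(?P<name>[^\\]+)", re.IGNORECASE)
TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}")


def _token(value, key):
    # Keyed HMAC: the same subject always yields the same token, so cross-event correlation
    # survives abroad, but the value cannot be recovered without the key, which stays local.
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(event, key, vault):
    """Tokenize personal fields; the token->value vault is retained only in-jurisdiction."""
    def swap(value):
        tok = _token(value, key)
        vault[tok] = value
        return tok
    out = {f: swap(v) if f in PERSONAL_FIELDS else v for f, v in event.items()}
    m = PROFILE_DIR.match(out.get("path", ""))
    if m:
        out["path"] = m.group("root") + swap(m.group("name")) + out["path"][m.end():]
    return out


def anonymize(event):
    """Redact outright: nothing to re-identify, but no per-subject correlation either."""
    out = {f: "[REDACTED]" if f in PERSONAL_FIELDS else v for f, v in event.items()}
    if "path" in out:
        out["path"] = PROFILE_DIR.sub(lambda m: m.group("root") + "[REDACTED]", out["path"])
    return out


def reidentify(event, vault):
    """Final local analytics step: restore identities from the vault that never left the region."""
    out = {f: vault.get(v, v) if f in PERSONAL_FIELDS else v for f, v in event.items()}
    if "path" in out:
        out["path"] = TOKEN_RE.sub(lambda m: vault.get(m.group(0), m.group(0)), out["path"])
    return out
```

The pseudonymized records can be shipped to a remote analytics tier and still be correlated per subject, while the key and vault stay with the local team that performs the final identification step.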