Written By Dr Al Hartmann And Presented By Chuck Leaver
Robust enterprise cybersecurity naturally includes monitoring of network, endpoint, application, database, and user activity to prevent, detect, and respond to cyber threats that could breach the privacy of business staff, partners, suppliers, or customers. In cyberspace, any blind spots become free-fire zones for the legions of attackers looking to do harm. But monitoring also captures event records that may include user “personal data” under the broad European Union GDPR interpretation of that term. Business staff are “natural persons” and therefore “data subjects” under the regulation. Wisely balancing security and privacy concerns across the business can be difficult, so let’s talk about this.
The Requirement for Cyber Security Monitoring
GDPR Chapter 4 governs controller and processor obligations under the regulation. While it does not explicitly mandate cyber security monitoring, the need for it can be inferred from its text:
- “… In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …” [Art. 33(1)]
- “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …” [Art. 32(1)]
- “Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits.” [Art. 58(1)]
One can well argue that to detect a breach one must monitor; that to confirm and scope a breach and give timely breach notification to the supervisory authority one must monitor; that to implement appropriate technical measures one must monitor; and that to respond to a data protection audit one must have an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to secure its cyberspace and the personal data within it, and to verify its compliance, it must reasonably monitor that space.
The Enterprise as Controller of Data
Under the GDPR it is the controller that “determines the purposes and means of the processing of personal data.” The enterprise decides the purposes and scope of monitoring, selects the tools for it, determines the probe, sensor, and agent deployments, chooses the services or personnel that will access and analyze the monitored data, and decides what actions to take as a result. In short, the enterprise serves in the controller role. A processor supports the controller by providing processing services on its behalf.
The enterprise also employs the staff whose personal data may be included in the event records captured by monitoring. Personal data is defined quite broadly under the GDPR and may include login names, system names, network addresses, file paths that include the user profile directory, or any other incidental information that could reasonably be linked to “a natural person”. Event data will frequently include these elements. An event data stream from a particular probe, sensor, or agent could then be linked to a person and reveal aspects of that person’s work performance, policy compliance, and even aspects of their private life (if business devices or networks are improperly used for personal business). Although this is not the goal of cybersecurity monitoring, potential privacy or profiling concerns could be raised.
Achieving Transparency by means of Fair Processing Notices
Since the enterprise employs the staff whose personal data may be captured in the cyber security monitoring dragnet, it has the opportunity, in employment agreements or in separate disclosures, to inform staff of the need for and purpose of cyber security monitoring and to obtain informed consent directly from the data subjects. While it can be argued that the lawful basis for cybersecurity monitoring does not necessarily require informed consent (per GDPR Art. 6(1)), but follows from the level of data security the enterprise must maintain to otherwise comply with the law, it is far preferable to be open and transparent with staff. Employment agreements have long included provisions stating that employees consent to having their workplace communications and devices monitored as a condition of employment. But the GDPR raises the bar considerably for the specificity and clarity of such consents, called Fair Processing Notices, which must be “freely given, specific, informed and unambiguous”.
A Fair Processing Notice must clearly set out the identity of the data controller, the types of data collected, the purpose and lawful basis for the collection, the data subject’s rights, and contact information for the data controller and for the supervisory authority with jurisdiction. The notice must be clear and easily understood, not buried in some lengthy legalistic employment contract. While many sample notices can be found with a simple web search, they will need adaptation to fit a cyber security monitoring context, where data subject rights may conflict with forensic data retention requirements. For example, an insider adversary might demand deletion of all their activity data (to destroy evidence), which would turn privacy policy into a tool for the obstruction of justice. For further guidance, the widely adopted NIST Cybersecurity Framework addresses this balance in Sec. 3.6 (“Methodology to Protect Privacy and Civil Liberties”).
Think Globally, Act Locally
Given the viral jurisdictional reach of the GDPR, the draconian penalties imposed on violators, the difficult dynamics of separating EEA from non-EEA data subjects, and the likely spread of similar regulations internationally, the safe path is to apply strict privacy rules across the board, as Microsoft has done.
In contrast to global application stands local application, where the safe path is to place cybersecurity monitoring infrastructure within geographic locales, rather than wrestle with trans-border data transfers. Even remote querying and viewing of personal data may count as such a transfer and argue for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional borders. Only in the final stages of cyber security analytics would identification of data subjects as natural persons become relevant, and then most likely only be of actionable value locally.
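As an added illustration, not code from the original post or its authors, the Python below applies the two treatments named above to a few constructed endpoint event records carrying exactly the kinds of fields the earlier section lists as potential personal data: login name, system name, network address, and a file path containing the user profile directory. It also goes one step beyond the text by showing what each treatment does to per-user correlation, which is the property an analyst abroad would still need. The field names, the sample records, and the locally held key are all assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample event records (not real telemetry). They carry the kinds
# of fields the article names as potential personal data: login name, system
# name, network address, and a file path containing the user profile directory.
SAMPLE_EVENTS = [
    {"ts": "2018-05-25T08:00:01Z", "host": "LAPTOP-JDOE", "user": "jdoe",
     "src_ip": "10.1.2.33", "path": r"C:\Users\jdoe\Documents\report.docx",
     "action": "file_open"},
    {"ts": "2018-05-25T08:00:07Z", "host": "LAPTOP-JDOE", "user": "jdoe",
     "src_ip": "10.1.2.33", "path": r"C:\Users\jdoe\AppData\Local\Temp\x.tmp",
     "action": "file_write"},
    {"ts": "2018-05-25T08:01:00Z", "host": "SRV-FILE01", "user": "svc_backup",
     "src_ip": "10.1.2.5", "path": r"D:\shares\finance\q1.xlsx",
     "action": "file_read"},
]

# Fields treated as identifying a natural person (an assumption for the example).
IDENTIFYING_FIELDS = ("host", "user", "src_ip")

# Hypothetical secret that stays in the local jurisdiction with the local SOC:
# the pseudonymized stream may cross the border, the key must not.
LOCAL_KEY = b"constructed-example-key-do-not-reuse"


def _token(key, field, value):
    """Keyed hash: the same value in the same field always yields the same
    token, so analysts abroad can still correlate events per host or per
    account, but cannot recover the raw value without the key."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def pseudonymize(event, key=LOCAL_KEY):
    """Pseudonymization: replace identifying fields with keyed tokens.
    Reversible by the key holder, so the result is still personal data."""
    out = dict(event)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = _token(key, field, out[field])
    # The profile directory embeds the login name, so tokenize it inside the
    # path with the same token used for the user field.
    if "user" in event and "path" in out:
        out["path"] = out["path"].replace(event["user"],
                                          _token(key, "user", event["user"]))
    return out


def anonymize(event):
    """Anonymization: redact identifying fields outright. Nothing links the
    record back to a person, at the cost of losing per-user correlation."""
    out = dict(event)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = "[REDACTED]"
    if "user" in event and "path" in out:
        out["path"] = out["path"].replace(event["user"], "[REDACTED]")
    return out


def events_per_subject(events, transform):
    """Count events per transformed user value, to show which treatment
    preserves correlation and which deliberately destroys it."""
    counts = {}
    for event in events:
        subject = transform(event)["user"]
        counts[subject] = counts.get(subject, 0) + 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(pseudonymize(event))
        print(anonymize(event))
    print(events_per_subject(SAMPLE_EVENTS, pseudonymize))
    print(events_per_subject(SAMPLE_EVENTS, anonymize))
```

The keyed-hash token is what makes the pseudonymized stream useful to a remote analyst: two events from the same account still share a token, so detection logic that counts or sequences activity per user keeps working, while the raw login name, host name and address never leave the locale. Because the local key holder can map tokens back to people, the GDPR still treats pseudonymized records as personal data (Recital 26); only the redacted form breaks the link entirely, and it does so at the price of the correlation the detection logic needed.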