Chuck Leaver – Making Sense Of GDPR And Monitoring Cybersecurity

Written By Dr Al Hartmann And Presented By Chuck Leaver


Robust enterprise cybersecurity naturally includes monitoring of network, endpoint, application, database, and user activity to prevent, detect, and respond to cyber threats that could breach the privacy of employees, partners, suppliers, or customers. In cyberspace, any blind spot becomes a free-fire zone for the legions of attackers looking to do damage. But monitoring also captures event records that may contain user "personal data" under the broad European Union GDPR interpretation of that term. Enterprise staff are "natural persons" and therefore "data subjects" under the regulation. Sensibly balancing security and privacy concerns across the enterprise can be difficult; let's go over this.

The Mandate for Cybersecurity Monitoring

GDPR Chapter 4 governs the obligations of controllers and processors under the regulation. While it does not explicitly mandate cybersecurity monitoring, the requirement can be inferred from its text:

- "... In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ..." [Art. 33(1)]

- "... the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk ..." [Art. 32(1)]

- "Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits." [Art. 58(1)(b)]

One can reasonably infer that to detect a breach one must monitor; that to verify and scope a breach and notify the supervisory authority in time one must also monitor; that to implement appropriate technical measures one must monitor; and that to respond to a data protection audit one must have an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to protect its cyberspace and the personal data within it, and to demonstrate compliance, it reasonably needs to monitor that space.

The Enterprise as Data Controller

Under the GDPR it is the controller that "determines the purposes and means of the processing of personal data" [Art. 4(7)]. The enterprise chooses the purposes and scope of monitoring, selects the tools for it, determines the probe, sensor, and agent deployments, decides which services or personnel will access and analyze the monitored data, and decides what actions to take as a result. In short, the enterprise serves in the controller role. A processor, by contrast, processes personal data on the controller's behalf [Art. 4(8)], as a managed security service provider or hosted SIEM vendor would.

The enterprise also employs the staff whose personal data may appear in any event records captured by monitoring. Personal data is defined quite broadly under the GDPR and may include login names, system names, network addresses, file paths that include the user's profile directory, or other incidental information that could reasonably be linked to "a natural person". Event data will typically include these elements. An event data stream from a particular probe, sensor, or agent could then be linked to an individual and reveal aspects of that person's work performance, policy compliance, and even elements of their personal life (if company devices or networks are misused for personal business). Although this is not the object of cybersecurity monitoring, potential privacy or profiling concerns could be raised.

Achieving Transparency via Fair Processing Notices

Because the enterprise employs the staff whose personal data may be caught in the cybersecurity monitoring dragnet, it has the opportunity, in employment agreements or in separate disclosures, to inform staff of the need for and purpose of cybersecurity monitoring and to obtain informed consent directly from the data subjects. It can be argued that the legal basis for cybersecurity monitoring does not necessarily require informed consent (per GDPR Art. 6(1)), but follows from the level of data security the enterprise must maintain to otherwise comply with the law; Recital 49 expressly recognizes processing that is strictly necessary and proportionate for network and information security as a legitimate interest of the controller under Art. 6(1)(f). Even so, it is far preferable to be open and transparent with staff. Employment contracts have long included provisions stating that employees agree to monitoring of their workplace communications and devices as a condition of employment. But the GDPR raises the bar considerably: consent must be "freely given, specific, informed and unambiguous" [Art. 4(11)], and given the imbalance of power between employer and employee it is hard to show that consent to monitoring is freely given (Recital 43). The practical answer is a fair processing notice that states the actual legal basis relied upon rather than resting on consent alone.

A fair processing notice must clearly set out the identity of the data controller, the categories of data collected, the purpose and legal basis for the collection, the data subject's rights, and contact details for the data controller (and its data protection officer, where one is appointed) and for the supervisory authority with jurisdiction. The notice must be clear and easily understood, not buried in a lengthy legalistic employment contract. Various sample notices can be found with a simple web search, but they will need adaptation to the cybersecurity monitoring context, where data subject rights may conflict with forensic data retention requirements. For instance, an insider attacker could request erasure of all their activity data (to destroy evidence), which would turn privacy regulation into a tool for obstruction of justice. The regulation anticipates this: the right to erasure does not apply where processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims [Art. 17(3)(b), (e)], and the notice should say so. For further guidance, the widely used NIST Cybersecurity Framework addresses this balance in Sec. 3.6 ("Methodology to Protect Privacy and Civil Liberties").

Think Globally, Act Locally

Given the viral jurisdictional reach of the GDPR, the heavy penalties imposed on violators, the difficulty of separating EEA from non-EEA data subjects, and the likely spread of similar regulations worldwide, the safe course is to apply strict privacy policies across the board, as Microsoft has done.

In contrast to global policy application stands local implementation, where the safe path is to locate cybersecurity monitoring infrastructure in-region rather than wrestle with cross-border data transfers. Even remote querying and viewing of personal data may count as such a transfer, which argues for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional boundaries. Note that pseudonymized data remains personal data under the GDPR [Art. 4(5), Recital 26], because the token-to-identity mapping can re-identify the subject; only truly anonymized data falls outside the regulation, so the tokenization key and mapping must themselves stay in-region and access to them should be logged. Only in the final stages of cybersecurity analytics would natural-person identification of data subjects become appropriate, and then it would likely be of actionable value only locally.
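The following is an added example, not code from the original post or from any vendor's product, showing the two treatments described above applied to the kinds of event fields listed earlier (login name, host name, network addresses, file paths containing the user profile directory). Pseudonymization uses a keyed HMAC so that the same user or host yields the same token across events, preserving correlation for remote analysts, while the token-to-identity vault and the key stay in-region. Anonymization redacts the same fields irreversibly. The event schema, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Fields that, under the broad GDPR reading of "personal data", can be linked
# to a natural person. Assumption: this event schema is a constructed example.
IDENTIFYING_FIELDS = ("user", "host", "src_ip", "dst_ip")

# Locates the user profile directory in Windows, Linux and macOS paths so the
# user name embedded in a file path is treated like the user field itself.
PROFILE_DIR_RE = re.compile(
    r"(?P<prefix>(?:[A-Za-z]:\\Users\\|/home/|/Users/))(?P<user>[^\\/]+)"
)

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ts": "2018-05-25T09:14:03Z", "user": "jdoe", "host": "LAPTOP-0042",
     "src_ip": "10.1.2.3", "event": "process_start",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"ts": "2018-05-25T09:14:07Z", "user": "jdoe", "host": "LAPTOP-0042",
     "src_ip": "10.1.2.3", "dst_ip": "203.0.113.7", "event": "net_connect"},
    {"ts": "2018-05-25T09:15:11Z", "user": "asmith", "host": "srv-db-01",
     "src_ip": "10.1.2.9", "event": "login",
     "path": "/home/asmith/.ssh/authorized_keys"},
]


def make_token(field: str, value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym. The field name is mixed into the MAC so a
    string used as both a user name and a host name yields distinct tokens."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}:{mac[:16]}"


def pseudonymize_event(event: Dict[str, Any], key: bytes,
                       vault: Dict[str, str]) -> Dict[str, Any]:
    """Replace identifying fields with HMAC tokens. Same input -> same token, so
    analysts can still correlate events; the raw value is written only to
    `vault`, the in-region re-identification table."""
    out = dict(event)
    for field in IDENTIFYING_FIELDS:
        if out.get(field) is not None:
            raw = str(out[field])
            tok = make_token(field, raw, key)
            vault[tok] = raw
            out[field] = tok
    if isinstance(out.get("path"), str):
        def tokenize_profile(m: "re.Match[str]") -> str:
            tok = make_token("user", m.group("user"), key)  # same token as the user field
            vault[tok] = m.group("user")
            return m.group("prefix") + tok
        out["path"] = PROFILE_DIR_RE.sub(tokenize_profile, out["path"])
    return out


def anonymize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Irreversible variant: identifying fields are redacted outright, so the
    result is no longer personal data but also cannot be correlated per user."""
    out = dict(event)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = "[REDACTED]"
    if isinstance(out.get("path"), str):
        out["path"] = PROFILE_DIR_RE.sub(lambda m: m.group("prefix") + "[REDACTED]", out["path"])
    return out


def pseudonymize_stream(events: List[Dict[str, Any]],
                        key: bytes) -> Tuple[List[Dict[str, Any]], Dict[str, str]]:
    """Tokenize a batch; the first element may leave the region, the vault may not."""
    vault: Dict[str, str] = {}
    return [pseudonymize_event(e, key, vault) for e in events], vault


def reidentify(token: str, vault: Dict[str, str]) -> Optional[str]:
    """Final-stage lookup, performed in-region and itself an auditable event."""
    return vault.get(token)


if __name__ == "__main__":
    key = b"in-region-secret-rotated-periodically"  # assumption: held in an in-region KMS
    tokenized, vault = pseudonymize_stream(SAMPLE_EVENTS, key)
    print(json.dumps(tokenized, indent=2))
    print("vault entries:", len(vault))
    print(json.dumps([anonymize_event(e) for e in SAMPLE_EVENTS], indent=2))
```

Two design points follow from the discussion above. First, the tokenized stream is still personal data, because anyone holding `key` or `vault` can reverse it; that is why both stay in-region and why `reidentify` should be a logged action. Second, rotating the HMAC key breaks correlation across the rotation boundary, so the rotation interval should be chosen with the forensic retention period in mind.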