Chuck Leaver – Understanding GDPR And Cyber Security Monitoring

Written By Dr Al Hartmann And Presented By Chuck Leaver


Robust enterprise cybersecurity necessarily includes monitoring of network, endpoint, application, database, and user activity to prevent, detect, and respond to cyber threats that could breach the privacy of enterprise staff, partners, suppliers, or customers. In cyberspace, any blind spots in your view become free-fire zones for the legions of attackers seeking to do harm. But monitoring also captures event records that may contain user “personal data” under the broad European Union GDPR definition of that term. Enterprise staff are “natural persons” and therefore “data subjects” under the regulation. Sensibly balancing security and privacy concerns across the enterprise can be challenging, so let’s discuss it.

The Need for Cybersecurity Monitoring

GDPR Chapter 4 governs controller and processor obligations under the regulation. While it does not explicitly mandate cybersecurity monitoring, the requirement can be inferred from its text:

- “… In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …” [Art. 33(1)]

- “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …” [Art. 32(1)]

- “Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits.” [Art. 58(1)]

One may reasonably infer that to detect a breach one must monitor; that to confirm and scope a breach and deliver timely breach notification to the supervisory authority one must monitor; that to implement appropriate technical measures one must monitor; and that to respond to a data protection audit one needs an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to protect its cyberspace and the personal data within it, and to demonstrate its compliance, it must reasonably monitor that space.

The Enterprise as Data Controller

Under the GDPR, the controller is the party that “determines the purposes and means of the processing of personal data.” The enterprise decides the purposes and scope of monitoring, selects the tools for it, determines the probe, sensor, and agent deployments, chooses the services or staff that will access and review the monitored data, and decides what actions to take as a result. In short, the enterprise serves in the controller role. A processor supports the controller by carrying out processing on the controller’s behalf.

The enterprise also employs the personnel whose personal data may be contained in event records captured by monitoring. Personal data is defined quite broadly under the GDPR and may include login names, system names, network addresses, file paths that include the user profile directory, or any other incidental details that could reasonably be linked to “a natural person”. Event data will frequently contain such elements. The event stream from a particular probe, sensor, or agent could then be linked to an individual and reveal aspects of that person’s work performance, policy compliance, and even aspects of their private life (if enterprise devices or networks are improperly used for personal business). Although this is not the purpose of cybersecurity monitoring, potential privacy or profiling concerns may be raised.

Achieving Clarity through Fair Processing Notices

Because the enterprise employs the staff whose personal data may be caught in the cybersecurity monitoring dragnet, it has the opportunity, in employment contracts or in separate disclosures, to inform staff of the need for and purpose of cybersecurity monitoring and to obtain informed consent directly from the data subjects. While it can be argued that the legal basis for cybersecurity monitoring does not strictly require informed consent (per GDPR Art. 6(1)), because it follows from the level of data security the enterprise must maintain to otherwise comply with the law, it is far preferable to be open and transparent with staff. Employment agreements have long included provisions stating that employees consent to having their workplace communications and devices monitored as a condition of employment. However, the GDPR raises the bar considerably for the specificity and clarity of such consents, termed Fair Processing Notices, which must be “freely given, specific, informed and unambiguous”.

Fair Processing Notices must clearly set out the identity of the data controller, the kinds of data collected, the purpose and legal basis for that collection, the data subject’s rights, and contact information for the data controller and for the supervisory authority with jurisdiction. The notice must be clear and easily understood, not buried in a lengthy legalistic employment contract. While many sample notices can be found with a simple web search, they will need adjustment to fit a cybersecurity monitoring context, where data subject rights may conflict with forensic data retention requirements. For instance, an insider attacker might demand the deletion of all their activity data (to destroy evidence), which would turn privacy regulation into a tool for obstruction of justice. For further guidance, the widely used NIST Cybersecurity Framework addresses this balance in Sec. 3.6 (“Methodology to Protect Privacy and Civil Liberties”).

Think Globally, Act Locally

Given the far-reaching jurisdictional scope of the GDPR, the severe penalties imposed on violators, the difficulty of separating EEA from non-EEA data subjects, and the likely spread of comparable regulation worldwide, the safe course is to apply stringent privacy policies across the board, as Microsoft has done.

In contrast to global application stands local implementation, where the safe course is to place cybersecurity monitoring infrastructure in the geographical locales concerned rather than to wrestle with cross-border data transfers. Even remotely querying and viewing personal data may count as such a transfer, which argues for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional boundaries. Only in the final stages of cybersecurity analytics would identification of data subjects as natural persons become appropriate, and then it is most likely to be of actionable value only locally.
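The pseudonymization and anonymization of event records described here, applied to the kinds of identifiers listed under “The Enterprise as Data Controller” (login names, system names, network addresses, user-profile paths), as an added example that is not the article’s own code. The key, field names and event records are constructed for illustration; tokens are keyed so remote analysts can still correlate events, while re-identification needs the locally held key.

```python
import hashlib
import hmac
import re

# Assumed per-jurisdiction secret held only by the local controller (constructed demo value).
LOCAL_KEY = b"constructed-demo-key-replace-me"

# Constructed endpoint event records containing the identifier kinds the article lists.
SAMPLE_EVENTS = [
    "2018-05-25T09:14:02Z host=WS-042 user=jdoe src=10.1.4.23 "
    r"proc=C:\Users\jdoe\Downloads\setup.exe action=exec",
    "2018-05-25T09:14:05Z host=WS-042 user=jdoe dst=203.0.113.9 action=connect",
    "2018-05-25T09:20:11Z host=srv-db1 user=svc_backup path=/home/svc_backup/run.sh action=exec",
]

KV_FIELD = re.compile(r"\b(user|host)=(\S+)")                 # login and system names
PROFILE_DIR = re.compile(r"(?i)(C:\\Users\\|/home/)([^\\/\s]+)")  # user profile directory
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")               # network addresses


def tokenize(kind, value, key=LOCAL_KEY):
    """Keyed, deterministic token: same input gives the same token, so events still
    correlate, but without the key the original value cannot be recovered."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}_{mac[:12]}"


def pseudonymize(event, key=LOCAL_KEY):
    """Replace identifying fields with tokens; the same user in a user= field and in a
    profile path receives the same token."""
    event = KV_FIELD.sub(lambda m: f"{m.group(1)}={tokenize(m.group(1), m.group(2), key)}", event)
    event = PROFILE_DIR.sub(lambda m: m.group(1) + tokenize("user", m.group(2), key), event)
    return IPV4.sub(lambda m: tokenize("ip", m.group(0), key), event)


def anonymize(event):
    """Irreversible form: identifying fields are redacted rather than tokenized."""
    event = KV_FIELD.sub(r"\1=[REDACTED]", event)
    event = PROFILE_DIR.sub(r"\1[REDACTED]", event)
    return IPV4.sub("[REDACTED]", event)


def reidentify(token, kind, candidates, key=LOCAL_KEY):
    """Final-stage, local-only step: match a token against the local directory of known
    values (e.g. the enterprise user list). Returns None if no candidate matches."""
    for value in candidates:
        if hmac.compare_digest(tokenize(kind, value, key), token):
            return value
    return None
```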
