The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this article should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or situation. The information presented in this article may not reflect the most current legal developments. No action should be taken in reliance on the information contained in this article and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this article to the fullest extent permitted by law. Teramind would advise consultation with legal counsel or an attorney for advice and legal opinion on specific legal issues.
Since the GDPR took effect in May 2018, companies using or planning to use employee monitoring and data loss prevention software have had legitimate concerns about data privacy regulation and how it affects them. They ask questions such as: is employee monitoring software legal under GDPR? Or: GDPR has so many requirements (99 articles, to be exact), so how can I be sure I am not accidentally breaking the law by using data loss prevention software? We take these questions seriously.
Teramind has a large customer base in the European Union, and many of our non-EU customers also handle the data of individuals in the EU. Teramind itself has team members working from Germany, the UK, France and elsewhere. So we decided to write this short article, which will hopefully answer some of the critical questions you have about GDPR. We also want to be transparent about how user privacy rights are addressed in our key offerings, Teramind User Activity Monitoring (UAM) and Teramind Data Loss Prevention (DLP). Finally, we share some tips on how to configure Teramind products to support GDPR compliance.
In essence, user activity monitoring or data loss prevention under GDPR is not a technology battle; it is mostly a matter of data governance policy and business administration. Even if you choose not to use our UAM/DLP software, you will almost certainly collect personal data from other sources and be subject to GDPR's data protection provisions anyway. With Teramind, at least, you will know exactly what data is collected and have control over it.
No matter what path you choose, we recommend that you develop a GDPR policy framework that clearly documents the process and purpose of your data collection. It has to be strong enough to withstand legal scrutiny:
- Every processing activity needs one of the lawful bases listed in GDPR Article 6.
- For employee monitoring that basis is usually the employer's legitimate interests (Article 6(1)(f)), which means documenting why the business interest outweighs the employee's privacy interest, or a legal obligation. Employee consent is rarely a reliable basis on its own, because of the imbalance of power between employer and employee.
For example, if you want to monitor employee emails, your policy should clearly state why (e.g. as a data loss prevention measure for your R&D department), supported by an IT and Electronic Communications policy that describes how it is done. For instance, you can set up a policy stating that your UAM/DLP software analyses the recipients of emails, not their content. Check out our how-to tutorial, Configuring Teramind activity monitoring to accommodate data privacy requirements, for ideas like this.
Step 2 in your GDPR journey should be involving a majority (if not all) of your employees in the policy development and implementation process. In some countries you also need the agreement of the works council; in Germany, for example, the works council has a say in the introduction of technical systems capable of monitoring employee behaviour or performance.
One way to streamline this process is to arrange a demo of the user activity monitoring software (Teramind has an online simulation you can use, or you can get a free trial version to test it out) and show your employees what information will be collected and how.
Transparency is one of the cornerstones of GDPR. Steps 1 and 2 above will help you set up policies and procedures that cover part of the transparency requirements, but you also need to stay transparent during the implementation and running phase of your UAM/DLP adoption. Some examples:
- Use a Revealed Agent, which allows transparent, acknowledged monitoring of user activity. With it, a user can even choose when they are monitored.
- Give your employees access to their own monitoring dashboard so they can see what data is being collected about them.
- If you monitor on a schedule, communicate clearly when this is happening (for example with a prominent notification on the user's screen).
- In the event of a policy violation, explain what data is captured. For example, if you have a rule that blocks users from visiting adult sites, show a message describing what is captured (URL, cookies, user name, timestamp etc.) and why.
You can do all these and more with Teramind.
You can set up the monitoring system to ask for express consent before installing the monitoring agent, or whenever monitoring and recording takes place. Note, however, that such a prompt is a transparency measure, not a substitute for the lawful basis established in steps 1 and 2: supervisory authorities generally do not treat consent given by an employee to an employer as freely given, because of the imbalance of power in the employment relationship, so it cannot carry the processing on its own.
Discovering and classifying the personal data in your environment serves two purposes. First, it lets you build targeted security measures to prevent leaks of sensitive information. Second, it lets you filter private information out of what is captured, viewed or processed. Given the broad definition of personal data in GDPR (any information relating to an identified or identifiable natural person), you have to be as thorough as possible.
Fortunately, Teramind has built-in data discovery and classification features that make it easy to find and categorise hundreds of types of personally identifiable data, such as driver's licence numbers, NHS numbers, passport numbers, ICD-9 and ICD-10 codes, IP/MAC addresses and credit card numbers. Teramind can even identify hard-to-detect personal information such as English names and addresses and biometric data.
Once the data is classified, you can enforce rules to limit access, transfer and modification of personal data.
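To make the classification step concrete, here is an added example written for this article (it is not Teramind's own discovery engine, whose internals are not described here). It shows the two ingredients any such classifier needs: loose patterns that find candidate values, and validators that reject candidates failing their checksum, so that an arbitrary run of digits is not swept up and processed as personal data. The Luhn check for payment card numbers and the modulus-11 check digit for NHS numbers are the published algorithms; the category names, the sample ticket text and the masking format are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    kind: str    # category label, e.g. "card" or "nhs" (names chosen for this example)
    value: str   # the matched text exactly as it appears
    start: int   # offset of the match in the scanned text
    end: int


def luhn_valid(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812) used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def nhs_number_valid(digits: str) -> bool:
    """NHS number: 10 digits, the last being a modulus-11 check digit."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    if check == 10:             # no valid NHS number produces this remainder
        return False
    return check == int(digits[9])


def _digits(s: str) -> str:
    """Strip the spaces and hyphens people type between digit groups."""
    return re.sub(r"[ -]", "", s)


# Candidate patterns (deliberately loose) and the validator each must pass.
PATTERNS = {
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),            # 13-19 digits
    "nhs": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
VALIDATORS = {
    "card": lambda s: 13 <= len(_digits(s)) <= 19 and luhn_valid(_digits(s)),
    "nhs": lambda s: nhs_number_valid(_digits(s)),
    "email": lambda s: True,
    "ipv4": lambda s: all(0 <= int(o) <= 255 for o in s.split(".")),
}


def classify(text: str) -> List[Finding]:
    """Return validated, non-overlapping PII findings in offset order."""
    candidates = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if VALIDATORS[kind](m.group(0)):
                candidates.append(Finding(kind, m.group(0), m.start(), m.end()))
    # Where two patterns overlap, the longest match wins.
    candidates.sort(key=lambda f: (f.start, -(f.end - f.start)))
    findings, last_end = [], -1
    for f in candidates:
        if f.start >= last_end:
            findings.append(f)
            last_end = f.end
    return findings


def mask(text: str) -> str:
    """Replace each finding with a category tag so the record can be stored
    or displayed without the personal data itself."""
    out = text
    for f in sorted(classify(text), key=lambda f: f.start, reverse=True):
        out = out[: f.start] + f"[{f.kind.upper()}]" + out[f.end :]
    return out


# Constructed sample record: one valid card number, one with a bad Luhn digit,
# one valid NHS number and one ten-digit string that fails its check digit.
SAMPLE = (
    "Ticket 4821: customer alice@example.com paid with card 4111 1111 1111 1111; "
    "order ref 4111 1111 1111 1112; patient NHS number 943 476 5919 "
    "seen from 10.0.0.1; reference 1234567890"
)

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"{f.kind:5} {f.value!r} at {f.start}-{f.end}")
    print(mask(SAMPLE))
```

Run against the sample, the classifier reports the email address, the valid card number, the valid NHS number and the IP address, while the card number with the wrong check digit and the reference number that fails the NHS check are left untouched. That is the property to look for in any discovery engine: a pattern alone is a candidate, and only a candidate that passes validation should be recorded, because every false positive is personal data you are processing without a need for it.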
GDPR grants data subjects a set of rights (commonly counted as eight). Here are some examples of how you can uphold those rights for your employees and users in Teramind:
- Right of access – with Teramind you can export reports, logs and the screen recordings from a session when an employee requests them. Before handing them over, redact data about other people (colleagues, customers) that appears in the same recordings, since fulfilling one person's access request must not adversely affect the rights of others.
- Right of rectification – In Teramind, each user has a unique profile that can be updated or corrected for mistakes.
- Right to erasure (right to be forgotten) – captured data is stored in an encrypted database, and a user's records can be erased quickly on request. Make sure erasure also reaches any exports and backups you have taken of that data.
- Right to restrict processing – in Teramind you can create monitoring profiles for specific groups, departments or even individual employees. Using this feature you can, for example, create a dedicated monitoring profile for your EU employees with limited tracking and recording.
Prevention is better than cure, and that is especially true of your GDPR policy. Here are a few things you can do to reduce your business's exposure to unnecessary personal data:
- When in doubt, disable keystroke logging, or enable it only for your business applications.
- Enable auto redaction/masking of personal data on captured screenshots utilizing Teramind’s advanced OCR features or turn screen recording completely off.
- Disable audio recording unless you have a strong legitimate reason. A call centre may have one, but most other businesses will struggle to justify it under GDPR.
- Use the Policy and Rules editor to create rules that automatically suspend monitoring when a user engages in a private activity such as reading personal email or browsing the web in private mode.
- Configure Session Recording to stay inactive by default and record for only a few minutes around a rule violation.
- Use the built-in scheduler for random or throttled data sampling instead of continuous monitoring.
- Enable social media/IM monitoring only for corporate accounts and be explicit about it.
- Use anomaly rules with a threshold to avoid false positives, which would otherwise mean processing personal data without a legitimate need. For example, set an email scanning rule that triggers only if the attachment size exceeds 100 MB.
- Use productivity reports as guidance for a human reviewer, not as the sole input to automated performance decisions: Article 22 gives employees the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on them.
- Use the custom messaging features to alert users to anomalous or suspicious behaviour so they can take corrective action and cancel the operation.
Both Teramind UAM and Teramind DLP can be deployed in the cloud, in a private cloud or on-premise. Which deployment option is best for GDPR? It depends on your business requirements, budget and comfort level.
A cloud deployment may be beneficial if you are comfortable relying on the vendor for part of the compliance work; keep in mind that you remain the controller and the vendor acts as your processor, so you still need a data processing agreement that meets Article 28. Customers opting for Teramind on AWS additionally benefit from Amazon's infrastructure, which holds many compliance certifications and supports GDPR obligations. You can also choose a data centre located in the EU so the data stays within the EU and the rules on international transfers do not come into play. If you want complete control of the data, you can host it on your own servers with the Teramind On-Premise deployment option.
As you can see, Teramind is flexible enough to be configured to meet GDPR's data protection requirements while respecting user and employee privacy. Whatever your specific compliance requirements, Teramind can provide the control and peace of mind you need to become and remain GDPR compliant.