The General Data Protection Regulation (GDPR), which formally went into effect last May, strives to, among other things, hold companies accountable for protecting people’s data.
The law promises hefty fines for companies that can’t accomplish this task, and it’s rightly prioritizing personal privacy at a time when our digital environment is more expansive and extensive than ever before.
Now that the new mandates imposed by GDPR are in full effect, companies can’t afford the cascading costs and reputational damage associated with privacy violations.
Unfortunately, a company’s own employees and contractors often pose the most significant risk to data security, and organizations of all sizes are taking steps to secure their client data, which often means turning to some form of monitoring and oversight software. This would have been easier if that’s all you needed to do. You could then just prioritize customer privacy instead of employee privacy.
But, GDPR has taken away that option. Employee privacy is subject to the same protections as client and customer privacy under the GDPR. Companies simply can’t violate the privacy of one group to protect the information of another. Therefore, companies are tasked with walking a tightrope, simultaneously balancing their customers’ data security and their employees’ privacy.
This doesn’t have to be so difficult.
Like other similar laws (HIPAA, PCI etc.), GDPR is heavily process oriented. That’s why you hear directives like – “Controllers of personal data must put in place appropriate technical and organisational measures to implement the data protection principles.” The good news is, you can automate many of those technical requirements such as: PII discovery, collection of consents, data anonymization, purging (right to be forgotten) etc. with today’s security and Data Loss Prevention (DLP) solutions. And if you have implemented compliance standards like HIPAA, PCI, ISO, it should be easier to implement GDPR.
Another reason GDPR being process oriented is good is because we can utilize well established tools such as PDCA to make the compliance task easier (If you aren’t familiar with PDCA, here’s a quick read). Especially, the organisational measures because PDCA is a process management framework. What makes it very useful in implementing GDPR is its iterative nature. It’s very unlikely that you will be able to implement GDPR in one go – you will need to adjust your plan, reassess and refine. PDCA’s continuous optimization nature will help you with that.
In PDCA, plan is establishing the goals and processes required to deliver the desired results. In our case, the goal is to ensure the security of both employee and customer data. We may also want to protect other sensitive data like company confidential IPs and prevent insider threats like sabotage, thefts, accidental security breaches etc. We want to do all that staying within the bounds of the GDPR.
In order to do that, first we need to understand what the main privacy principles are and then establish our goals for security and monitoring so that we can ensure the principles are upheld.
Understand the Principles:
There are 7 GDPR principles related to processing of personal data. You can read the details about them here. In short these are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
- Accountability (special clause)
Understanding these principles will help you decide what you can or cannot target with your workplace monitoring/DLP goals. For example, if you decide to use a stealth agent to monitor your employee activities it might conflict with the fairness and transparency principle – unless, you have exceptional situations, i.e. suspected criminal activity, serious malpractice, risk of health and safety etc. However, these might require solid justifications. Knowing the principles will help you define your monitoring purpose or convince you to consider alternate options. For example, as an alternative to a stealth agent, you can achieve most of the monitoring goals with a visible/revealed agent without putting yourself in a legally dubious position while also using a preventative measure rather than a punitive weapon.
Define Purpose and Verify Conformity:
The next step in your GDPR planning process will be to identify all the goals/purposes you have for using an employee monitoring/UBEA/DLP solution and see if any of those conflicts with the principles. Here are a few examples of purposes that sound similar but can significantly affect the principles. For example:
|Monitoring Purpose||Principle Check|
|I want to monitor employee productivity.||This might directly affect principles 2 and 3 above and in most cases are lawful/legitimate interests under article 1. However, make sure you do not use such productivity reports solely to take decisions about performance at work.|
|I want to track employee times so that I can evaluate their work performance.||This is a NO. Monitoring of entrance and exit times cannot be used for performance evaluation unless there’s another legitimate interest (i.e. payroll).|
|I want to monitor employee emails to ensure customer complaints are addressed in time.||This might be a legitimate purpose, but you should limit it to your corporate emails only. You can use advanced features (i.e. OCR to detect only certain keywords, limit domain, limit capturing of attachments etc.) in the software to limit exposure of privacy data.|
|I want to monitor employee website usage to prevent malware infection.||
While this may pass the litmus test, your first preference should be to restrict access rather than monitoring behavior for such purpose. So, consider using IP filtering or other methods to limit employee web browsing to dangerous site.
Another option might be to use a Web Isolation tool to separate your corporate web traffic from personal traffic. Some software also lets you dynamically suspend monitoring when certain site/content is detected or when the user goes into private/incognito mode.
Once you have determined your purposes that are GDPR compliant, it’s time to execute the policy. You can use technology to your advantage. However, as we’ve discussed before, GDPR is a complex law. There’s no single solution that can help you achieve all its requirements. Nor can technology alone cut it. So, your best bet would be to find a solution that meets most of the requirements taking into consideration your purposes, ease of use and budget.
Select the Right Tool:
Below are some options you can consider for achieving most of your goals/purposes outlined in the Planning stage. To get the best value for your money, you should evaluate how the technology addresses your employee and customer privacy, productivity, data protection and cybersecurity requirements. Unless, of course, you just want a compliance tool. In that case, manual processing of the privacy data or a dedicated GDPR/GRC solution should work for you.
|Manual/Semi-Manual Approach||Dedicated GDPR/GRC Solutions||Employee Monitoring / UEBA||Endpoint DLP|
|If you are a small company and do not process a lot of personal data, then you can probably get away with some templates and freely available tools such as, pre-built compliance checklists, DPIA tools (some are available as Excel spreadsheets) etc. For breach notifications you can use free tools such as the one offered by ENISA. This is the least expensive option sans your time.||Many of the Governance, risk management, and compliance (GRC) software has GDPR modules that can help you with centralizing privacy data, demonstrate other compliances and conduct breach notifications. These can be expensive and very specialized. They also cannot help you with your other goals like productivity, insider threat prevention etc.||Some of the latest software in this category will let you configure their monitoring settings to comply with GDPR requirements and still achieve their monitoring and productivity goals. However, many of these focus on user behavior and activity and less on ‘content’. So, their GDPR functionalities might be somewhat limited.||A DLP is purpose built to protect data. A modern DLP comes with auto-discovery of PII and allows you to create policies and rules to protect the data at rest or in transit. Some of them such as, Teramind DLP comes with productivity features built in. So, you get the benefits of an employee monitoring solution but at the same time get more done for your GDPR implementation.|
Configure the Software to Maximize Effectiveness:
No matter which tool or software you choose, to get the best out of it, you need to set it up properly and tweak it for your specific use case. Modern employee monitoring/UEBA/DLP software are designed for such flexibility. These solutions allow you to effectively monitor the use of confidential information and boost productivity while safeguarding employee and customer privacy. This is accomplished in a number of ways:
Create Monitoring Profiles:
The first rule of thumb for any privacy friendly monitoring is to limit the scope and subject(s) of the tracking. For example, you can create a separate monitoring profile for your EU employees/customers and adjust what data you capture for them vs. the rest of your employees or customers. Or say, enable Social Media monitoring for your Marketing department but disable it for other departments.
Utilize Selective Monitoring:
Software like Teramind are quite powerful and let you monitor and track virtually everything. However, that doesn’t necessarily mean you have to. Monitor the objects you need and turn off or limit other options. For example, if you don’t need keystrokes logging you can turn it completely off.
Implement Access Control:
Limit employee access on a need-to-know basis. This way, for example, while an IT administrator can access your HR/CRM database for maintenance purposes, they should not be able to view any unprotected employee or customer data while performing such duties.
Setup Dynamic Controls:
A modern monitoring software will let you control things at the application level. Some will even let you change the data capture dynamically based on user behavior or certain other conditions. Using this feature, you can, for example, set up the system to suspend monitoring automatically when it detects a password field on a webpage.
Record Only When Needed:
Some of these software such as, Teramind allow you to record user sessions. In their default stage, they might be recording 24/7. However, they allow you to configure the recording to take place only during certain incident (i.e. rule violation), or on a schedule basis. Use those features/configurations to limit the capture and storage of personal data and still get the forensic benefits this feature provides.
There are many other options you can configure to conform with GDPR requirements and still use the software to detect insider threats, prevent data loss and increase the productivity of your workforce.
In PDCA’s Check phase, you gather data and results from the Do stage and then compare it with the Plan’s original goals. Similar to a gap analysis/risk analysis, this is where you check if the policy you implemented conforms with the principles of Privacy by Design and Privacy by Default, as well as verify that your monitoring and tracking is proportionate to the purposes for which the data was captured and processed.
A Privacy Impact Assessment (PIA) tool can be used to conduct and document such checks. In some cases, it might even be mandatory to do a PIA. In the UK, the Information Commissioner’s Office recommends that companies conduct a Private Impact Assessment. Meanwhile, across Europe, GDPR Article 35 requires companies to complete a data privacy cost/benefit analysis before proceeding.
Whether required or not, it’s beneficial to conduct a PIA especially when you have a large number of EU employees or customers. According to a presentation at the International Association of Privacy Professionals Congress, PIAs have the following benefits:
- Provides an early warning system, a way to detect privacy problems, build safeguards before, not after, heavy investment – fix privacy problems now, not later
- Avoids costly or embarrassing privacy mistakes
- Provides evidence that an organization attempted to prevent privacy risks (reduce liability, negative publicity, damage to reputation)
- Enhances informed decision-making
- Helps the organization gain the public’s trust and confidence
- Demonstrates to employees, contractors, customers, citizens that the organization takes privacy seriously
For this check to work properly, you should be running your GDPR implementation for a while. If you are implementing GDPR for the first time, you can try doing a pilot or keep it limited to a small number of users. Then conduct the check on those group before rolling it out for the entire organization.
Also called ‘Adjust’, this is the step where you improve your GDPR process from the insight gained through your Do and Check phase. You need to review all you have done so far including your process and software implementation – ideally, as a pilot.
A big part of this process is consultation. It’s important for employers to understand the technology they have chosen for monitoring and to be able to explain to the workers, their unions and other representatives.
Many software solutions have built-in reports and risk analysis scenarios you can use to your advantage while collecting any feedback and during the consultation discussion. For example, in Teramind DLP, there’s a Risk Analysis report that shows at risk policies and rules and the vulnerability context (i.e. in which applications the PII data is accessed most). Using this report, you can see which of your GDPR rules are violated often. From there, you can decide if the rules need to be adjusted. For example, maybe the rule parameters are too wide, the risk thresholds too high/low or you are capturing too much data or may be your employees need more training.
Some of the employee monitoring/UBEA/DLP software also have the tools to conduct employee training (i.e. remote sessions) and can provide on-time feedback with custom messages to employees before their own privacy or customer privacy is violated. For example, by setting up a rule to prevent uploading of files containing PII data, you can prevent many cases of data leaks and potential customer privacy violations. At this stage, you can also share with employees what data you are collecting about them and give them a way to exercise their right for erasure or opt-out if they don’t agree with the process.
Completing this phase will enable you to roll out your GDPR implementation across the organization with a better chance of success. However, be prepared to explain:
- If you are using employee monitoring for productivity purpose, why this cannot be accomplished by means other than automated monitoring.
- If, however, monitoring is intended to protect company data, employee and customer information or other confidential data, you should be prepared to demonstrate why the use of automated DLP technology is less intrusive than having human intervention.
Undoubtedly, companies face a tremendous burden to balance the regulatory standards of GDPR requiring the privacy rights of both their employees and customers while weighing the demands of productivity and security. That challenge will only become more prescient with time. However, with a rigorous process and strategic use of the right tools, conforming with GDPR or other compliance regulations shouldn’t be an issue.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this article should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or situation. The information presented in this article may not reflect the most current legal developments. No action should be taken in reliance on the information contained in this article and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this article to the fullest extent permitted by law. Teramind would advise consultation with legal counsel or an attorney for advice and legal opinion on specific legal issues.