Thanks to the GDPR, organizations worldwide are focusing on the personal information they collect, process and store.
Since the GDPR protects the PII of all EU residents, organizations need to think not only about their customers and prospects, but also about their employees and partners. In fact, companies often store more personal information about the people working for them than about their customers: names, identification numbers, medical records, credit card numbers, home addresses, phone numbers and so on.
How could security and data collection solutions collide with the GDPR?
But such details are not the only PII that companies typically collect about employees and contractors. The GDPR defines personal data much more broadly, as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Under this definition, a lot of the data your security tools handle probably qualifies as "personal data". For example, data protection, security information and event management (SIEM), user behavior analytics (UBA) and data-centric audit and protection (DCAP) solutions collect and process information about each person's access times, their actions in specific systems and possibly even their fingerprints. All of this information relates to an identifiable natural person, and in practice most of it is needed to achieve the goals the solutions were bought for, such as detecting abnormal behavior that could indicate an attack and ensuring individual accountability.
Moreover, data discovery solutions make it extremely easy to extract a specific person's personal information from the files in your environment. This too is by design, because they must be able to support the rights of data subjects.
Does this mean I can no longer use my data discovery and security solutions?
Does this mean that you must obtain consent from every user on the network, and exclude from monitoring anyone who does not consent? And how does the privacy-by-design principle square with data discovery solutions that let employees see a person's PII with just a few clicks? Do you need to discontinue your security monitoring and data discovery solutions entirely?
According to Article 6 of the GDPR, obtaining consent is only one of six grounds that make the processing of personal data lawful. Another ground is that processing is necessary "for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." (emphasis in original)
Network and information security are recognized as legitimate interests for processing and storing personal information under this ground, as Recital 49 of the GDPR states:
"The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned."
Therefore, the consent of internal network users is not required to process their personal data, and you do not violate the principle of privacy by design by using your security monitoring and data discovery solutions for security purposes.
What else can I do to make sure my processes comply with the GDPR?
According to Article 30 of the GDPR, organizations must carefully document their processing activities. This documentation should include the purpose of the processing, the categories of data subjects and personal data processed, and the categories of recipients to whom the data is disclosed. If you already have detailed security policies that describe your monitoring activities, you can check them against the requirements of the regulation and fill any gaps. If you do not have well-documented policies, you should start working on them immediately.
When documenting the reasons for your security monitoring and data discovery activities, consider the consequences of not performing them. If you cannot reduce cyber threats to the GDPR-regulated data collected, processed and stored on your servers, how can you guarantee the security of that data as the regulation requires? How can you uphold the rights of data subjects if you cannot discover all of the PII in your environment? Also keep in mind that the solutions you use for these tasks often include additional features that help reduce the risk of your discovered and classified data being exposed to unauthorized persons.
Any other advice to ensure compliance?
Remember that the GDPR requires you to take appropriate measures, so make use of features such as the following:
• Pseudonymization: This is one of the measures explicitly highlighted in the regulation. It means processing personal data so that it can no longer be attributed to a specific person. This feature is more applicable to security monitoring solutions than to data discovery tools. For example, some SIEMs can pseudonymize personal information in log files.
• Role-based access control (RBAC): With RBAC, you can restrict access to audit trails and ensure that only authorized people can view personal information in the log files. Many solutions provide this functionality, and some also allow limiting the amount of data visible to a particular person.
• Self-auditing: Monitor user activity within your security monitoring and data discovery solutions themselves. That way you can verify the confidentiality and integrity of the personal information they hold. If your solutions do not offer self-auditing, you should at least audit activity on the machines where they are installed. You can also use video recording of screen activity on these machines to get more context for that activity.
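To illustrate the pseudonymization point above, here is an added example (written for this article, not code from any SIEM product) that replaces usernames and IPv4 addresses in constructed SSH log lines with keyed HMAC tokens. The HMAC key is an assumed placeholder that would live in a secret store; because the tokens are deterministic, a failed-login count per user still works on the pseudonymized data, so abnormal behavior can be detected without the analyst seeing real names.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample SSH log lines (invented for this example, not real data).
SAMPLE_LOGS = [
    "Mar 01 08:02:11 host sshd[1021]: Accepted publickey for alice from 10.0.5.17 port 50122",
    "Mar 01 08:02:40 host sshd[1033]: Failed password for bob from 198.51.100.23 port 40111",
    "Mar 01 08:02:44 host sshd[1033]: Failed password for bob from 198.51.100.23 port 40111",
    "Mar 01 08:02:49 host sshd[1033]: Failed password for bob from 198.51.100.23 port 40111",
    "Mar 01 08:03:02 host sshd[1041]: Accepted password for carol from 10.0.5.9 port 50130",
]

USER_RE = re.compile(r"\bfor (\w+) from\b")          # username in sshd messages
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # dotted-quad IPv4 address
FAILED_RE = re.compile(r"Failed password for (\S+)")


def pseudonym(value: str, key: bytes, prefix: str) -> str:
    """Keyed, deterministic pseudonym: same input and same key give the same token.
    Without the key the token cannot be mapped back to the original value."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:12]}"


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace the username and any IPv4 address in one log line with pseudonyms."""
    line = USER_RE.sub(lambda m: f"for {pseudonym(m.group(1), key, 'usr')} from", line)
    return IPV4_RE.sub(lambda m: pseudonym(m.group(0), key, "ip"), line)


def failed_logins_by_user(lines, key: bytes, threshold: int = 3) -> dict:
    """Count failed logins per pseudonymous user and return those at or above
    the threshold. Detection works on tokens; no real name is needed."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(pseudonymize_line(line, key))
        if m:
            counts[m.group(1)] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    KEY = b"example-only-key-keep-real-key-in-a-secret-store"  # assumed placeholder
    for entry in SAMPLE_LOGS:
        print(pseudonymize_line(entry, KEY))
    print("suspicious:", failed_logins_by_user(SAMPLE_LOGS, KEY))
```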
To summarize, the key steps to ensure that your GDPR security monitoring and data discovery processes are compliant are:
• Carefully document your audit policies. Give a reasoned justification for performing security monitoring and data discovery; describe the types of personal information involved in these processes; and detail who gets access to the security monitoring and data discovery solutions.
• Use pseudonymization wherever possible.
• Use RBAC to grant access to the security monitoring and data discovery solutions only to those who need it.
• Where possible, audit access to these solutions and changes made to them.
These simple steps not only make it easier to comply with the GDPR, they also help mitigate the risks to the sensitive data you process and improve your overall security posture.