GDPR requires organizations to implement policies and procedures with respect to collection, treatment and management of data, a plan to detect a data breach, regularly evaluate the effectiveness of security practices, and document evidence of compliance. With 99 Articles (GDPR statues) and 173 Recitals, GDPR effectively mandates organizations to implement best practices for privacy and data security.

Teramind for GDPR helps organizations conform with ongoing compliance requirements with highly configurable and flexible activity monitoring, data exfiltration protection, audit, reporting and forensics capabilities.

GDPR Articles vs. GDPR Recitals

  • GDPR Articles are the actual binding requirements that you must fulfill in order to be considered compliant.
  • GDPR Recitals provide details and context to some of the Articles.

You need both to understand the scope, obligations and intentions of the GDPR.

 

In this article series, we will show you how to utilize Teramind’s privacy and security features to conform with some key GDPR Articles. In the first part, we will cover GDPR Article 5, Article 9 and Article 25 as examples. In the second part we will cover Article 30 – 34 and Article 38.

Which data to protect?

Unlike laws and standards like HIPAA and PCI DSS, GDPR requires you to protect both employee and customer data. This creates a unique problem. For example, say you are a bank and you have been using a DLP solution. The solution uses employee activity monitoring to prevent insider threats or data exfiltration incidents. While this makes sense, with GDPR you can’t protect one group (customers) while ignoring the privacy of another group (employees).

With Teramind, you don’t have to choose between the two. In our examples, we will show you how to implement data processing requirements of an Article for both your employees and customers.

GDPR Article 5: Principles relating to the processing of personal data

GDPR Article 5 has 7 principles relating to the processing of personal data. Here are the key concepts of the principles:

    • Data processing with lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality
    • Accountability

Here’s how you can use Teramind for processing employee and customer data to comply with the principles:

Processing employee data

To maximize lawfulness, fairness and transparency:

Teramind Revealed agent can be useful in this case. It has all the functionality of the Stealth Agent but lets the users decide when they are to be monitored.

You can also request a custom agent that has certain monitoring features turned off. You can learn more about the Teramind Agent and its available versions here.

For purpose limitation:

Your first preference would be to adjust the monitoring settings to capture only the system objects you need to monitor. Teramind lets you monitor 12+ system objects. However, that doesn’t mean you have to monitor all of them. For example, if you don’t need it for a legitimate reason, turn off the Audio recording. You can also further adjust each object’s settings to dynamically suspend monitoring when personal activity is detected. For example, employee visiting their bank’s website or opening personal email account. You can access monitoring settings under: Settings > Monitoring Settings > [Monitoring Profile].

For data minimization:

You can do the following:

  • Scheduled monitoring is available under each object’s settings. For example, Settings > Monitoring Settings > Default Profile > Websites.
  • Record only during a rule violation, available under a rule’s Action tab.
  • Rules also support active schedules found under the rule’s General tab.
  • Auto delete history feature is available under Settings > Monitoring Settings > [Monitoring Profile] > Screen.

For storage limitation:

The above also applies for storage limitation. Additionally, you can disable or limit offline recording to prevent local storage of data. This feature is available under Monitoring Settings > [Monitoring Profile] > Offline Recording.

To demonstrate integrity and confidentiality:

Take advantage of the immutable logs available in Teramind to keep track of admin activities related to employee data. You can ensure the integrity of the data by restricting admin access to employee data. This feature can be found under the CONFIGURE > Access Control menu.

For accountability:

Each user and admin are uniquely identified on Teramind by multiple ways (i.e. username/hardware id/IP/computer) – so accountability is ensured by design (another GDPR principle, check Article 25 below). You can also setup a terminal server to handle just the EU employees and assign a dedicated admin/HR resource to handle their data to further clarify accountability.

 

Processing customer data

In a typical DLP scenario, you need to have protection mechanism at least in three areas to protect your customer/third-party data:

  • Ingress: the applications where data is being collected. Such as, incoming email, chat conversation with a prospect on social media, registration forms on a website etc. Usually, any GDPR Consent should be collected at this stage.
  • Egress: where data is going outside your protection zone. i.e. outgoing email, file uploads, copying data on external/USB drives etc.
  • Transform: how your employees are handling the data internally. i.e. storing customer information in your marketing/sales campaigns, processing invoices.

In Teramind, protection on all of these areas are primarily achieved through the utilization of the Policy & Rules Engine. Here are some best practices to follow when you are starting out:

Use built-in rule templates:

Teramind comes with hundreds of built-in rule templates for File Operations, Emails, Applications, Web etc. Pick one that closely matches your requirements and then adjust the rule parameters to fine-tune it.

To access a built-in rule template, select CHOOSE A TEMPLATE field from a rule’s General tab when creating a new rule.

Experiment with included sample policies and rules:

Teramind comes with several prepackaged policies and rules built with real-life scenarios. We have even built some GDPR specific rules you can start using right-away.

Learn to create your own rules:

When you are comfortable creating your own rules, the UI provides you with a wizard like interface where you pick your choices, add simple conditions and use natural language to build complex rules in no time. It’s very intuitive and requires almost no training. You can also visit Teramind’s YouTube channel for examples on creating rules. Here’s one tutorial that shows how to create rules to prevent data loss.

 

GDPR Article 9: Processing of special categories of personal data

Article 9 lays out requirements for special categories of personal data. For example, genetic data, biometric data, racial, political, sexual orientation data or data concerning health etc.

To implement support for these data categories, first we will show you how you can use data classification in Teramind and then discuss how to apply that feature to protect your employee and customer data.

Utilizing built-in data classification:

Use the built-in classifications for special data such as DNA profiles, disease and drug names, and more. Most of this can be found under the Predefined Classified Data on a rule’s Content tab. Note that you will need to be using a content sharing rule category for this feature. You can change the rule category from the rule’s General tab.

Creating your own custom data types:

Custom data types can be detected using content definitions like simple keywords, regular expressions or shared list.

You can create custom data types when using either Data content or the Clipboard/File Origin content types. This can be done under a rule’s Content tab. For doing a list lookup, create a Shared List from the CONFIGURE menu first.

Processing employee data

Protecting employees from themselves:

By utilizing the content rules and data classification methods you can create rules to warn the employees when they are sharing their own personal information, for example, when sending out an email that contains their personal information.

Protecting you from accidental processing of privacy data:

You can also use the monitoring settings to automatically blackout recording of any web/app window where such contents are detected.

 

Processing customer data

In the same way, you can warn the employees when they are exposed to or sharing a customer’s private data. For example, this video shows a clipboard-based rule to prevent copy/paste operation in a CRM system to prevent customer data exfiltration. Similar rules can be created for say, your EHR/CMS/SAP system.

GDPR Article 25: Data privacy by design and by default

Article 25 requires that data processing be limited to what is necessary given the purpose for which data is initially collected and requires the controller to implement appropriate technical and organisational measures for ensuring that. Since this is such a fundamental principle, the fulfilLment of Article 25 is closely linked with conforming with several other articles. For example, Article 5 (1)  and Article 32 (1) (b) to name a few.

What is Pseudonymization?

Pseudonymization means replacing original data with false data that’s functionally similar and maintains the same statistical value. Pseudonymization can be one way to comply with the GDPR’s demands for secure data storage of personal information. Pseudonymized data can be restored to its original state with the addition of information which then allows individuals to be re-identified.[Wikipedia]

 

The good thing is, it also allows the Controller some flexibility. For example, you can process personal data other than originally intended as long as you follow “appropriate safeguards” such as pseudonymization/encryption. The Controller also has some leg room in terms of selecting additional measures or solutions including DLP/UEBA software based on some eligibility criteria: the state of the art of the technology, risk, data processing purpose and cost.

While Teramind doesn’t directly support pseudonymization, it does support AES 256 encryption. On-premise or private-cloud customers can utilize security features enabled by those VM/platforms for additional data security and privacy.

Processing employee data

Using employee data beyond the original intent:

You can indirectly pseudonymize employee data by exporting it without the personal identifiers like employee names, hardware etc. This way, you can  use the data for training, internal audits of processing activities, performance reviews, marketing analysis etc.

 

Processing customer data

Implementing access control:

Implement segregated access control and privilege management for sensitive and personal data by limiting admin access, viewing or editing of captured information. Additionally, you can enable application level access control to protected data in applications like your ERP/SAP systems with group level policies and integrating with Active Directory/LDAP. This feature can be found under the CONFIGURE > Access Control menu.

 

Demonstrating appropriate technical measures for both employee and customer data

Demonstrating technical measures:

As mentioned before, the Controller needs to evaluate security and privacy solutions based on some key criteria. Teramind has advanced technology implementation to position itself as one of the most state of the art UAM/DLP solutions in the market. This would make you and your DPO’s job easier if you need to demonstrate that you’ve chosen the right tools to ensure the data security and privacy of your EU employees and customers.

Conclusion

Teramind’s highly configurable activity monitoring and DLP tools help you protect the privacy of your employees and customers and at the same time defend your organization from insider threats, data breaches and other cyber threats. However, the software is only as effective as how you choose to use it. Hopefully, this guide will help you to utilize Teramind solutions better to conform with your ongoing compliance needs. In the next part of the article, we will discuss more ways to facilitate your GDPR journey with Teramind.

If you are interested, you can check out our other GDPR articles below:

DISCLAIMER

The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this article should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or situation.  The information presented in this article may not reflect the most current legal developments. No action should be taken in reliance on the information contained in this article and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this article to the fullest extent permitted by law.  Teramind would advise consultation with legal counsel or an attorney for advice and legal opinion on specific legal issues.