GDPR requires organizations to implement policies and procedures for the collection, treatment and management of data, maintain a plan to detect a data breach, regularly evaluate the effectiveness of security practices, and document evidence of compliance. With 99 Articles (GDPR statutes) and 173 Recitals, GDPR effectively mandates organizations to implement best practices for privacy and data security.
Teramind for GDPR helps organizations conform with ongoing compliance requirements with highly configurable and flexible activity monitoring, data exfiltration protection, audit, reporting and forensics capabilities.
GDPR Articles vs. GDPR Recitals
- GDPR Articles are the actual binding requirements that you must fulfill in order to be considered compliant.
- GDPR Recitals provide details and context to some of the Articles.
You need both to understand the scope, obligations and intentions of the GDPR.
In this article series, we will show you how to utilize Teramind’s privacy and security features to conform with some key GDPR Articles. In the first part, we will cover GDPR Article 5, Article 9 and Article 25 as examples. In the second part we will cover Article 30 – 34 and Article 38.
Which data to protect?
Unlike laws and standards like HIPAA and PCI DSS, GDPR requires you to protect both employee and customer data. This creates a unique problem. For example, say you are a bank and you have been using a DLP solution. The solution uses employee activity monitoring to prevent insider threats or data exfiltration incidents. While this makes sense, with GDPR you can’t protect one group (customers) while ignoring the privacy of another group (employees).
With Teramind, you don’t have to choose between the two. In our examples, we will show you how to implement data processing requirements of an Article for both your employees and customers.
GDPR Article 5: Principles relating to the processing of personal data
GDPR Article 5 has 7 principles relating to the processing of personal data. Here are the key concepts of the principles:
- Data processing with lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
Here’s how you can use Teramind for processing employee and customer data to comply with the principles:
Processing employee data
To maximize lawfulness, fairness and transparency:
The Teramind Revealed agent can be useful in this case. It has all the functionality of the Stealth Agent but lets users decide when they are to be monitored.
You can also request a custom agent that has certain monitoring features turned off. You can learn more about the Teramind Agent and its available versions here.
For purpose limitation:
Your first preference would be to adjust the monitoring settings to capture only the system objects you need to monitor. Teramind lets you monitor 12+ system objects. However, that doesn’t mean you have to monitor all of them. For example, if you don’t have a legitimate reason to record audio, turn off the Audio recording. You can also further adjust each object’s settings to dynamically suspend monitoring when personal activity is detected, for example when an employee visits their bank’s website or opens a personal email account. You can access monitoring settings under: Settings > Monitoring Settings > [Monitoring Profile].
For data minimization:
You can do the following:
For storage limitation:
The above also applies for storage limitation. Additionally, you can disable or limit offline recording to prevent local storage of data. This feature is available under Monitoring Settings > [Monitoring Profile] > Offline Recording.
To demonstrate integrity and confidentiality:
Take advantage of the immutable logs available in Teramind to keep track of admin activities related to employee data. You can ensure the integrity of the data by restricting admin access to employee data. This feature can be found under the CONFIGURE > Access Control menu.
Each user and admin is uniquely identified in Teramind in multiple ways (i.e. username/hardware id/IP/computer), so accountability is ensured by design (another GDPR principle, see Article 25 below). You can also set up a terminal server to handle just the EU employees and assign a dedicated admin/HR resource to handle their data to further clarify accountability.
Processing customer data
In a typical DLP scenario, you need protection mechanisms in at least three areas to protect your customer/third-party data:
- Ingress: the applications where data is being collected, such as incoming email, a chat conversation with a prospect on social media, registration forms on a website etc. Usually, any GDPR Consent should be collected at this stage.
- Egress: where data is going outside your protection zone, i.e. outgoing email, file uploads, copying data to external/USB drives etc.
- Transform: how your employees are handling the data internally, i.e. storing customer information in your marketing/sales campaigns, processing invoices.
In Teramind, protection in all of these areas is primarily achieved through the Policy & Rules Engine. Here are some best practices to follow when you are starting out:
Use built-in rule templates:
Teramind comes with hundreds of built-in rule templates for File Operations, Emails, Applications, Web etc. Pick one that closely matches your requirements and then adjust the rule parameters to fine-tune it.
To access a built-in rule template, select CHOOSE A TEMPLATE field from a rule’s General tab when creating a new rule.
Experiment with included sample policies and rules:
Teramind comes with several prepackaged policies and rules built with real-life scenarios. We have even built some GDPR-specific rules you can start using right away.
Learn to create your own rules:
When you are comfortable creating your own rules, the UI provides you with a wizard-like interface where you pick your choices, add simple conditions and use natural language to build complex rules in no time. It’s very intuitive and requires almost no training. You can also visit Teramind’s YouTube channel for examples on creating rules. Here’s one tutorial that shows how to create rules to prevent data loss.
GDPR Article 9: Processing of special categories of personal data
Article 9 lays out requirements for special categories of personal data, for example genetic data, biometric data, racial, political or sexual orientation data, or data concerning health.
To implement support for these data categories, first we will show you how you can use data classification in Teramind and then discuss how to apply that feature to protect your employee and customer data.
Processing employee data
Processing customer data
In the same way, you can warn the employees when they are exposed to or sharing a customer’s private data. For example, this video shows a clipboard-based rule to prevent copy/paste operation in a CRM system to prevent customer data exfiltration. Similar rules can be created for, say, your EHR/CMS/SAP system.
GDPR Article 25: Data privacy by design and by default
Article 25 requires that data processing be limited to what is necessary given the purpose for which data is initially collected and requires the controller to implement appropriate technical and organisational measures for ensuring that. Since this is such a fundamental principle, the fulfillment of Article 25 is closely linked with conforming with several other articles. For example, Article 5 (1) and Article 32 (1) (b) to name a few.
What is Pseudonymization?
Pseudonymization means replacing original data with false data that’s functionally similar and maintains the same statistical value. Pseudonymization can be one way to comply with the GDPR’s demands for secure data storage of personal information. Pseudonymized data can be restored to its original state with the addition of information which then allows individuals to be re-identified. [Wikipedia]
The good thing is, it also allows the Controller some flexibility. For example, you can process personal data for purposes other than originally intended as long as you follow “appropriate safeguards” such as pseudonymization/encryption. The Controller also has some leeway in selecting additional measures or solutions, including DLP/UEBA software, based on some eligibility criteria: the state of the art of the technology, risk, data processing purpose and cost.
While Teramind doesn’t directly support pseudonymization, it does support AES 256 encryption. On-premise or private-cloud customers can utilize security features enabled by those VM/platforms for additional data security and privacy.
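To make the pseudonymization definition above concrete, here is an added Python example (not Teramind functionality and not code from the original article). It assumes one common approach, keyed HMAC tokens with a separately stored lookup table; the function names and the sample records are hypothetical and constructed for illustration.

```python
"""Keyed pseudonymization of a constructed activity log (illustrative only)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the addresses are made up.
SAMPLE_EVENTS = [
    {"user": "anna@example.com", "action": "file_upload"},
    {"user": "ben@example.com", "action": "email_sent"},
    {"user": "Anna@Example.com ", "action": "clipboard_copy"},
]

def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: same input and key give the same token."""
    normalized = value.strip().lower().encode("utf-8")
    return "p-" + hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]

def pseudonymize(events, key: bytes, field: str = "user"):
    """Return (pseudonymized events, lookup table).

    The lookup table is the "additional information" needed to re-identify
    people; it must be stored apart from the pseudonymized data.
    """
    lookup, out = {}, []
    for event in events:
        token = pseudonym(event[field], key)
        lookup[token] = event[field].strip().lower()
        out.append({**event, field: token})
    return out, lookup

def reidentify(token: str, lookup: dict):
    """Restore the original value; returns None without a matching entry."""
    return lookup.get(token)

def events_per_user(events, field: str = "user") -> list:
    """Sorted per-user event counts, a statistic that survives the masking."""
    return sorted(Counter(e[field] for e in events).values())

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    masked, table = pseudonymize(SAMPLE_EVENTS, key)
    for row in masked:
        print(row)
    print("events per user:", events_per_user(masked))
    print("re-identified:", reidentify(masked[0]["user"], table))
```

The masked records still support per-user analysis, while re-identification is only possible for whoever holds the lookup table, and tokens produced under a different key cannot be linked to these.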
Processing employee data
Processing customer data
Demonstrating appropriate technical measures for both employee and customer data
Teramind’s highly configurable activity monitoring and DLP tools help you protect the privacy of your employees and customers and at the same time defend your organization from insider threats, data breaches and other cyber threats. However, the software is only as effective as how you choose to use it. Hopefully, this guide will help you to utilize Teramind solutions better to conform with your ongoing compliance needs. In the next part of the article, we will discuss more ways to facilitate your GDPR journey with Teramind.
If you are interested, you can check out our other GDPR articles below:
- Employee Monitoring and GDPR: How to Ensure User Privacy by Configuring Monitoring Profiles and Settings: Part 1 and Part 2
- 8 Tips for Implementing Employee Monitoring and Data Loss Prevention Solutions in a Data Privacy and GDPR Governed World
- How to Fulfill Key GDPR Requirements with Teramind
- How GDPR Impacts US Cyber Security Policy
- GDPR Compliance Tips: The Top Experts Speak
- What is GDPR: Who Really Owns the Data in Your Company?
The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this article should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or situation. The information presented in this article may not reflect the most current legal developments. No action should be taken in reliance on the information contained in this article and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this article to the fullest extent permitted by law. Teramind would advise consultation with legal counsel or an attorney for advice and legal opinion on specific legal issues.