In the first part of the series, we talked about how you should implement employee and customer data privacy protection by setting up Teramind’s monitoring features properly and by utilizing its flexible policy and rules engine. In this second and final part of the series, we will cover how Teramind can assist the Controller, DPO and their representatives with compliance accountability when it comes to handling personal data, record keeping and breach reporting obligations. We will demonstrate this with some use cases for Articles 30, 33, 34 and 38.

In this article series, we will show you how to utilize Teramind’s privacy and security features to conform with some key GDPR Articles. In the first part, we will cover GDPR Article 5, Article 9 and Article 25 as examples. In the second part we will cover Article 30 – 34 and Article 38.

GDPR Article 30: Records of processing activities

Article 30 requires that each Controller or the Controller’s representative shall maintain a record of processing activities. Some of the other record-keeping requirements of the Article are:

  • Contact details (profiles) of the Controller, joint-Controller, DPO and their representative(s);
  • The purposes of the processing;
  • Categories of data subjects and data;
  • Any data transfer to third countries;
  • A description of the technical and organisational security measures.

While the Article mentions that some of these obligations aren’t applicable to companies with fewer than 250 employees, there are other conditions that can supersede that exception. For example, if the processing is likely to result in a risk to the rights and freedoms of data subjects, the 250-employee exemption will not apply.

Here’s how Teramind for GDPR can help with these requirements:

Profile management:

Teramind has built-in profile management features where you can keep track of the Controller, DPO and even any external consultants. You can assign them access levels for monitoring and auditing purposes.

To create a new user profile, click the Employee tab from the dashboard. You can then Add, Edit or Import new employees or external users.

Teramind also integrates with Active Directory. You can use its LDAP feature to import your users, computers, groups, attributes and other important metadata.

Record of data processing at user level:

Teramind keeps track of all user activity for 12+ objects including apps, websites, files etc. Teramind for GDPR can help the Controller and the DPO identify this information and record who’s accessing what data, and how the data is flowing through the organization.

For example, you can click the Monitoring tab and view individual reports for each data category such as File Transfers, Network etc.


Record of data processing at system level:

In addition to the User logs, Teramind also has a System log that keeps track of all administrative activities by date/time, IP, employee, what action they performed, on which object, etc. This log is immutable, so it cannot be tampered with.

To access the System log, select System > System Log.

Data transfer to third countries:

Teramind has a network monitoring component that accepts IP filtering. So, you can, for example, create an ACL by IP range for EU countries and attach it to a network rule. This way, you can monitor, log or block network traffic for certain activity or data transfer outside the EU.

Check the image for such a sample rule.
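To show what an IP-range ACL evaluation of this kind does, here is an added example (not Teramind code) that classifies constructed network log lines against a list of CIDR blocks; the CIDR blocks and log lines are placeholders, not real EU allocations or product output.

```python
import ipaddress
from typing import Dict, List

# Constructed CIDR blocks standing in for an "EU ranges" ACL. These are documentation
# prefixes, not real allocations; a production ACL would be built from the
# organisation's own address-range data.
EU_ACL = [ipaddress.ip_network(c) for c in
          ("203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48")]

# Constructed network log, CSV: timestamp,user,dest_ip,dest_port,bytes_out
SAMPLE_LOG = """2021-05-04T09:12:03Z,alice,203.0.113.17,443,18204
2021-05-04T09:15:41Z,bob,192.0.2.44,22,91000000
2021-05-04T09:20:09Z,carol,2001:db8:10::5,443,5120
2021-05-04T09:21:55Z,dave,198.51.100.200,443,7340032"""


def in_acl(ip: str, acl=EU_ACL) -> bool:
    """True if the address falls inside any CIDR block of the ACL (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)


def evaluate_transfers(log: str, acl=EU_ACL, action: str = "log") -> List[Dict]:
    """Return one finding per transfer whose destination is outside the ACL.

    `action` mirrors what the network rule would be configured to do
    ('log' or 'block'); transfers inside the ACL produce no finding.
    """
    findings = []
    for line in log.strip().splitlines():
        ts, user, dest, port, nbytes = line.split(",")
        if in_acl(dest, acl):
            continue
        findings.append({"time": ts, "user": user, "dest": dest,
                         "port": int(port), "bytes": int(nbytes), "action": action})
    return findings


def bytes_outside_acl_by_user(log: str, acl=EU_ACL) -> Dict[str, int]:
    """Aggregate outbound volume per user to destinations outside the ACL."""
    totals: Dict[str, int] = {}
    for f in evaluate_transfers(log, acl):
        totals[f["user"]] = totals.get(f["user"], 0) + f["bytes"]
    return totals
```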

Demonstrating security measures:

Teramind is an ISO 27001:2013 certified company. All its products and associated infrastructure follow rigorous compliance standards when it comes to technical and organisational security.

Here’s an overview of Teramind’s platform security. A customer can also request our ISO audit report if required for compliance purposes.

GDPR Article 33 and Article 34: Notification and communication of personal data breach


These two Articles are very closely related. Article 33 deals with breach notifications to the supervisory authority, while Article 34 addresses the communication requirements towards the data subjects. A crucial part of the notification is the speed at which it needs to happen: “without undue delay and, where feasible, not later than 72 hours.” Article 33 also requires that the Controller document such breaches in granular detail, including any remedial or preventive actions.

Teramind for GDPR can fulfill most of these requirements with its powerful forensic and auditing capabilities:

Data breach alerts and incident reports:

Teramind’s extensive alert reports capture all the details related to a policy violation including:

  • the date or time of the incident;
  • which user violated the policy;
  • what policy was violated;
  • what rules were broken;
  • what actions were taken;
  • and the context (i.e. which resource, app or document was involved).

The alert report can be exported as a PDF file. The report can also be scheduled for automatic delivery to an email account. This allows you to report any data breach incident in minutes, well within the 72-hour limit set by GDPR.

Alert reports can be accessed from the Behavior > Alerts menu.
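As an added illustration (not Teramind code) of the Article 33 documentation the alert fields above feed into, the following example builds an incident record with those six fields, checks that none is missing, and computes the 72-hour notification deadline; the sample alert is constructed, and the field and function names are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Article 33(1): notify "not later than 72 hours after having become aware" of the breach.
NOTIFY_WINDOW = timedelta(hours=72)
# The six items the alert report captures (see the list above).
REQUIRED = ("occurred_at", "user", "policy", "rules", "actions_taken", "context")


@dataclass
class BreachAlert:
    occurred_at: datetime          # date/time of the incident
    user: str                      # who violated the policy
    policy: str                    # which policy
    rules: List[str]               # which rules were broken
    actions_taken: List[str]       # what actions were taken
    context: str                   # resource, app or document involved
    became_aware_at: Optional[datetime] = None   # the 72-hour clock starts here


def missing_fields(alert: BreachAlert) -> List[str]:
    """Fields that are empty and would leave the breach record incomplete."""
    return [f for f in REQUIRED if not getattr(alert, f)]


def notification_deadline(alert: BreachAlert) -> datetime:
    # If awareness time was not recorded, fall back to the incident time (conservative).
    start = alert.became_aware_at or alert.occurred_at
    return start + NOTIFY_WINDOW


def article33_record(alert: BreachAlert, now: datetime) -> dict:
    """Documentation entry: alert fields plus deadline status at time `now`."""
    rec = asdict(alert)
    remaining = (notification_deadline(alert) - now).total_seconds() / 3600
    rec["notification_deadline"] = notification_deadline(alert).isoformat()
    rec["hours_remaining"] = round(remaining, 1)
    rec["within_window"] = remaining >= 0
    rec["missing_fields"] = missing_fields(alert)
    return rec


# Constructed sample alert (placeholder values, not real product output).
SAMPLE_ALERT = BreachAlert(
    occurred_at=datetime(2021, 5, 4, 9, 15, 41, tzinfo=timezone.utc),
    user="bob", policy="GDPR - Personal Data Transfer",
    rules=["Block upload of files tagged PII to non-EU destinations"],
    actions_taken=["block", "notify"],
    context="upload of customers.csv via browser",
    became_aware_at=datetime(2021, 5, 4, 10, 0, tzinfo=timezone.utc),
)
```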


Forensic investigation of breach incidents:

Teramind’s Session Recording feature lets you conduct a thorough investigation of any breach or attempted breach incident. It works like a DVR: you can go back and forth and view a user’s desktop activity at any point in the past.

You can also see all the notifications the user received related to rule violation incidents and the activities leading up to the incident.

The video can be exported as an MP4 file or sent by email for forensic investigation, or kept as evidence for the GDPR breach reporting requirement.

You can access the Session Player from any Alerts screens or through the Monitoring > Sessions menu.

GDPR Article 38: Position of the data protection officer

This Article states that the Controller and processor shall support the data protection officer in performing their tasks by providing all the resources necessary to carry out those tasks. Some key responsibilities and tasks of the DPO are: advising the Controller on various GDPR initiatives; monitoring the effectiveness of the compliance measures; and finally, identifying any risk associated with data processing operations. The Article also requires the Controller to provide the DPO with “access to personal data and processing operations.”

Teramind provides the necessary tools to support both the Controller and the DPO:

Access to personal data:

Teramind provides granular access to all user activity data so the DPO can ensure that both internal and external users are monitored and audited properly. With this data, they can also warn the Controller when ‘illegitimate’ data is captured or processed.


Identifying risk and vulnerabilities:

With Teramind’s Risk dashboard the DPO can identify vulnerable employees, GDPR policies and rules, and system objects such as applications or websites.

The report can be viewed by department, severity or tags and sorted by risk scores or number of violations.

The Risk dashboard can be accessed from the Risk tab.

Conclusion

GDPR is a complex piece of legislation, so it’s imperative that you carefully evaluate all your software implementations, not just Teramind’s. Hopefully, this article series will help you identify some of the strictest requirements of the law and configure your Teramind deployment accordingly.

DISCLAIMER

The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this article should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or situation. The information presented in this article may not reflect the most current legal developments. No action should be taken in reliance on the information contained in this article and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this article to the fullest extent permitted by law. Teramind would advise consultation with legal counsel or an attorney for advice and legal opinion on specific legal issues.