In the first part of the series, we talked about how you should implement employee and customer data privacy protection by setting up Teramind’s monitoring features properly and by utilizing its flexible policy and rules engine. In this second and final part of the series, we will cover how Teramind can assist the Controller, the DPO and their representatives with compliance accountability when it comes to handling personal data, record keeping and breach reporting obligations. We will demonstrate this with some use cases for Articles 30, 33, 34 and 38.
GDPR Article 30: Records of processing activities
Article 30 requires that each Controller, or the Controller’s representative, shall maintain a record of processing activities. Some of the other record keeping requirements of the Article are:
- Contact details (profiles) of the Controller, joint-Controller, DPO and their representative(s);
- The purposes of the processing;
- Categories of data subjects and data;
- Any data transfer to third countries;
- Demonstrate technical and organisational security measures.
While the Article mentions that some of these obligations aren’t applicable to companies with fewer than 250 employees, there are other conditions that can supersede that exception. For example, if the processing is likely to result in a risk to the rights and freedoms of data subjects, the 250-employee exemption will not apply.
Here’s how Teramind for GDPR can help with these requirements:
Teramind has built-in profile management features where you can keep track of the Controller, the DPO and any external consultants. You can assign them access levels for monitoring and auditing purposes.
To create a new user profile, click the Employee tab from the dashboard. You can then Add, Edit or Import new employees or external users.
Teramind also integrates with Active Directory. You can use its LDAP feature to import your users, computers, groups, attributes and other important metadata.
Record of data processing at user level:
Teramind keeps track of all user activity for 12+ objects including apps, websites, files etc. Teramind for GDPR can help the Controller and the DPO identify this information and record who’s accessing what data, and how the data is flowing through the organization.
For example, you can click the Monitoring tab and view individual reports for each data category such as File Transfers, Network etc.
Record of data processing at system level:
In addition to the User logs, Teramind also has a System log to keep track of all administrative activities by date/time, IP, employee, what action they performed, on which object, etc. This log is immutable, so it cannot be tampered with.
To access the System log, select System > System Log.
Data transfer to third countries:
Teramind has a network monitoring component that supports IP filtering. So, you can, for example, create an ACL by IP range for EU countries and attach it to a network rule. This way, you can monitor, log or block network traffic for certain activity or data transfers outside the EU.
[Screenshot in the original post: a sample network rule using an EU IP-range ACL.]
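To make the IP-range ACL idea concrete, here is an added example (not Teramind code, and not the rule shown in the original post’s screenshot) that evaluates a handful of constructed outbound flow records against an “EU” allow-list. The address ranges, the internal ranges, the flow format and the `BLOCK_THRESHOLD` policy are all assumptions made for the example; the EU prefixes are documentation prefixes (RFC 5737 / RFC 3849), not real EU allocations, and a real deployment would populate the ACL from a maintained geo-IP or RIR source. Note that IP-range geolocation is approximate (VPNs, cloud edges and CDNs can place traffic in a different region than the data’s true destination), so a rule like this is best treated as a logging and escalation control, with the logged events feeding the Article 30 record.

```python
"""Evaluate constructed network-flow records against an EU IP-range ACL.

Added illustration of the "ACL by IP range attached to a network rule"
approach; the ranges, policy and log format below are invented for the example.
"""
import ipaddress
from typing import Iterable, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed "EU" allow-list. These are documentation prefixes, used here only
# so the example is self-contained; they are NOT real EU address allocations.
EU_ACL: list[IPNetwork] = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Internal ranges listed explicitly (RFC 1918 / ULA) rather than relying on
# ipaddress.is_private, which also treats the documentation prefixes above as
# private and would hide them from the ACL check.
INTERNAL_RANGES: list[IPNetwork] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Assumed policy: outbound transfers outside the ACL are always logged, and
# uploads at or above this many bytes are blocked.
BLOCK_THRESHOLD = 1_000_000


def destination_class(ip_text: str, acl: Iterable[IPNetwork] = EU_ACL) -> str:
    """Classify a destination address as 'internal', 'eu' or 'non-eu'."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal"
    return "eu" if any(ip in net for net in acl) else "non-eu"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: 'timestamp,user,dst_ip,bytes_out'."""
    ts, user, dst, bytes_out = (field.strip() for field in line.split(","))
    return {"ts": ts, "user": user, "dst": dst, "bytes_out": int(bytes_out)}


def apply_rule(flow: dict) -> str:
    """Return the action for a flow: 'allow', 'log' or 'block'."""
    cls = destination_class(flow["dst"])
    if cls in ("internal", "eu"):
        return "allow"
    # Destination outside the EU ACL: log it, and block large uploads.
    return "block" if flow["bytes_out"] >= BLOCK_THRESHOLD else "log"


def evaluate(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Evaluate flow lines and return (user, dst, action) for each flow."""
    results = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        flow = parse_flow(line)
        results.append((flow["user"], flow["dst"], apply_rule(flow)))
    return results


# Constructed sample flows (not real log output).
SAMPLE_FLOWS = [
    "# ts,user,dst_ip,bytes_out",
    "2024-05-01T09:00:00Z,alice,192.0.2.10,52000",     # in EU ACL -> allow
    "2024-05-01T09:01:00Z,bob,10.0.0.5,900",            # internal -> allow
    "2024-05-01T09:02:00Z,carol,203.0.113.7,4096",      # outside ACL -> log
    "2024-05-01T09:03:00Z,dave,203.0.113.9,5000000",    # large upload -> block
    "2024-05-01T09:04:00Z,erin,2001:db8:1::42,1200",    # IPv6 in ACL -> allow
]

if __name__ == "__main__":
    for user, dst, action in evaluate(SAMPLE_FLOWS):
        print(f"{action:5}  {user:6} -> {dst}")
```

The split between "log" and "block" is the part worth tuning: logging every non-EU destination gives the DPO the evidence trail Article 30 asks for, while blocking only above a size threshold keeps the rule from interrupting ordinary browsing.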
Demonstrating security measures:
Teramind is an ISO 27001:2013 certified company. All its products and associated infrastructure follow rigorous compliance standards when it comes to technical and organisational security.
Here’s an overview of Teramind’s platform security. A customer can also request our ISO audit report if required for compliance purposes.
GDPR Article 33 and Article 34: Notification and communication of personal data breach
These two Articles are very closely related. Article 33 deals with breach notifications to the supervisory authority, while Article 34 addresses the communication requirements towards the data subjects. A crucial part of the notification is the speed at which it needs to happen: “without undue delay and, where feasible, not later than 72 hours.” Article 33 also requires the Controller to document such breaches in granular detail, including any remedial or preventive actions.
Teramind for GDPR can fulfill most of these requirements with its powerful forensic and auditing capabilities:
GDPR Article 38: Position of the data protection officer
This Article states that the Controller and processor shall support the data protection officer in performing their tasks by providing all the resources necessary to carry out those tasks. Some key responsibilities and tasks of the DPO are: advising the Controller on various GDPR initiatives; monitoring the effectiveness of the compliance measures; and finally, identifying any risk associated with data processing operations. The Article also requires the Controller to provide the DPO with “access to personal data and processing operations.”
Teramind provides the necessary tools to support both the Controller and the DPO:
GDPR is a complex piece of legislation, so it’s imperative that you carefully evaluate all your software implementations and not just Teramind’s. Hopefully, this article series will help you identify some of the strictest requirements of the law and configure your Teramind deployment accordingly.
Here are some related GDPR articles you can read:
- How to demonstrate GDPR compliance with Teramind: A step by step guide – Part 1
- Employee Monitoring and GDPR: How to Ensure User Privacy by Configuring Monitoring Profiles and Settings: Part 1 and Part 2
- 8 Tips for Implementing Employee Monitoring and Data Loss Prevention Solutions in a Data Privacy and GDPR Governed World
- How to Fulfill Key GDPR Requirements with Teramind
- How GDPR Impacts US Cyber Security Policy
- GDPR Compliance Tips: The Top Experts Speak
- What is GDPR: Who Really Owns the Data in Your Company?
The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this article should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or situation. The information presented in this article may not reflect the most current legal developments. No action should be taken in reliance on the information contained in this article and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this article to the fullest extent permitted by law. Teramind would advise consultation with legal counsel or an attorney for advice and legal opinion on specific legal issues.