As the May 25th, 2018 GDPR enforcement date approaches, more and more companies are actively taking steps to find, evaluate, and protect the personally identifiable information (Personal Data) of EU persons. Organizations that do business with EU persons are conducting data protection impact assessments (DPIAs) to find Personal Data under their control. Many are also asking “do we need to keep the data?” and putting into practice data minimization principles. These are good measures to take.
IT and privacy professionals are inventorying HR, CRM, CIAM, and IAM systems, which is reasonable since these likely contain Personal Data. Administrators should also consider performing DPIAs on security solutions.
Security solutions such as SIEMs, EMMs, and Endpoint Security/EDR tools collect lots of data, including Personal Data, for analysis. Many of the following types of Personal Data (as defined by GDPR) are routinely harvested for ongoing security and risk analysis:
- Username
- Email address
- User attributes, including organizational affiliations, citizenship, group membership
- IP address
- Geo-location
- User-created data files
Most security solutions allow options for on-premise analysis or cloud-based analysis. As an example, most anti-malware products "scoop up" files for deep inspection at the vendor's cloud, which may be outside of EU. Some vendor solutions are configurable in terms of what attributes can be collected and/or sent elsewhere for analysis; some are not.
Any processing of Personal Data is controlled under GDPR. The definition of processing is so wide that it likely includes these forms of scanning and analysis
In light of GDPR, one question administrators should ask “Is this information collected with user consent?” In some cases, user consent will be required. However, according to GDPR Article 6, personal information collection may proceed for the following purposes:
- for the performance of a contract or legal obligation;
- to protect the vital interests of the data subject;
- for a task in the public interest;
- or where processing is necessary for the legitimate interests of the controller.
Moreover, there will be situations in which Personal Data may be processed by more than one Data Processor. In these joint-processor scenarios, all entities involved in processing share responsibility for ensuring that the use of Personal Data is authorized under one of the GDPR-specified purposes above.
Security administrators should work with their DPOs and legal team to address the following additional points:
- Determine which of your deployed security solutions collect which kinds of data; in effect, do DPIAs on security solutions.
- Ascertain where this data goes: local storage? Telemetry transmitted to the cloud? If so, does it stay in the EU? Could it go outside the EU? GDPR defines the notion of data protection adequacy with regard to countries and organizations outside the EU. The Official Journal of the EU will publish and maintain a list of locations for which no additional data transfer agreements will be required.
- If the security scanning or analysis is performed by a third party or cloud provider, irrespective of wherever this is done there must be a written legal agreement as set out in Article 28 (3).
- Do your security solutions permit Personal Data anonymization? GDPR Recital 26 states that data which is sufficiently masked to prevent the identification of the user will not be subject to the data protection mandates. However, SIEMs and forensic tools sometimes need to be able to pinpoint users. Specifically, IP addresses and user credentials are almost always necessary and serve as “primary keys” on which security analyses are based. Within your security solutions, is it possible to mask user data at a high level for external analysis, but leave details encrypted locally, so that they can be unmasked by authorized security analysts during investigations? This is a difficult technical challenge, which is not supported yet by many security vendors. Regardless, even local processing of data elements such as IP address falls under the jurisdiction of GDPR.
In summary, don’t forget your security solutions when running DPIAs. Check with vendors about what information they collect and how it is treated. Work closely with your DPOs and legal counsel to plan the best course of action if you find that remediation or some re-design is needed.