Are you letting GDPR’s privacy rules trump security?

An extreme approach to protecting privacy can actually make personal data less safe. Don’t overreact.

When incident detection vendor SecBI found suspicious activity on company devices at one of its clients, they passed on the data with the expectation that the client, a large European enterprise, would investigate further. That didn’t happen. The client’s security team was not allowed to look at the data due to privacy concerns.

A contract with the company’s employee union prohibited anyone in the organization from looking at employees’ personal data (e.g., browsing data, banking transactions, or healthcare provider interactions) stored on their work computers, even though the devices were owned by the company. Although SecBI’s data indicated possible bad behavior on the part of an employee, the company did not have sufficient cause to investigate under the terms of the union contract.

Here’s the kicker: The union used language from the EU’s General Data Protection Regulation (GDPR) in its contract with the company to keep it from accessing employees’ personal data on company devices. That put the company’s security team, itself part of the union, in an awkward position: The data showed a potential threat, but they could not confirm the threat without breaching the union contract. If there indeed was a data breach, they risked missing the GDPR’s requirement to notify the supervisory authority within 72 hours of becoming aware of it.

“This organization has a security operations center. It has tools and sensors to capture log data coming from the various devices deployed or assigned to employees, but the people in the SOC are very restricted from looking at the data being collected that is necessary to do their job, whether some laptop is compromised or somebody is misbehaving in a way that might pose a risk to the organization,” says Alex Vaystikh, CTO and cofounder at SecBI. “The organization is now struggling to balance between the privacy and the [GDPR requirement] to find and disclose compromise within 72 hours. They have a chicken-and-egg problem.”

The lesson here for every company struggling to meet GDPR compliance: Protect privacy, but don’t weaken your ability to detect and respond to threats in the process.

“A lot of people have a misconception about the EU standards even now for conducting appropriate reviews, monitoring, and following up on suspicious activity,” says Joan Antokol, founder and managing partner at Park Legal LLC and a member of the International Working Group on Data Protection in Telecommunications.
