Weighing Privacy with Security Under GDPR

By: Mark McGlenn | 11/8/2018

Weighing privacy and security has long been a delicate balancing act. With the adoption of GDPR this year, the scales have again shifted and the stakes for failing to get it right are dramatically higher. This is especially true as other similar data protection mandates continue to evolve around the globe like PIPEDA in Canada and new regulations being debated in Australia, Brazil and just about every state in the U.S.

Generally speaking, GDPR stresses prevention over detection. For example, an organization should prioritize blocking employee access to certain websites or tools over continuously monitoring employee communications. Continuous monitoring of that kind collects far more personal data than the security goal requires and is, under GDPR's data minimisation principle, considered overly invasive and an encroachment on an employee's privacy.

GDPR also requires organizations to conduct a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals' rights and freedoms (Article 35); the DPIA is how threats to the privacy of people in the EU are identified up front rather than after an incident. Beyond identifying potential threats, organizations must also build effective responses to the threats the DPIA identifies. Technical controls such as encryption and pseudonymisation of personal data (both named in Article 32) are the most common; fully anonymised data, which can no longer be linked to a person, falls outside GDPR altogether. These responses address both customer and employee privacy concerns and also secure an organization's IP, finances and much more.

IT Asset Management

The problem for most IT departments attempting to comply with GDPR, or any other privacy regulation for that matter, is that you can't secure what you don't know you have. Fortifying your network with your very best data protection efforts is largely wasted if a single inadequately protected endpoint is in the wrong hands. Thoughtful asset management that includes an inventory of devices, who each one is registered to, and what that user has access to is the first step in effective data protection.

The mechanics of securing the vast amount of data across all those devices must also be aligned with privacy concerns and that gets trickier still.

When it comes to managing your data and devices, IT should be enforcing policies already put in place by organizational leadership. Acceptable use and device use policies should be established by leadership and then effectively communicated by IT. It's important that all stakeholders share a clear understanding of what data must be tracked, and why.

For example, say your policy states that devices aren't supposed to leave a pre-defined range. A laptop doesn't drift out of range on its own; rather, an employee might unwittingly take a device with them when they travel, and that laptop grants access to both employee records and customer lists. In this scenario, the employee must first know the policy on where the laptop may be taken; awareness is one layer of protection. Then, geolocation alerts may be set up to fire when the device leaves the acceptable range, so IT knows it's gone. As a final step, your asset inventory should tell you whether the out-of-range laptop contains sensitive data that must be protected, which is what determines how urgently to respond.

Under GDPR, you likely wouldn't track location all the time: constantly monitoring the location of the laptop (and therefore the employee) would be considered invasive. But alerts that fire only when the device is out of policy do help maintain the security of the data and the device without building a movement history of the employee. This is an example of the concept of proportionality: weighing the risk of harm to an individual against the legitimate purpose of the processing.
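The alert design described above can be made concrete. The following is an added example written for this article, not Absolute's code or a description of how its product works: the office coordinates, asset IDs, user names and data classifications are constructed for illustration. It compares each device check-in against the policy zone recorded in the inventory, emits an alert only for out-of-range devices, enriches that alert with what the inventory says the device can access, and deliberately never stores coordinates or in-range check-ins, so the system holds no location trail. It also treats a check-in from a device that is not in the inventory as an alert in its own right, since an unregistered endpoint is exactly the gap the asset-management section warns about.

```python
"""Policy-gated geofence alerting cross-referenced with an asset inventory.

Added example (not from the original article). Sites, asset IDs and data
classifications below are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, FrozenSet, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS-84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class Geofence:
    """Policy-defined acceptable range: a circle around a named site."""
    name: str
    lat: float
    lon: float
    radius_km: float


@dataclass(frozen=True)
class Asset:
    """One inventory record: the device, who holds it, what it can reach."""
    asset_id: str
    assigned_to: str
    data_classes: FrozenSet[str]      # sensitive data the device holds or can access
    allowed_zone: Geofence


@dataclass(frozen=True)
class Alert:
    """What IT sees. It carries no coordinates on purpose: the event is
    'out of policy by N km', not 'this employee is at location X'."""
    asset_id: str
    assigned_to: str
    zone: str
    distance_km: float
    sensitive_data: Tuple[str, ...]
    severity: str


def evaluate_checkin(asset: Asset, lat: float, lon: float) -> Optional[Alert]:
    """Compare one location check-in against the device's policy zone.

    In-range check-ins return None and nothing is recorded, so no movement
    history accumulates; only policy exceptions surface, and they are graded
    by what the inventory says the device exposes.
    """
    zone = asset.allowed_zone
    distance = haversine_km(zone.lat, zone.lon, lat, lon)
    if distance <= zone.radius_km:
        return None
    sensitive = tuple(sorted(asset.data_classes))
    return Alert(
        asset_id=asset.asset_id,
        assigned_to=asset.assigned_to,
        zone=zone.name,
        distance_km=round(distance, 1),
        sensitive_data=sensitive,
        severity="high" if sensitive else "low",
    )


def process_checkins(inventory: Dict[str, Asset],
                     checkins: List[Tuple[str, float, float]]) -> List[Alert]:
    """Run a batch of (asset_id, lat, lon) check-ins and return only alerts.

    A device that reports in but is absent from the inventory is alerted on
    as well: an unregistered endpoint is itself an asset-management gap.
    """
    alerts: List[Alert] = []
    for asset_id, lat, lon in checkins:
        asset = inventory.get(asset_id)
        if asset is None:
            alerts.append(Alert(asset_id, "UNREGISTERED", "unregistered", 0.0, (), "high"))
            continue
        alert = evaluate_checkin(asset, lat, lon)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample data: a hypothetical London office zone and two laptops.
LONDON_OFFICE = Geofence("london-office", 51.5074, -0.1278, 25.0)

INVENTORY: Dict[str, Asset] = {
    "LT-1042": Asset("LT-1042", "a.brown",
                     frozenset({"employee_records", "customer_lists"}), LONDON_OFFICE),
    "LT-2077": Asset("LT-2077", "c.diaz", frozenset(), LONDON_OFFICE),
}

CHECKINS: List[Tuple[str, float, float]] = [
    ("LT-1042", 51.3762, -0.0982),   # Croydon: inside the 25 km zone, no alert
    ("LT-1042", 48.8566, 2.3522),    # Paris: taken on a trip, holds sensitive data
    ("LT-2077", 48.8566, 2.3522),    # same trip, but this device holds nothing sensitive
    ("LT-9999", 51.5074, -0.1278),   # in range, but not in the inventory at all
]

if __name__ == "__main__":
    for alert in process_checkins(INVENTORY, CHECKINS):
        print(alert)
```

The proportionality point lives in the shape of the data rather than in a policy document: the only artefact the system produces is the `Alert`, which records how far out of policy a device is and what it exposes, not where it or its holder actually is.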

There are technical solutions that can help you validate that your organizational policies are working as intended. Absolute Reach allows you to create and run fast asset management queries to speed up inventorying and audits, and to execute custom remediation actions to address vulnerabilities and threats when needed.
