The part that employee threats play in GDPR compliance. Two-Year GDPR Anniversary Edition: Balancing compliance and employee monitoring.
In April 2016, European legislators passed the General Data Protection Regulation (GDPR) and announced that it would become enforceable in May 2018. With less than 24 months to get their acts together and avoid hefty fines, organizations scrambled to prepare for compliance. Data breaches have unfortunately become the norm over recent years, and the legislation was formed to better regulate and hold these companies accountable for protecting individual privacy rights.
In 2019, which has been described as the worst year ever for data breaches, 15.1 billion data records were exposed. Data breaches take the form of both accidental leaks and deliberate acts of theft. They are caused by malicious insiders, external actors, and employee accidents, each of which can have its own implications for compliance. Insider threats, in particular, are a serious concern: a 2019 survey found that 79% of firms believed that employees had accidentally placed sensitive data at risk. This is not only a security concern; it is also a data privacy concern. When misused, the access of trusted insiders and employees can negatively impact data regulated by GDPR and other laws.
Adding to the pressure companies already face, customers expect businesses to take data protection seriously. A 2019 Cisco survey on consumer privacy attitudes showed that 84% of consumers care enough about privacy to “take action”. It is within this landscape of technological advances, increasing security issues, and consumer expectations around privacy that the EU Commission decided to update the earlier Data Protection Directive 95/46/EC, or DPA(2), and bring into law the General Data Protection Regulation (GDPR).
Now, two years later, what has happened with regard to GDPR, and how do employees fit within the framework? Part one of this article explores the current state of GDPR. Part two looks at ways to meet compliance and protect employees’ data rights while balancing the need to monitor user activity and protect against data breaches.
79% of firms believe employees accidentally exposed sensitive data to risk. – 2019 Egress Survey
Part One: The Current State of GDPR
GDPR officially entered the business landscape on May 25, 2018. The build-up to the enactment of the law was, at times, a flurry of firms getting their planets aligned for the incoming legislation. Since then, organizations have continued working to meet compliance and, once there, to maintain it.
GDPR places personal data at center stage. Any firm that comes under the wide-scope jurisdiction of GDPR has to process personal data within the guide rails of the regulation. The definition of personal data under GDPR is any data that can be used to identify an individual. Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. GDPR also sets out classes of data, some more sensitive than others and therefore requiring greater levels of protection.
In March 2020, the European Data Protection Supervisor (EDPS) annual report identified that almost 90% of reported GDPR data breaches during 2019 were of the type “confidentiality breach”, the vast majority due to human error. With large fines looming for GDPR non-compliance, getting to grips with this aspect of cybersecurity is essential. Some companies have been able to adapt quickly, while others continually struggle to keep up.
What’s Happened: GDPR Events of the Last Two Years
A lot can happen in 24 months. Here are highlights on a few aspects of GDPR that have impacted businesses.
Data protection has shifted business operations
GDPR compliance is a challenge for any company. The regulation is not a tick-box exercise but a process involving in-depth assessment of systems and services. The regulation rests on six pillars: the lawful bases for processing data, which are covered under Article 6 of the GDPR. Within this framework are eight data subject rights that the GDPR states must be upheld when processing data. These cover a multitude of requirements, many of which involve fundamental changes to existing operations. There are also a number of moving goalposts. For example, there has been a recent guidance update on the application of ‘consent’: “Guidelines 05/2020 on consent under Regulation 2016/679”.
Compliance with GDPR has changed the face of organizations in a number of ways, including:
- B2C marketing: GDPR requirements on consent when collecting and processing data have challenged marketers. Consent in this context means having a lawful basis for processing data. A 2019 study from the UK’s Data and Marketing Association (DMA) found that 82% of participants believe their workplace has a ‘Good’ or ‘Moderate’ understanding of the GDPR. The survey also found that almost half of the firms believed GDPR improved customer trust in data handling, and marketing overall has been boosted.
- B2B marketing: Business data is impacted by GDPR only when that business data is deemed to be personal. Here the lawful basis of ‘legitimate interest’ applies, meaning that data should be processed based on the commercial interests of the subject.
- HR and employee data: There are requirements in GDPR which directly affect data processing, recruitment, and contracts regarding personnel. The eight data subject rights, which include the right to access, rectify, move, and erase data, are applicable to employees as well as customers. The recent GDPR guidance update on consent mentioned above also recognizes that the employee relationship involves a power imbalance. The guidance states that, because of the dependent relationship between employee and employer, consent cannot be relied upon as the sole legal basis for processing data in an employment context.
- Customer data: The full weight of GDPR applies to customer data processing. This means that unequivocal and freely given consent must be taken. In addition, the eight data subject rights need to be facilitated. This can mean updates to everything from user interfaces and user account management features, to telephone processes, and more.
Breaches and notifications exceed 100,000
The GDPR gives an organization 72 hours to notify a supervisory authority of a data breach, according to Article 33. Research by law firm DLA Piper found that between the date of enactment of GDPR and January 2020, there were 160,921 personal data breach notifications. To date, a number of very high-profile data breaches have come under the watch of the GDPR. Examples include British Airways and Marriott Hotels.
Cumulative GDPR fines exceed half a billion dollars
GDPR fines are onerous. One way to help reduce fines, if an organization finds itself in non-compliance, is to demonstrate through documentary evidence that compliance has been attempted. There are two levels of fines under GDPR:
Level 1: This level covers data breaches and non-performance of a data protection impact assessment (DPIA). The fine is 2% of annual global revenue or 10 million euros, whichever is higher.
Level 2: This level covers the application of the GDPR requirements, such as applying consent and data subject rights. This fine is set at 4% of annual global revenue or 20 million euros.
Between May 2018 and May 2020, cumulative GDPR fines have reached 467,476,268 euros, or over 500 million dollars.
Another area causing concern is how employees relate to GDPR. Employee insider threat is an area that requires careful monitoring, as illustrated by the Morrisons breach, in which an ex-employee of the firm unlawfully shared the personal data of 100,000 Morrisons workers. While the breach happened in 2015, under GDPR rules the firm would be open to a civil lawsuit backed by GDPR legislation, as well as a non-compliance fine.
The next section looks in more detail at this complex area of GDPR compliance.
Part Two: The delicate balance of employee threat prevention and GDPR compliance
While external threat prevention is fairly straightforward in terms of measures, insider threats can result in contravention of GDPR. External security threat types are well known, and external actors tend to take advantage of tried and tested tactics such as those outlined in industry watchdog OWASP’s Top Ten Web Application Security Threats. But insider threats causing data exposure are often either accidental or well planned out and obfuscated. Both malicious and accidental insider threats can be difficult to detect because of their insidious nature.
However, the rights of the individual employee and the rights to consumer privacy are a fine balance that must be struck. The latest guidance on consent from the EU Commission recognizes that consent is complicated by a power imbalance. The guidance gives several examples of the use of consent within a work context that can help to establish a legal basis for processing employee data. Understanding this and documenting mitigation processes, such as monitoring, will help you comply with the regulation. This is crucial in tackling the insider threat of data exposure that would otherwise leave your organization outside the bounds of its wider data protection obligations.
The Insider Threat Reality
Insider threats are of real concern: a 2019 study found that 60% of IT leaders expect to suffer a data breach in the coming 12 months. This contrasts with the 55% of employees who do not believe they are given the right tools to prevent a data leak. Interestingly, the study also found that almost one-third of employees believed they had rights over the data they worked on.
In addition to the accidental dangers associated with employees and data leaks, malicious insiders are also a threat. For example, a number of job ads looking for bank employees to illegally access bank accounts and carry out bank transfers were found on the dark web. A critical component in managing insider threats is detection. This is especially difficult in the connected enterprise, which uses cloud computing, allows employees to use their own devices, and now includes thousands of employees working from home. Data leaks can happen at any juncture, and monitoring employee activity is a way to spot potential exposure before it becomes a GDPR matter.
Behavioral monitoring and next-generation data loss prevention tools are increasingly used to help prevent insider threats. The “Insider Threat Report” found that 88% of organizations expect to use some method of monitoring users. How to achieve this while ensuring the preservation of employee rights is an essential aspect of GDPR compliance.
Monitoring vs. Employee Data Rights
Organizations have a duty of care to both their employees and to the privacy of their wider audience. Being able to spot a threat that comes from within the organization is a must-have. This has been tested in court. In a recent ruling in the case of Barbulescu v Romania, the European Court of Human Rights (ECHR) found that companies should be allowed to monitor employees’ private online communication. However, the court cautioned against applying the ruling blanketly and called for steps to achieve a balance. It is with this balance in mind that employee monitoring should be applied, as the measure can help support your GDPR compliance endeavors.
How Employee Monitoring Can Support GDPR Compliance
Employee monitoring has been widely used for threat detection and prevention, especially in highly regulated industries such as banking. The legislators behind GDPR know that companies must maximize their operations while balancing data privacy. The regulation highlights the need for companies to detect fraudulent or otherwise privacy-impacting behavior. It also makes provision for employee monitoring as a means to mitigate insider threats. To balance this need with privacy requirements, Recital 71 of the GDPR sets out the conditions for monitoring, which can be applied to employees as well as to data subjects more generally.
Done correctly, employee monitoring can be a powerful way to demonstrate compliance and even alleviate fines.
Steps to Getting Employee Monitoring Right
Follow these steps to weave employee monitoring into your GDPR program:
- Know your data (including employee data) – Know what data you have, where it resides, and how it is processed. Some data is classified as ‘sensitive’ under GDPR. Make sure you classify your data by mapping it to the GDPR.
- Map to GDPR requirements and data subject rights – Continue the mapping process to establish data subject right compliance. This allows you to establish where consent is required and if ‘legitimate interest’ can be used.
- Have a policy that represents data and GDPR clearly – Set out the areas that can be used to cover employee monitoring, including:
  - legitimate interests
  - the legal basis
  - notice to monitor
  - transparency and trust
- Use a Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA) to assess systems and processes.
5 Best Practices When Monitoring Employees Under GDPR
Balancing the need to monitor employees for insider threat prevention with adherence to GDPR requires a best-practice approach:
- Give clear reasons for monitoring and specify what is expected behavior.
- Have a policy on monitoring and employee privacy – including limits on monitoring to establish a level of trust.
- Be transparent about when, why, and who is being monitored.
- Use best-in-class solutions, like Veriato Cerebral, that balance privacy with monitoring alerts and data.
- Involve industry bodies, unions, etc. where appropriate.
GDPR can be a compliance challenge. But it also offers a great way to improve relationships with customers and employees. To establish a commitment to data privacy, firms need to engage their employees. This includes ensuring that both accidental and malicious data threats are spotted before they become a non-compliance issue and, eventually, a data breach. Employee monitoring offers a way to plug a gap in the security of data. Used under the guidance of GDPR advisories, monitoring can be both less intrusive and an effective form of data privacy control.