It’s been a very long week ushering in the infamous and inevitable May 25th GDPR enforcement go-live date. I’ve been calling this day “MayDay”.
May 25th 2018 is going to feel like a Y2K moment to me, all over again. We worked very hard over many months to complete all the code rewrites, patches, checklists, and other prep well in advance of the midnight clock-tick, yet my team and I still spent New Years Eve 2000 in the data center with one eye watching computer screens and the other eye watching the TV showing all the successful ball drops across the globe and nary a global catastrophe in sight.
The difference between Y2K and GDPR MayDay is that Y2K came and went.
Based on what I’ve heard this week, I think some legal and compliance teams might be overreaching a bit due to an abundance of caution, or they are stretching their interpretation of the language in this law. There is indeed a lot of room for misinterpretation since there are a great deal of broad and vague statements in GDPR.
Below are the most popular (but generalized) questions of the week.
- What about a company’s file shares which contain working documents, presentations, emails, spreadsheets that were authored by EU persons while employed in the company (active or terminated)
- What about company security and event logs? Most logs contain generic event information (such as successful and failed login attempts, web-trends information, appropriate usage monitoring, etc.)?
- What about company email addresses of former employees? I ask for an example… I hear, say you have a high-profile sales rep that quits. We use the former employee’s email address as an alias which directs the email to the sales manager so the manager can interact with the client and not lose potential business just because the sales rep decided to quit.
Since these questions were so very similar in nature across at least ten or more clients, I think there are probably others out there with very similar questions/concerns. Hence, I thought it might be beneficial to use this opportunity as a way to provide some one-to-many feedback.
Obviously, your compliance and legal departments own the “compliance problem” as well as the decisions for how to interpret laws and regulations, but let’s put the relevant parts of GDPR into context so that you can interact with those teams in a constructive manner.
GDPR: The Right to Erasure
GDPR and Your Corporate Security Event Logs
This is a considerably popular topic. When a company’s servers capture failed and successful login attempts, IP addresses, and other diagnostic information within security log files. This data is generally never going to be used beyond the purpose of tracking and responding to security incidents, but it must exist for investigating incidents. Therefore, there is no reason to obtain consent.
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
Hence, you are not required to obtain consent to collect this information because it is considered business critical and used for fraud prevention.
You should routinely purge unnecessary log files, or encrypt the archives if you are required to retain them, but you needn’t take special action beyond that.
Involve your Human Resources department
Regarding the work to implement processes such as:
- gaining employee consent within your intranet portal or other electronic corporate systems,
- being transparent with your employees about your security logs, and more importantly their purpose,
- transparency that you have a legitimate legal grounds for refusing to delete former employees’ “first and last names” that typically get tagged to corporate word docs, presentation, excel, etc,
You can treat all these issues through your Human Resources organization rather than implementing technical/IT fixes for these; just include these details in an updated employee handbook and request these consents in a written form. Remember that expressed, unambiguous consent can be freely given in written, verbal, and electronic forms
Hope this helps,
PS: If you need help getting up to speed, check out our complimentary GDPR alignment session!