Incydr - Insider Risk & GDPR

"(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);"

 

What does that mean?

• For companies processing employee data, the lawful basis typically comes from "performance of a contract," "legal obligation," or the catchall, "legitimate interests."
• The company needs to be transparent about the who, what, where, when, why, and how of its collection.

"(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);"

 

What does that mean?

• Companies need to fully understand the reason they are collecting data and then only use the data they collect for that purpose.

"(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);"

 

What does that mean?

• Don't collect more data than is needed for the purpose(s) outlined in the Purpose Limitation principle above.

"(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);"

 

What does that mean?

• Personal data needs to be kept up to date or destroyed.

"(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);"

 

What does that mean?

• Personal data should not be kept longer than necessary for the specific purpose it was collected.

"(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

 

What does that mean?

• Personal data needs to be protected from internal and external risks.

"2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)."

 

What does that mean?

• Companies need a way to prove they have been adhering to the first six principles.

 

HR is tasked with reinforcing the culture of the organization, and a company compliant with GDPR needs to have data protection engrained in its culture.
HR will also work closely with Legal to create an Employee Privacy Policy. These policies outline the company's approach to protection of its resources, including its most-important resource: employees.
HR should also receive regular training on appropriate access and use of employee data.

 

IT is typically involved with configuring and maintaining the business systems that collect employee data, including managing controls and access. IT should be aware of compliance requirements, and receive training on appropriate access and use.

 

Security will be in charge of inquiring and investigating events of insider risk that may be in violation of the Acceptable Use Policy, which they will lead creating. Playbooks should be created to adhere to privacy requirements (set forth by HR and Legal) from initial inquiry through response and take into account checks and balances to maintain integrity and confidentiality. Security should receive training on appropriate access and use.

 

Depending on the company, Legal, GRC, and Privacy might all be the same department or they could be separate. Regardless, these teams are all in charge of understanding the requirements of and risks to personal data compliance, as it affects the company.

The company should define why and what data needs to be collected from employees and what gives them the lawful right to collect/use it. For employee data, the lawful basis is usually "performance of a contract" or "legal obligation."
When it comes to insider risk protection, the following purpose is a good place to start.

Visibility into all of an organization's data events to/from company resources to protect against loss, leak, and theft.

Incorporating diverse stakeholders across the organization in these conversations will help the company make sure they are minimizing any blind spots when it comes to assets and requirements.
Collecting data events as part of an Insider Risk Management (IRM) program can help organizations do so in a documented, consistent, and fair manner.

For transparency, companies need to be transparent about the entire lifecycle of the data collected from their employees including:

1. What data the company is collecting
2. What the company is doing with the data

By having appropriate policies and communications in place that are readily available, employees can get the transparency they need, which helps to build trust within the organization and ensures they (the data subjects) are aware of their privacy rights.

After defining the business purpose to collect employee data, the company must:

• Only use the collected data for the intended purpose.
• Implement policies that document what and why data will be collected and how it will be used.
• Communicate the purpose to the employee base and how the data will be used.

A best practice is for companies to create a "hub" of these policies and communications in their internal documentation so it is readily accessible for employees.
Ultimately, it goes back to the first principle: transparency is key.

For example, if file event data is collected from all endpoints for the legitimate interest of watching for file exfiltration, the organization can't decide later on to use that data for productivity monitoring of employees. If productivity monitoring is a requirement, the business has to go through the process again to define the legitimate interest.

Data minimization follows the intended purpose of the collection and use. If the purpose of an IRM Program is to protect the company from data loss, leak, and theft, any technology or collection methods must collect only the data needed for that purpose.

For example, monitoring exfiltration events from a company asset may be in scope, but collection should be limited to company assets–tracking someone's personal device that is only being used for personal use would be out of scope.

In conjunction with storage limitation, data minimization also includes limiting processing of data only to that which is relevant for the specified purpose and removing the ability to process data that is no longer relevant. In other words, event data retention limits will also minimize data.

When it comes to insider risk, it is important for organizations to have up-to-date information on all of their employees, contractors, and vendors. Any time this is out of date, the data subject should be able to update this information. Policies should be put in place for how to make the change or put in a request for a change.

Personal data should be deleted or anonymized once it no longer serves the purpose (unless there is a legal basis for retaining it). Policies and procedures should be implemented that define the length of time data can be kept to satisfy its purpose. IT, Security, and Legal should work together to determine the appropriate storage limitation for each purpose.

Companies need to create policies and procedures to protect and maintain the protection on any collected data. These will include policies on encryption, multi-factor authentication (MFA), and software updates.

To keep personal data the company is holding secure, the company should ensure it has measures in place to protect against both external and internal risks.

When it comes to mitigating insider risk, administrative controls, such as training on appropriate data use, and physical controls, such as secure access, may also need to be implemented to remain compliant with this principle.

A "supervisory authority" is responsible for monitoring compliance with GDPR in each member state. Companies should maintain detailed documentation of how the company is adhering to the first six principles and be prepared to show this documentation if/when they are audited.

In order to ensure all of an organization's data is protected, Incydr monitors endpoint/cloud data for all employees. For Incydr Professional, Enterprise, and Horizon product plans, Incydr only collects endpoint files that have been exfiltrated. If any collected data is not part of a security event/case, it will automatically delete after the product plan's retention period. File events and contents are only retained if there is a security reason to keep them.
Incydr uses inferred trust to track data going from a corporate source to an unmonitored device, which minimizes the need to collect data from a personal device while still protecting corporate data.

If enabled, Incydr can sync employee information from a configured SCIM tool to provision users within an Incydr environment and maintain information (such as first name, last name, and department) via identity management. Using an identity provider as the "source of truth" makes it easier to maintain accuracy across tools including Incydr and Instructor.

For general file event and content collection, Incydr has a secure-by-design storage limitation that varies depending on the particular product plan, which deletes collected events and files after the period expires. If file events/contents are needed for an investigation, Incydr includes tools for case management, which allows for retainment of events attached to a case for longer than the default retention period.
For file events/contents in a case, Incydr has automatic case archival, which also has a variable timeframe depending on product plan. Once a case is archived, the attached file events and contents are permanently deleted, but the case notes and information are available for auditing.

Incydr's role-based access controls (RBAC) help companies ensure the integrity and confidentiality of data and investigations to help prevent and protect against unauthorized access or unapproved use.
If using automation or interacting from the command line, Incydr's API Clients allow granular permissions for any specific task.
See our other articles, for a more-detailed breakdown of Incydr's architecture and our Security, Privacy, and Compliance for even more information.
Part of maintaining the appropriate confidentiality of files collected by Incydr is to have a standard operating procedure (template available in Additional Resources) outlining under what circumstances the investigation team can request access to those files, the approvals required, and the erasure of the content at the conclusion of any retention period.

Incydr includes an Audit Log, that tracks events and changes throughout the Incydr environment and can be used to "watch the watchers."

The answer is True.

The answer is 7.

The answer is 2, 3 & 5.