Data Privacy in Your Own Backyard

Similar documents
2018 Edition. Security and Compliance for Office 365

Security and Compliance for Office 365

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Automated Context and Incident Response

with Advanced Protection

Accelerate GDPR compliance with the Microsoft Cloud

Machine-Powered Learning for People-Centered Security

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats.

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Islam21c.com Data Protection and Privacy Policy

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

Getting ready for GDPR

PS Mailing Services Ltd Data Protection Policy May 2018

MITIGATE CYBER ATTACK RISK

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

GDPR: A QUICK OVERVIEW

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

Altitude Software. Data Protection Heading 2018

building an effective action plan for the Department of Homeland Security

The security challenge in a mobile world

FOR FINANCIAL SERVICES ORGANIZATIONS

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

Cybersecurity Considerations for GDPR

EU General Data Protection Regulation (GDPR) Achieving compliance

ngenius Products in a GDPR Compliant Environment

Google Cloud & the General Data Protection Regulation (GDPR)

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

BIOEVENTS PRIVACY POLICY

Data Management and Security in the GDPR Era

Latest version, please translate and adapt accordingly!

GDPR Workflow White Paper

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

REPORT. proofpoint.com

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

EU DATA PROTECTION COMPLIANCE WHEN SECURING SAAS APPLICATIONS

GDPR. What is GDPR? GDPR is extraterritorial, meaning it applies to any company, processing EU resident data, irrespective of their location.

General Data Protection Regulation (GDPR)

Microsoft 365 Business FAQs

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

The GDPR Are you ready?

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

9 Steps to Protect Against Ransomware

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

GDPR - What does this mean for you? Accelerate GDPR compliance with the Microsoft Services. Konstantin Sviridov Andrey Ivanov.

Project Better Energy Limited s registered office is Witan Gate House, Witan Gate West, Milton Keynes, Buckinghamshire, MK9 1SH

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Big data privacy in Australia

Privacy Policy of

Privileged Account Security: A Balanced Approach to Securing Unix Environments

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Layer Security White Paper

GDPR: An Opportunity to Transform Your Security Operations

EBOOK The General Data Protection Regulation. What is it? Why was it created? How can organisations prepare for it?

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

Make security part of your client systems refresh

Data Protection and GDPR

Best Practices in Securing a Multicloud World

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

To help customers achieve GDPR compliance, Freshchat has introduced the following new features:

SCHOOL SUPPLIERS. What schools should be asking!

Amit Panchal Enterprise Technology Strategist

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organisation from Impostors, Phishers and Other Non-Malware Threats.

Information Security Controls Policy

Understand & Prepare for EU GDPR Requirements

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

ADVANTAGES TO INCLUDING Autotask Endpoint Backup IN YOUR MANAGED SERVICES PORTFOLIO

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

General Data Protection Regulation (GDPR) The impact of doing business in Asia

GDPR Update and ENISA guidelines

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

THE RISE OF GLOBAL THREAT INTELLIGENCE

Guide to Cyber Security Compliance with GDPR

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

The CERT Top 10 List for Winning the Battle Against Insider Threats

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

The West End Community Trust Privacy Policy

Privacy Policy. Effective date: 21 May 2018

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

The Problem with Privileged Users

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

GDPR. The new landscape for enforcing and acquiring domains. You ve built your business and your brand. Now how do you secure and protect it?

Securing Your Most Sensitive Data

PRIVACY POLICY TABLE OF CONTENTS. Last updated October 05, 2018

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

Privacy Notice. Lonsdale & Marsh Privacy Notice Version July

GDPR Partner Marketing Campaign Playbook

Overview of Akamai s Personal Data Processing Activities and Role

IBM Security Guardium Analyzer

Proofpoint Enterprise Archive for SEC and FINRA Compliance

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Transcription:

White paper Data Privacy in Your Own Backyard Staying Secure Under New GDPR Employee Internet Monitoring Rules www.proofpoint.com

TABLE OF CONTENTS INTRODUCTION... 3 KEY GDPR PROVISIONS... 4 GDPR AND EMPLOYEE PRIVACY: ARE YOU COMPLIANT?... 4 GDPR guidance... 4 Legal precedent... 4 Watching the watchers: key principles of employee monitoring and privacy... 5 A ban on personal web use is unrealistic... 5 Monitoring must be necessary... 5 If necessary, it should be minimised... 5 It must be transparent... 5 You can t use employee consent to override privacy rights... 5 The rules apply to cloud services... 5 FINDING THE RIGHT BALANCE... 6 The power of isolated browsing... 6 How it helps organizations... 7 How it helps employees... 7 CONCLUSION... 7 LEARN MORE... 7 Data Privacy in Your Own Backyard WHITE PAPER 2

INTRODUCTION To date, General Data Protection Regulation (GDPR) compliance efforts have focused mostly on protecting customer data. But security teams must also consider how the new rules affect the data they collect from their own employees. Many organizations monitor, log and report on workers digital communications. This effort often includes internet usage. It s easy to see why. The web and personal email services are a major source of security threats. Under the GDPR, they re also a potential privacy minefield. Without the right tools and approach, the rules could constrain these efforts and hurt your security posture. This paper summarizes key mandates of the GDPR when it comes to employees personal internet use. It also explains how to stay secure without running afoul of the law. Data Privacy in Your Own Backyard WHITE PAPER 3

KEY GDPR PROVISIONS GDPR replaces the 22-year-old EU Data Protection Directive. At its core, the GDPR aims to put EU residents in control of their personal data. It regulates how their data is: Collected Processed Stored Deleted Transferred Used No matter where it is based, any company that does business in Europe or handles the personal data of EU residents must follow the new rules. Developing GDPR compliance plan is critical. Failing to comply could lead to hefty fines up to 4% of annual global revenue or 20 million whichever is higher. This amount is far higher than any fines that individual EU countries can impose today. GDPR AND EMPLOYEE PRIVACY: ARE YOU COMPLIANT? GDPR rules also apply to your employees privacy in the workplace. Many security programs monitor employee activity on the network, company-owned devices and cloud services. Under GDPR rules, they may become tricky balancing acts for security teams. Under the GDPR, you must weigh your security needs against workers right to privacy. Sometimes security needs win out, limiting employees right to privacy. But even then, your response must be proportional. A monitor-everything approach might seem convenient. But convenience alone would not warrant invading employees privacy. GDPR guidance EU rules governing how you can monitor email and web stem from these edicts: European Convention on Human Rights. Articles 8 and 10 outline a right to privacy and freedom of expression. EU Data Protection Directive. The directive guides EU member states to regulate how personal data is processed. It took effect in 1998. Article 29 Working Party working documents. Relevant guides include Processing of Personal Data in the Employment Context (2001) and Surveillance & Monitoring of Electronic Communications in the Workplace (2002). No matter where it is based, any company that does business in Europe or handles the personal data of EU residents must follow the new rules. Legal precedent Case law stemming from the Convention on Human Rights illustrates three principles: Workers have a rightful expectation of privacy at the workplace even if they use an employer-owned device. The general principle of secrecy of correspondence covers communications at the workplace. This likely includes email and file attachments. Respect for private life includes, to a certain degree, the right to form and nurture relationships with other people. Some of these relationships take place at the workplace. This reality limits employers surveillance prerogatives. 1 Oracle. Accelerate Your Response to the EU General Data Protection Regulation (GDPR). January 2017. Data Privacy in Your Own Backyard WHITE PAPER 4

Watching the watchers: key principles of employee monitoring and privacy The clearest guidance on how organisations can monitor employee communication comes from the Article 29 Working Party. The EU advisory board includes the data protection authority of each EU country, the European Data Protection Supervisor, and the European Commission. The group has provided some guidance through these documents: Working Document on the surveillance of electronic communications in the workplace (WP 55) Opinion 8/2001 on the processing of personal data in the employment context (WP 48) Opinion 2/2017 on data processing at work (WP 249), which complements the previous two documents Here are some highlights. A ban on personal web use is unrealistic A blanket ban on personal use of the Internet by employees may be considered to be impractical and slightly unrealistic. (WP 55) [A] blanket ban on communication for personal reasons is impractical and enforcement may require a level of monitoring that may be disproportionate. (WP 249) Monitoring must be necessary It would only be in exceptional circumstances that the monitoring of a workers mail or Internet use would be considered necessary (WP 55) The legitimate interest of employers can sometimes be invoked as a legal ground, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity. (WP 249) If necessary, it should be minimized To the extent reasonably possible Internet policy should rely on technical means to restrict access rather than on monitoring behaviour. (WP 55) Employers must take the principle of data minimisation into account when deciding on the deployment of new technologies. The information should be stored for the minimum amount of time needed with a retention period specified. Whenever information is no longer needed it should be deleted. (WP 249) It must be transparent Workers need to be informed about the systems implemented both to prevent access to certain sites and to detect misuse (WP 55) Effective communication should be provided to employees concerning any monitoring that takes place, the purposes for this monitoring and the circumstances, as well as possibilities for employees to prevent their data being captured by monitoring technologies. Policies and rules concerning legitimate monitoring must be clear and readily accessible. (WP 249) You can t use employee consent to override privacy rights [I]t is misleading if it (Employer) seeks to legitimise through consent. Reliance on consent should be confined to cases where the worker has a genuine free choice (WP 55) Employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer. (WP 249) The rules apply to cloud services Where employees are expected to use online applications which process personal data (such as online office applications), employers should consider enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances, such as a private mail or document folder. (WP 249) Data Privacy in Your Own Backyard WHITE PAPER 5

FINDING THE RIGHT BALANCE Figure 1 highlights the challenge. You must follow GDPR rules. But you also want to minimize threats stemming from workers personal activity. organizational needs Ensuring staff continue to have personal access to the Web at work Security Needs Cyber threats to the industry are rising requiring increased vigilance. Personal browsing is currently allowed through the corporate browser but represents a growing vulnerability. Companies need to increase monitoring of traffic through the corporate browser to protect assets. The Challenge Privacy Needs European Convention on Human Rights (1953) Principles from Article 8 Workers do not abandon their right to privacy every morning at the doors of the workplace General principle of secrecy of correspondence covers communications at the workplace. This is likely to include email and related files attached Web Access that is Protected and Private Figure 1: Balancing security and employee privacy The power of isolated browsing Fortunately, you don t have to sacrifice one for the other. Web isolation separating workers personal web traffic from your corporate web traffic solves both issues. Proofpoint TAP Isolation allows employees to browse freely and privately in a separate, protected session. It encompasses the same intelligence from our Targeted Attack Protection (TAP) suite of security products. The broader TAP suite stops advanced threats through email, the web, the cloud, and mobile devices. With TAP Isolation, users browse the web as normal. We isolate their activity in a secure, remote container that defends users from high-risk content they may run into while browsing. Users don t notice any difference, and they don t need to install anything. But any unsafe code they encounter stays out of their endpoints and your environment. TAP Isolation separates personal web browsing, including web-based email, from the corporate network. This split stops threats stemming from personal internet use. And by stopping corporate and personal activity from comingling on users devices, TAP Isolation also prevents many compliance issues beyond GDPR. Data Privacy in Your Own Backyard WHITE PAPER 6

How it helps organizations TAP Isolation protects organizations and their staff by separating corporate and personal web browsing. It creates an air gap between business and personal networks, sharply reducing malware, data loss and compliance risks. And by allowing employees to browse privately, it fully complies with GDPR privacy rules. With TAP Isolation, you can restrict access to unsafe websites on your corporate network without having to monitor or block personal web browsing. How it helps employees With TAP Isolation, your people get direct, safe and unmonitored access to the web. Their browsing sessions are secure and encrypted no matter where they re connecting from. They can access websites even if those sites are blocked on the regular corporate network. And they get the peace of mind that comes with knowing: Their personal information will remain private and cannot be monitored Their web activity won t inadvertently harm the organization CONCLUSION GDPR s protection of personal information goes beyond customer data. It directly applies your employees, contractors and vendors. In much the same way it guards consumers privacy, GDPR protects workers personal activity even on your network and devices. Security teams must accommodate workers right to a private life in the workplace. They must also safeguard the enterprise. TAP Isolation helps ensure that your security programs do both. LEARN MORE To learn more about how TAP Isolation can help you balance security and employee privacy, visit proofpoint.com/us/products/targeted-attack-protection-personal-webmail-defense Data Privacy in Your Own Backyard WHITE PAPER 7

ABOUT PROOFPOINT Proofpoint, Inc. (NASDAQ:PFPT), a next-generation cybersecurity company, enables organizations to protect the way their people work today from advanced threats and compliance risks. Proofpoint helps cybersecurity professionals protect their users from the advanced attacks that target them (via email, mobile apps, and social media), protect the critical information people create, and equip their teams with the right intelligence and tools to respond quickly when things go wrong. Leading organizations of all sizes, including over 50 percent of the Fortune 100, rely on Proofpoint solutions, which are built for today s mobile and social-enabled IT environments and leverage both the power of the cloud and a big-data-driven analytics platform to combat modern advanced threats. Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. www.proofpoint.com 0418-018

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback