In the past, information security was nearly exclusively a technical task for the IT specialists. Today, information security is the responsibility of many different stakeholders, up to management. It requires an holistic approach combining technical, organizational and contractual measures at all levels of the organization.
Cybersecurity and data dispute has become one of the main risks identified by European organizations and governments. Cybersecurity incidents are becoming more and more frequent, and more and more sophisticated. In addition to regulatory risks, they involve financial, operational and reputational damages.
Attacks do not only target personal data (i.e., any information related to an identified or identifiable individual) but also non-personal data (commercially sensitive data, trade secrets) and infrastructure. Since the Covid crisis, many organizations have moved towards increased remote working, also creating new vulnerabilities in terms of information security.
Many of the sanctions imposed by European data protection authorities for non-compliance with GDPR find their origin in an investigation of a personal data breach notified under Art. 33 of the GDPR.
It is therefore no surprise that organizations are aiming at reducing to a minimum the instances where a databreach occurs, and, if it occurs, limiting instances whereit needs to be reported to authorities (it being noted that, under Art. 33 GDPR, personal data breaches need to be notified to the competent data protection authority(ies) without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless it is unlikely to result in a risk to the rights and freedoms of natural persons).
As indicated by the Belgian Data Protection Authority, it is an illusion to think that all risks can be excluded. Even the best information security system is not immune to unforeseeable events, such as malicious acts, human error, natural disasters, etc. Organizations therefore need to manage those risks as best as they can and keep the residual risk as low as possible. This is exactly what a data loss prevention approach is aiming at, by combining the use of information-security tools and technologies, reinforcing awareness and training of employees, fostering appropriate behaviours, and implementing effective policies, procedures and standards as part of the organization data protection or information privacy programs.
Data security requirements under the GDPR
‘Data integrity and confidentiality’ is one of the key principles that any processing of personal must meet under the GDPR (Art. 5.1. (f) GDPR). It requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
In particular, Art. 32 of GDPR “security of processing” imposesto implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, amongst others, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Art. 33 GDPR further imposes an obligation to notify personal data breaches to supervisory authorities (unless the breach is not likely to result in a risk for the rights and freedoms of individuals) and data subjects (in case of high risk).
Data loss prevention and GDPR
While data loss prevention solutions help organizations complying with their legal obligations to protect personal data, and to minimize risks of non-compliance, they will in most cases also involve the processing of personal data, and consequently be subject to GDPR requirements.
This means that organizations need to ensure that the implementation of a data loss prevention solution is notably(i) grounded on a valid legal basis under Art. 6 GDPR, (ii) proportionate, and (iii) transparent.
- In terms of legal basis, it is generally admitted that the implementation of a data loss prevention solution can be based on the legitimate interests[1] of the organization to ensure its network and information security (Art. 6.1.(f) GDPR). However, in accordance with the case-law of the court of justice of the EU, relying on the legitimate interests legal basis requires to meet a 3-step test, as follows : (i) legitimacy test : the interests must be recognized as legitimate,(ii) subsidiarity test: the processing must be necessary to achieve those interests, which means they could not be achieved using less intrusive means, and (iii) balancing test : a balance must be made between the organization’s interests and the data subjects’ interests, taking into account a number of elements, amongst which the intrusiveness of the processing, the potential prejudice/risk for data subjects, the additional safeguards in place[2] and the reasonable expectations of the data subjects.
- In terms of proportionality and data minimization, the organization must ensure that personal data collected and processed as part of a DLP are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; such data cannot be retained longer than necessary for such purposes (storage limitation);
- Regarding transparency, the employees must be informed about all aspects of the processing of their personal data as part of the DLP tool including about their rights in that respect, and also usually includes informing about all aspects of the IT monitoring individually and collectively.
Most of the time, the implementation of the DLP solution will also be regarded as entailing high risks for the rights and freedoms of individuals (usually due to the use of new technologies that monitor the behaviour of so-called vulnerable data subjects, i.e. employees), which also implies that the organization must carry out a data processing impact assessment (DPIA) in accordance with Art. 35 GDPR. If the DLP tool entails any transfer of personal data outside the European Economic Area (‘EEA’) (for example, because the service provider or servers are located outside the EEA), then additional requirements will apply in order to ensure that the transferred data remain subject to a substantially equivalent protection as in the EEA (see Chapter V GDPR).
Lastly, organizations must be aware of labor law implications when rolling out DLP solutions, in particular when it entails the IT monitoring of employees, which is specifically regulated in most EU Member States.
Conclusion
Data loss prevention solutions appear more and more as a ‘must have’ to allow organizations to protect their data and information. At the same time, DLP solutions can only be rolled-out in compliance with specific legal requirements, whether GDPR or labor law requirements. One should indeed always keep in mind that, in Europe, employees benefit from a right of privacy on the workplace, and that policies stating that there is “no expectation of privacy” on the workplace will generally not be valid.
[1] See in that respect Recital (49) GDPR “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
[2]See in that respect the Guidelines of the Article 29 Working Party : the necessity of the DLP tool and its deployment should be fully justified so as to strike the proper balance between his legitimate interests and the fundamental right to the protection of employees’ personal data. In order for the legitimate interests of the employer to be relied upon, certain measures should be taken to mitigate the risks. For example, the rules that the system follows to characterize an e-mail as potential data breach should be fully transparent to the users, and in cases that the tool recognises an e-mail that is to be sent as a possible data breach, a warning message should inform the sender of the e-mail prior to the email transmission, so as to give the sender the option to cancel this transmission.