Data Loss Prevention (DLP) tools detect the unauthorised transfer of data outside of organisational boundaries. They help organisations to take action when sensitive datasets are being transmitted to places where they do not belong. Consequently, the potential benefits of such tools are considerable.
However, as with other security monitoring tooling, there is a tension between security and privacy. DLP tools are often inherently privacy-intrusive. Using content inspection and contextual analysis, DLP tools may monitor individual employees’ network use, file storage, and their communications (including emails and IMs). In so doing, personal data (as defined by data protection laws) is processed.
Why conduct a privacy assessment?
Many data protection laws – including, for example, the GDPR – require organisations to carry out a ‘privacy assessment’ or ‘data protection impact assessment’ (“DPIA”) when using new technologies that carry an enhanced privacy risk.
Employee monitoring – i.e., the use of technologies such as DLP tools to monitor the activities or behaviours of employees – is a typical example of a potentially high-risk activity that would require the completion of a DPIA.
In addition to legal compliance, DPIAs also have practical benefits. Through data mapping, a DPIA allows an organisation to document a clear understanding of the types of data being collected, processed and stored by a DLP tool. Further, by investing in understanding and mitigating privacy risks to employees, the completion of a DPIA can help to support the trust-based relationship between employer and employee. This is particularly the case where the organisation implements a degree of employee consultation and feedback into the DPIA process. Ultimately, this can also help to mitigate against the risk of complaints and claims.
Finally, a DPIA provides the organisation with the opportunity to examine the benefits and rationale for the DLP tool. As part of the requirement to show why the processing of employee personal data is necessary and proportionate, the organisation is required to consider why, and in what way, it wants to deploy the tool. This process can help to identify improvements or efficiencies in deployment of the tool.
What should a privacy assessment cover?
First, a DPIA should map how and why the DLP tool processes personal data, including how data is collected, used, stored and deleted as well as its source and details of data sharing undertaken. Both internal and external recipients of the data should be identified. When documenting data mapping, diagrams can be an effective visual aid.
Additionally, the scope of the processing should be assessed, including: the nature of the data; whether sensitive data is included; methods and frequency of data collection; retention periods; the number of individuals affected; and the geographical area covered. In a DLP context, the scope of potential data processed may be broad – for example, a DLP tool that scans incoming and outgoing emails could, in theory, process almost any type of personal data. However, in this context it is also important to differentiate between data types that the DLP tool is ‘looking for’, data types that may be captured, saved or reviewed by a human being, and data types that are merely the subject of automated scanning.
Next, the privacy assessment should describe the purposes of the processing, such as what the organisation’s aims and objectives are, the intended effect on individuals and the benefits of the processing for the organisation more broadly. If possible, these should be defined in concrete terms, and linked to the particular characteristics of the organisation. For example, a pharmaceutical company may have identified a specific need to prevent the loss of sensitive IP in certain parts of its business, and a particular DLP tool may be an effective means of achieving this purpose.
In terms of compliance and proportionality measures, it is important for privacy assessments to consider in particular:
- the legal justification for processing employee data (in some jurisdictions it may be possible to rely on employee consent, in other jurisdictions, a legitimate interest of the company may need to be identified);
- whether there are alternative methods to achieve the same outcome (whether this is less intrusive DLP tools, or alternatives to DLP tools altogether);
- the prevention of function creep (how will the organisation ensure that data collected by the tool is not used for new, unauthorised purposes);
- how data quality and data minimisation are guaranteed;
- how individuals’ rights will be supported (how will employees understand that DLP tools are being used, and will they be able to access and challenge information collected about them by the tool); and
- data localisation and data transfer restrictions which may impact where the DLP tool resides and how data processed by the tool can be shared.
Once these aspects have been examined, the assessment can move on to identify any other miscellaneous privacy risks. For each risk identified, the DPIA should consider: (i) whether a solution can be identified; and (ii) whether the effect of that solution is to eliminate, or merely reduce, the risk. Where risks remain (even if they have been reduced), the business must then decide whether, on balance, to implement the tool notwithstanding the residual risks (i.e., whether these can be ‘risk accepted’).
Common privacy enhancing solutions that may be identified through a DPIA include:
- clear notice to employees that explains to them how and why DLP tools are used, and how information collected by a DLP tool might be used in a way that impacts the employee (e.g., in the context of disciplinary action);
- strict role-based access permissions to ensure that the data collected by the DLP tool is only available internally on a need-to-know basis;
- regular auditing of the use of the DLP tool to ensure that its outputs are only being used for purposes identified as necessary by the DPIA (i.e., there is no scope or function creep).
DLP tools offer huge potential benefits to organisations, particularly those that hold large volumes of sensitive information. Ensuring that a thorough privacy assessment is completed will help an organisation to successfully navigate the balance between effective security, respect for employee privacy, and compliance with applicable laws.