As digital transformation continues to multiply pathways to personal data, complete GDPR compliance is getting harder to attain.
Whether you’re a data protection officer or a cybersecurity professional helping your organization remain compliant, this blog suggests advanced GDPR compliance strategies you may not have yet considered - beyond that delightful cookie consent notice we all love.
Learn how UpGuard streamlines Vendor Risk Management >
GDPR Compliance in the Workplace
The General Data Protection Regulation doesn’t just aim to protect the data privacy of consumers; it sets rules for the processing activities of employee data. Surveillance solutions in the workplace are commonly overlooked in GDPR compliance audits, and as AI technology continues to infiltrate this space, the risk of overstepping data privacy limits rises.
Here’s a snapshot of the GDPR’s standards for employee data processing protection outlined in Article 88 of the GDPR:
“...rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context...shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace.”
The call to protect and respect the freedoms of employees should always be front of mind when implementing monitoring technology such as:
- Tracking technology in corporate vehicles
- Video surveillance in offices and data centers
- User activity monitoring of remote employees
- Remote endpoint monitoring
The compliance techniques in the following framework could help address the compliance implications of monitoring initiatives and their associated data-processing practices.
6-Stage Framework for Advanced GDPR Compliance in 2024
What’s a reasonably acceptable standard for human freedom and dignity is a difficult metric to define. Here’s a framework to guide your definition of this standard in your unique business context.
1. Establish proportionate surveillance controls
Cybersecurity teams will likely require some degree of video surveillance, especially when it comes to alignment with frameworks like ISO 27001, which explicitly calls for video surveillance in data centers.
According to Annex A Control 7.4 of ISO 27001, surveillance tools must be implemented to detect intruders entering physical areas without permission.
Learn how UpGuard can help you comply with ISO 27001 >
The concept of proportionality would prevent other regions of the workplace from being subject to the same degree of video surveillance as data centers - areas like office cubicles, meeting rooms, or even bathrooms - an error IKEA regrets.
The same principle applies to data breach mitigation methods. In an attempt to address the leading initial attack vector of data breaches - phishing - cybersecurity teams could risk overapplying employee activity monitoring controls, especially for remote workers. An extreme example is installing monitoring software on an employee’s private phone to track attempts to compromise multi-factor authentication workflows.
Security incident prevention controls shouldn’t be overapplied to the point of risking a personal data breach.
Whether implementing physical surveillance cameras or monitoring software, you must be completely transparent with your employees. Let them know exactly what is being monitored, where the monitoring devices are located, and most importantly, offer a valid reason for monitoring each region. These points should be clearly communicated before monitoring solutions are implemented, either within employee contracts or workplace policies.
As a guideline, all monitoring controls outlined in employee contracts should be limited to processes that are absolutely necessary for the employee to fulfill their contract.
If a significant number of your current or prospective employees are displeased with your monitoring levels and justifications, it could be a sign that you’ve violated the proportionality principle, warranting a reevaluation of your monitoring strategy.
If you cannot provide a valid reason for applying a particular monitoring control, you’ve likely violated the proportionality principle.
2. Don’t abuse your power as an organization
In 2019, PwC, the Hellenic Data Protection Authority (HDPA), fined PwC for GDPR violations, one of which involved using consent as a legal basis for processing employee personal data.
In an employment context, consent should not be used as a legal basis for approval of personal data processing. This creates a significant power imbalance, where employees feel obligated to offer consent to avoid negative consequences.
Consent can only be used as a legal basis for approving personal data processing in an employment context in very limited circumstances.
3. Apply Encryption at Rest when storing employee data
Don’t make the mistake of assuming your sensitive data is safe because it’s protected by multiple information security measures. Every layer of security can be potentially breached, either through software vulnerabilities or human error. As an ultimate precaution, all employee data should be encrypted at rest.
When data is stored using encryption at rest, an adversary cannot read it, even after stealing it in a data breach - not without a decryption key.
However, encryption at rest is only an appropriate security measure if your access keys are managed securely - don’t embed them in your code to streamline AWS bucket connections.
Some suggestions for securely managing access keys include:
- Storing access keys in environment variables for API and cloud service access rather than in code
- Using IAM roles and policies for managing permissions (for more info, refer to the IAM best practices outlined by AWS).
- If using AWS access keys, use the AWS Secrets Manager service.
4. Don’t be so liberal with your privileged access grants
Your Role-Based Access Controls (RBACs) should honestly restrict access to private data to those who absolutely require access to it to fulfill their duties. When correctly applied, a majority of the office shouldn’t be capable of accessing the private data of employees and EU citizen customers.
Learn how to meet the third-party security risk compliance requirements of the GDPR >
Access to the sensitive information of employees and customers should only be granted on a strict need-to-know basis.
As an additional layer of data security, to mitigate the chances of accidental, unauthorized access, consider implementing Dual-Key Encryption (DKE). With DKE in place, for sensitive employee and customer information to become readable, it would need to be decrypted with two keys stored in different locations - one stored locally and the other usually in a cloud computing platform, like Azure. The combination of its double encryption layer and dispersion of encryption keys makes DKE very difficult to compromise and, therefore, an excellent data security control for maintaining GDPR compliance.
Double key encryption is an effective risk management approach to defending against common cyberattacks and dangerous cyber threats like ransomware.
Learn more about Double-Key Encryption >
5. Audit all outbound traffic for sensitive data leaks
Even with state-of-the-art GDPR compliance controls, you could still be leaking sensitive customer data through your IT boundary - either due to insider threats or poor employee cybersecurity hygiene.
To determine whether this is happening, set your Data Loss Prevention (DLP) policies to “report-only” to get a log of all data being transferred out of your network. This monitoring effort will not only confirm whether sensitive customer information is being unlawfully transferred out, but it will also unveil which employees are initiating these transfers, allowing you to implement targeted data protection measures to stem these leaks.
If you’re using the data management tool Microsoft Purview, refer to this documentation for support with implementing this strategy.
6. Ensure your data privacy tool is platform-agnostic
The GDPR mandates that data privacy initiatives cover your entire IT infrastructure.
This includes:
- All operating systems (macOS, Linux, and Microsoft),
- All endpoints (mobile devices, laptops, computers),
- All mobile platforms (iOS, Android, and Windows),
- All potential entry channels (cloud storage, email, file-sharing services),
- The networks through which all data is transferred,
- All potential exit channels (USBs, removable hard drives, email, cloud storage, file-sharing services).
The added benefit of enforcing the portability of a data protection tool is that it reduces your risk of malware injections and, therefore, the likelihood of initiating your breach notification protocols.
The right data privacy tool will simplify your incident response efforts, improve your overall level of security, and enhance trust among stakeholders.
If you’ve already implemented a data security tool, you should test whether it's indeed platform-agnostic. Here are a few suggested testing techniques:
- Install the data security tool across different operating systems and test whether it can be similarly configured across all platforms without limitation.
- Test whether all features of the tool function equally across all platforms, especially data encryption, access controls, audit trails, and real-time monitoring capabilities.
- Test whether the tool can handle all data types across platforms to an equal degree (such as documents, images, emails, and any other digital data transfer vector available at your workplace).
- Ensure all security policies are equally applicable across all platforms. For example, if USB connections are restricted, the data protection tool must be capable of applying this policy in both Windows and Mac environments.
- Ensure the tool does not degrade system performance across different environments. If you experience a slight performance disruption on a particular operating system, even if it only occurs in older machines in your network, this would indicate that the tool is not truly platform-agnostic.
If, after your analysis, you discover a need for a new data security tool, make sure you carry out a Data Protection Impact Assessment (DPIA) for the new solution to test for non-compliance risks due to poor data processing standards - an assessment that should be applied to all new solutions processing personal data.
UpGuard can help you meet GDPR requirements in 2024
UpGuard’s all-in-one Vendor Risk Management solution, UpGuard Vendor Risk, offers a GDPR-specific security questionnaire to track compliance with the personal information disclosure requirements outlined in the European Union's General Data Protection Regulation (GPDR).
With UpGuard, you can easily track third-party non-compliance risks and security threats leading to data breaches, throughout the entire vendor lifecycle.
