DLP vs. Privacy Laws | InfoWatch

DLP vs. Privacy Laws

Attendees of information security conferences are familiar with sessions on the privacy implications of monitoring a company’s network traffic. Such monitoring is usually performed by Data Loss Prevention (DLP) systems, which take content scanning a step further to identify security risks that regular tools would miss, or that result from malicious or unintentional employee actions.

However, like any tool, it can cut you if used incorrectly: a DLP system automatically gathers large amounts of personal and sensitive personal information, and an organization using one may inadvertently infringe the privacy of employees or third parties during investigations. Furthermore, the DLP logs are themselves a highly sensitive information asset and must be protected accordingly.

InfoWatch closely follows the guidance of those who draft data security laws and practices. That guidance reiterates the importance of both intention and action for data protection compliance: say what you are going to do, then do it. By offering role-based access to different areas of the DLP system, InfoWatch provides transparency in the management of DLP system logs. In most cases the data held in the logs will be considered personally identifiable and therefore subject to data protection acts, including the data subject’s right of access.

Private space is in effect everywhere and can include home life, family life and correspondence; privacy in public spaces; and privacy in the workplace. The requirements set out in current privacy regulations lead many companies to abandon plans for intelligent protection of sensitive and confidential information for fear of breaking privacy laws.

European data protection laws generally limit the ability of companies to monitor worker communications, such as email. EU laws also often protect employee activities, such as web browsing. Any DLP initiative that encompasses EU worker data (even if it is stored in another region) should reflect the requirements of the applicable laws as well as any works council agreements.

Data protection laws also require companies to assure an appropriate level of security for personal information they process. DLP technology can help companies meet these security requirements in appropriate ways. For example, use of InfoWatch technology that automatically encrypts sensitive personal information can help a company meet its security goals without offending worker privacy interests, since the encryption is done without creating reports that identify non-compliant users.

Thoughtful implementation of a DLP system can help companies achieve their security goals while balancing worker privacy interests and meeting data protection law obligations. There are a few key points to follow:

  • Establish enterprise-wide network and systems usage policies
  • Ensure transparency so that employees are aware of monitoring activity (this also helps to deter undesirable data loss)
  • Acquire the support of the executive team and/or stakeholders

The use of a DLP system does not contradict data protection regulations, especially where non-sensitive personal data is concerned. All work-related communications can also be monitored on the basis that employees act on behalf of, and as representatives of, their employer.

Diligent data categorization and classification, role-based configuration of the InfoWatch system and periodic review of DLP logs allow an organization to protect its sensitive digital assets without interfering with employees’ constitutional rights to privacy and freedom of speech. The system analyses and processes content automatically, without human intervention. Once a data breach incident is logged and the proper procedures are triggered, the necessary notification is sent to the responsible parties, who act in accordance with corporate information security and systems usage policies.
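The points above (a DLP log that is itself personal data, role-based access to it, and the data subject’s right of access) as an added Python sketch that is not InfoWatch’s code: it scans a constructed message, stores only a redacted excerpt under a pseudonymised sender, and reserves unmasking for one role. The patterns, key, role names and field names are assumptions for the illustration.

```python
import hashlib, hmac, re
# Constructed demo policy: content categories the DLP scanner flags.
PATTERNS = {
    "credit_card": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
PSEUDONYM_KEY = b"constructed-demo-key"  # hypothetical; a real deployment keeps it in a KMS/HSM
ROLE_FIELDS = {  # role-based view of the log: which fields each role may read
    "auditor": {"event_id", "category", "redacted_excerpt"},
    "investigator": {"event_id", "category", "redacted_excerpt", "sender_pseudonym"},
}
IDENTITY_VAULT = {}  # pseudonym -> identity, kept apart from the event log
EVENT_LOG = []

def token_for(identity):
    """Keyed hash: same person, same token, but the token alone names nobody."""
    return hmac.new(PSEUDONYM_KEY, identity.encode(), hashlib.sha256).hexdigest()[:16]

def classify(message):
    return sorted(cat for cat, pat in PATTERNS.items() if pat.search(message))

def redact(message):
    for cat, pat in PATTERNS.items():
        message = pat.sub(f"[{cat} REDACTED]", message)
    return message

def log_event(event_id, sender, message):
    """Automated scan: log an incident only on a category hit, and never the raw content."""
    cats = classify(message)
    if not cats:
        return None
    pseudonym = token_for(sender)
    IDENTITY_VAULT[pseudonym] = sender
    event = {"event_id": event_id, "category": ",".join(cats),
             "redacted_excerpt": redact(message), "sender_pseudonym": pseudonym}
    EVENT_LOG.append(event)
    return event

def view_event(event, role):
    return {k: v for k, v in event.items() if k in ROLE_FIELDS[role]}

def reidentify(pseudonym, role):
    """Unmasking is a separate step reserved for one role (here the DPO)."""
    if role != "dpo":
        raise PermissionError(f"role {role!r} may not re-identify data subjects")
    return IDENTITY_VAULT[pseudonym]

def subject_access_request(identity):
    """Right of access: every logged entry that concerns this data subject."""
    return [e for e in EVENT_LOG if e["sender_pseudonym"] == token_for(identity)]
```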

Vadim Zdor
CISSP, CCNA, ITIL
Chief Information Security Consultant

For more information on this topic please request a demo of InfoWatch Traffic Monitor solution.