On May 25, this Friday, the General Data Protection Regulation (GDPR) will take effect. Right now, most organizations are focused primarily on protecting customer data to avoid the potentially catastrophic non-compliance fines. But security teams must also consider how these new rules affect the data they collect from their employees.
The big challenge is that GDPR creates obligations for security organizations to protect personal data of EU citizens but also puts limits on employee monitoring, an important tool for cyber security organizations. These protections for the employee’s privacy in the workplace can negatively impact a security organizations ability to monitor, control, and protect their data processing environment.
How can you comply with GDPR while finding the right (and often elusive) balance between company security and employee privacy? Read on to find out.
Key GDPR Guidelines on Employee Monitoring to Know
The clearest GDPR guidance on how organizations can monitor employee communication comes from the Article 29 Working Party and is supported by the following documents:
- “Working Document on the surveillance of electronic communications in the workplace (WP 55)”
- “Opinion 8/2001 on the processing of personal data in the employment context (WP 48)”
- “Opinion 2/2017 on data processing at work (WP 249),” which complements the previous two documents. Here are some highlights.
Here’s a breakdown of three key principles you should know.
1. Don’t monitor all of your employees' activities… think risk-based monitoring.
While keeping track of how your employees use the Internet may be tempting, focus on risk-based monitoring to ensure you have a clear legitimate interest basis for the monitoring. GDPR guidelines strongly advise against it, stating that a blanket ban on personal use of the Internet by employees is “unrealistic” and “impractical” (WP 55). Only in “exceptional circumstances” (WP 55) should security teams monitor a worker’s mail or web use.
2. Focus on restricting access.
Instead of keeping tabs on how your employees use the Internet, “rely on technical means to restrict access” (WP 55) to websites that could introduce security risk to your organization. Or leverage other controls.
3. Prioritize transparency.
Tell your employees about all the systems that may be storing their data, tracking their browsing behavior and/or restricting access. And tell them “the purposes for this monitoring...as well as possibilities for employees to prevent their data from being captured.” (WP 249)
The Challenge: Finding the Right Balance
As the line between the personal and work lives of our employees becomes increasingly ambiguous, finding a balance between employee privacy needs and organizational security requirements can feel elusive.
Cyber threats are rising and personal web browsing via corporate networks introduces risk. But GDPR states that workers cannot abandon their right to privacy every morning before they enter their workplaces.
What’s a security team to do?
The Solution: Isolated Web Browsing
Web isolation, which separates workers’ personal web traffic from your corporate web traffic, is an excellent solution for security teams. It empowers employees to browse freely and privately in a protected session separated from the corporate network.
Users don’t notice a difference but any unsafe code they encounter stays out of their endpoints and your organization’s environment. Web isolation can significantly reduce malware, data loss, and compliance risks and ensures that your employees browsing sessions are secure and encrypted no matter where they are connecting from.
Interested in implementing a web isolation solution at your company? Click here to learn about how Proofpoint’s TAP Isolation can help you balance employee privacy and organization security.