The European Union's General Data Protection Regulation (GDPR) is a directive that concerns the processing of personal data by private organizations operating in the European Union, whether as employers or as service providers. While many organizations have focused their GDPR readiness efforts on managing data subjects' personal information on customers, employees are also considered data subjects. This post will focus on an organization's obligations to its EU employees (inclusive of contractors and trusted business partners, regardless of a formal contract) under GDPR.

GDPR goes into effect on Friday, May 25, which means that the two-year window for organizations to come into compliance is rapidly closing. GDPR impacts organizations conducting business in the EU (e.g., sells to customers in the EU and/or employs EU citizens) and is focused on the protection of EU citizens' personal information. By extension, insider threat programs operating within the European Union or accessing data on EU citizens need to consider what the GDPR means for their operations.

Key vocabulary included in GDPR that will assist in understanding include:

• Data subject is "a living individual to whom personal data relates." A data subject could be a customer or employee.
• Personal data is "any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier." While in the US we may be most concerned and familiar with Social Security Numbers as personal data, this definition could be expanded to include dynamic IP addresses in certain circumstances as they related to citizens of the EU. If the dynamic IP address can be combined with other information held by a third-party, like an ISP, to identify an individual, then it constitutes personal information.
• Right to erasure or be forgotten applies most often to customer relationships with an organization, but data subjects have the right to request erasure of personal data if certain circumstances apply. For employee relationships, the most relevant circumstance is if an employee's personal data may have been unlawfully processed or is no longer necessary for processing, e.g., an employee has exited an organization and his / her data is not needed by the insider threat program.
• Right to rectification means that data subjects have the right to have inaccurate personal data be corrected. For organizations, this means employees can request both access and corrections to personal data collected on them.
• Personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." The key difference here compared to more traditional understandings of a breach is that it includes "access," so personal data breaches could also include scenarios where the data never leaves an organization.

In this blog post, we consider what the GDPR means for some of the best practices discussed in the Common Sense Guide to Mitigating Insider Threats, 5th Edition. There is not enough space in one blog post to review each of the 20 best practices, so we will discuss practices that have the most potential to be impacted by GDPR.

Practice 3: Clearly document and consistently enforce policies and controls.

Documentation of policies and controls is fundamental to the success of any insider threat program, particularly the standard operating procedures for information sharing across the organization. With GDPR, sharing information on employees, even within the confines of an organization, may come under more scrutiny.

Practice 6: Consider threats from insiders and business partners in enterprise-wide risk assessments.

Enterprise-wide risk assessments need to consider not only technologies, but personnel and processes. Third-party businesses and other links along the supply chain add to any organization's threat landscape. In the context of GDPR, organizations will now need to consider adding confirmation of those business partners' GDPR compliance to their due diligence research and contractual agreements.

Practice 7: Be especially vigilant regarding social media.

Although social media may serve as a valuable data source for insider threat risk assessments, use of such information may come into question. GDPR grants individuals the 'right to be forgotten,' which means that social media providers can, in some circumstances, be compelled to delete an individual's data at their request. Organizations with EU employees, contractors, or trusted business partners may want to the extent to which they rely on social media as a data source and the likelihood that less social media data may be available for analysis in the future.

Practice 12: Deploy solutions for monitoring employee actions and correlating information from multiple data sources.

While security tools with correlation capabilities are still recommended, organizations will need to consider the implications for the storage of the information correlated by these tools. Given the potential for an employee to request access or corrections to the information collected on them, the data should be in a form that can be shared, edited, or even purged as needed. Consolidating information used by a security tools into a more 'user-friendly' format may help not only insider threat analysts perform their analyses, but allow privacy specialists to have more insight and input into the management of this information.

Practice 16: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.

Security agreements for cloud services should already be part of an organization's plan for working with such providers. Likewise, organizations should consider the risks associated with countries where its data may be stored, e.g., the level of law enforcement or government access allowable to data without prior notice, cultural differences in what constitutes acceptable levels of privacy, etc. Under GDPR, cloud service agreements need to take into account the potential for any international transfers of data and what constitutes personal information in that region, and that comparable levels of security are provided.

Practice 19: Close the doors to unauthorized data exfiltration.

Under GDPR, in some circumstances organizations can face penalties of the higher between $20 million or up to 4% of global annual revenue (not profit) in the event of a personal data breach. Additionally, organizations have 72-hours to notify impacted individuals once they are aware of the breach. Preventing unauthorized data exfiltration may become more important than ever for some organizations as failure to do could cause significant financial impacts.

Practice 20: Develop a comprehensive employee termination procedure.

Organizations should identify what data on an employee is or is not subject to right to be forgotten. Once this data has been identified for both current and existing employees, organizations should consider how that might be documented as part of a termination procedure or exit process. Although current employees still have a right to erasure, this issue is perhaps more likely to emerge during the exit process. After an employee's exit, an insider threat program may not have a need to further processing an employee's personal information and should consider its deletion.

While this post is not intended to be exhaustive of all of the considerations an insider threat program must take into account in regards to GDPR compliance, we hope that it will serve as a point of future conversation among insider threat program practitioners. If your organization would like to share some of its experiences in managing GDPR considerations for insider threat programs, please contact us at insider-threat-feedback@cert.org.