Many of our customers conducting business in Europe are concerned about how the new General Data Protection Regulation ("GDPR") impacts the ability to protect their organization's data, network and IT system resources. In particular, many worry that the requirements of GDPR will restrict their abilities to decrypt, analyze or log networking traffic for security purposes. However, enterprises needn't worry, as GDPR actually does permit these types of security controls.
While GDPR sets limitations on the actions a company may take with respect to the processing of the personal data of its customers and employees, it also recognizes there are legitimate and legal reasons for such processing. The law identifies a number of justifications for the data processing. For example, it is legal if the processing serves legitimate interests of the company (the data processor or data controller) and the processing does not negatively impact the rights of the person whose data is used (the data subject). Security is recognized as a legitimate interest. Specifically, GDPR Recital 49 states:
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems . . . constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.
Thus, protecting an enterprise from security threats is a legitimate interest covered by GDPR. Data processing, including the collection and processing of log data containing personal information (e.g. IP addresses, social identity, etc.), is therefore permissible. Common use cases include:
1) Investigating security incidents caused by malware - to determine their scale and impact
2) Removing any found malware from organizational computers
3) Informing and managing users whose behavior is unsafe and endangers the company
4) Troubleshooting false positives
However, there are clear guidelines regarding the notifications of data collection as well as limitations regarding its usage. First, while the legitimate interest justification does not require the consent of the data subject, it does require transparency regarding user data processing, and limits the use of the data to the declared legitimate purposes. Enterprises must provide reasonable notice to their employees regarding such processing (e.g. via acceptable use policies, employment notices, system banners, etc.) and must make efforts to ensure that any data collected and stored is appropriately secured. Additionally, GDPR clearly stipulates the collected data may only be used for its intended purpose.
We have heard that apprehension about the enforcement of GDPR causes some enterprises to avoid implementing important security controls because of uncertainty about GDPR requirements. As discussed above, this should not be the case. In fact, proper security measures are a GDPR requirement.
The Akamai legal team has conducted extensive reviews and preparation for GDPR and has determined that Akamai's security solutions, including Enterprise Threat Protector, can be implemented as part of an enterprise's GDPR-compliant security controls. Further discussion of Akamai's services and GDPR can be found at General Data Protection Regulation (GDPR).
Principal Product Architect
Enterprise Security, Akamai
Associate General Counsel and Chief Data Protection Officer, Akamai