Welcome back to our ongoing series on the 2018 General Data Protection Regulation, where we dive into the upcoming EU regulation and how it will impact the way we use remote access tools. Today our focus is on data minimization, at the heart of which is the general rule: process data only as needed.
This of course has many implications on the way remote technicians deliver support to their users, and there are two main principles to consider:
- Purpose limitation, which limits processing of personal data to satisfy tasks, workflows, and security mandates.
- Storage limitation, which limits how long this personal data is kept on file.
It's best practice to adhere to purpose and storage limitation whenever possible. In terms of remote access, these principles pertain to the graphical user interfaces, settings and configuration files, logs and audit records, and integrated features like file transfer and native chat.
Remember, overriding legitimate interests are another principle of GDPR. You may need to balance GDPR against other regulations and decide to disregard certain areas of data minimization. For instance, keeping detailed audit logs may be essential to the security of your business, and therefore you may choose to store more data than you typically would under the purpose limitation principle. Work with your security team to determine if you have any overriding legitimate interests, what they are, and how they supersede the requirements of GDPR.
Graphical User Interfaces
Any remote access tool that provides screen transfer and KVM (keyboard, video, and mouse) control runs the possibility of showing a remote technician everything on the user's screen during a support session. In many circumstances, this could be much more information than necessary.
Following the principle of purpose limitation, a remote technician would only have access to the applications or area of screen necessary to complete the task at hand. For example, if the goal of a remote support session is assisting in configuring a printer, the technician should only have access to the applications needed to do so, or the area of the screen displaying the printer driver window.
When choosing a remote solution for your business, make sure it has capabilities to restrict or limit non-purpose driven access. There should be a mechanism in place to either alert the user to conceal all unrelated data on their monitor, offer application specific remote access, or configure area of screen access.
Settings & Configuration Files
For organizations in the EU or those who process data of EU citizens, all personal data processed within a remote access tool falls under the scope of GDPR. Because storing data is a kind of processing, data minimization applies to any data stored within settings and configuration files.
For example, businesses will often maintain a listing of users and their devices to initiate remote sessions at the click of a button. Consider how much data is stored (i.e. processed) in these directories: user names, IP addresses, and unique device settings.
Our recommendation is to find mechanisms to centrally store these settings and configurations whenever possible, and then restrict access as needed. Ideally, you'll have configuration files stored on one central server, opposed to duplicating data across your endpoints and thereby conflicting with purpose limitation. The less data stored locally across endpoints, the better.
Also, be considerate of storage limitation - businesses shouldn't store personal data any longer than necessary. Therefore, storing a configuration file for quick access to a device that you hardly ever need to support is not a recommended practice. Talk with your security and business processes teams to determine how long you absolutely need to store this information. The same is true for logs and audit records.
Logs & Audit Records
It's common practice to log the who, what, when, and why of support activities for billing purposes, security, efficiency, etc. But once again, these records contain personal data and must be treated with caution. Be aware of what information your business is logging and make sure these records are truly necessary. Just because you can keep exhaustive audit trails, doesn't mean you should.
Work with your data compliance team to determine what information is necessary to log, how doing so is beneficial to your business, and what information is irrelevant or inappropriate to keep on file.
If you are logging irrelevant data on the assumption that it will be needed in the future, discontinue this practice and discard the information. Be aware of your logging activity and only record what is useful, what is relevant to the task at hand, and what is necessary to comply with other regulations.
Many remote control solutions offer integrated features like file transfer, remote management, and native chat. These tool sets can provide huge value, however, you may be duplicating them across other areas of your business.
For example, let's say you have chat built into your remote solution, yet use a separate instant messaging tool for internal support as well as live chat on your website. Each of these tools may store personal data of users within that system. Ask yourself, do each of these mechanisms need to retain user names, IP addresses, and specific profile information on employees and customers across your enterprise? Or, could you consolidate into one tool?
In other words, limit data processing and duplication whenever possible by centralizing the means by which you collect it.
Coming up, we'll be addressing the dispiritingly-named "right-to-be-forgotten," and as always subscribe in the sidebar to receive a notification when the next post in this series is published.
The General Data Protection Regulation goes into effect on May 25th, 2018. As you prepare your business for GDPR compliance, be sure to review our previous posts on pseudonymization and encryption, requiring consent, and the scope of GDPR. You can also watch the full recording of our recent webinar, "Implications of GDPR on Remote Access & Control."
For a comprehensive guide on aligning your remote access solution with the GDPR, check out our white paper “Making Remote Support GDPR Compliant: A Complete Guide.”