The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, European Council, and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). GDPR became effective on May 25, 2018, and reflects the aim of the European Commission to unify data protection laws across the European Union through one regulation, the GDPR. GDPR eliminates inconsistencies in national laws by raising the bar to provide better privacy protection for individuals within the EU. GDPR updates the law to better address contemporary privacy challenges, such as those posed by the internet, social media, and behavioral marketing. The regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. GDPR, by regulation, protects data privacy and requires organizations to implement best practices in the way data can be used, stored and/or transferred.
Under GDPR, deepwatch is a Data Processor, acting on behalf of the Data Controller (deepwatch customer). deepwatch’s legitimate interest to process data is based on securing network and enterprise environments, Lawfulness of processing (1) Processing shall be lawful only if and to the extent that at least one of the definitions apply as defined in GDPR Article 6(1)(f):
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In addition, under the guidelines of Recital 49 of GDPR, it provides deepwatch's managed security solutions to process data in the legitimate interest of the organization. deepwatch only uses personal data for security review and does not transmit or share data with third parties outside of the scope of network security. Under Recital 49, the Data Controller is legally obligated to protect their systems and users from security risks and thus does not require user consent.
deepwatch processes data in the legitimate interest of Data Controllers to protect their users from abuse, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data.
GDPR Recital 49 referenced above is as follows,
“The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.”
deepwatch processes system and security logs on behalf of the Data Controller to validate network and data security. Monitoring server logs may include personal data that is necessary to prevent fraud or abuse. Additionally, deepwatch requires server log information to facilitate incident response investigations for damaging or potentially illegal activity. As a result, deepwatch is categorized under GDPR as a Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT).
Examples of deepwatch processing data with legitimate interest under the scope of Recital 49 are the prevention of the following activities: malicious code distribution and preventing unauthorized access to networks. Examples of personal data that deepwatch may process with legitimate interest include:
deepwatch has completed a rigorous data impact assessment and is in certified compliance with the Payment Card Industry’s Data Security Standards (PCI DSS) version 3.2 for processing cardholder data. Additionally, deepwatch maintains Service Organization Control (SOC) 2 Type 2 reports, free of exceptions, for the Confidentiality, Availability, and Security Trust Services Criteria.
deepwatch also undertakes rigorous measures to lessen risk and exposure in terms of personal data. deepwatch manages data access and management in accordance with PCI DSS v3.2 requirements 8.1.1 through 8.1.8. GDPR Article 35 (Data Protection Impact Assessment) requires that a limited pool of people with access to the data can be used to help demonstrate the “proportionality” of the processing operations. As such, deepwatch restricts electronic access by using multi-factor authentication, restricts access to only those who require it, and restricts physical access to buildings and infrastructure using advanced access management hardware and software.
deepwatch utilizes Cloud Service Providers (CSP) with isolated Virtual Private Clouds (VPCs) for each customer. deepwatch employees connect to the production network through secure IPSEC Virtual Private Network (VPN) tunnels from both the Denver, Colorado and Saint Petersburg, Florida Security Operations Center (SOC) locations. Customer data transmitted on the network is encrypted over TLS connections, while data at rest is encrypted utilizing volume-based or object-based encryption. Key Management for encryption is handled by CSP’s Key Management Service (KMS).
deepwatch undertakes numerous steps to secure data and lessen risk in terms of data leakage and exposure. GDPR Article 32 requires Data Processors and Data Controllers to implement protocols and measures that determine an acceptable level of data security for the organization processing the data. deepwatch undertakes the following added steps to reduce risk in terms of data exposure for GDPR and assure an enhanced level of security.
Customer log data is maintained for the duration explicitly stated on the deepwatch Order Form executed by both deepwatch and the customer. Standard deepwatch log data retention is one year, with approximately three (3) months online in hot/warm storage, with the remainder stored in cold storage within CSP object storage. All data at rest is encrypted utilizing one of the strongest block ciphers available – 256-bit Advanced Encryption Standard (AES-256), leveraging CSP’s KMS. CSP KMS provides increased security for encryption keys, by preventing access to humans, never storing them in plaintext, and only utilizing them in memory. Each customer volume (hot/warm) or object (cold) is encrypted with a unique key, which is deleted upon the destruction of the volume or object store. Since the encryption key is destroyed, even if the data could be accessed it could not be decrypted.
deepwatch utilizes ServiceNow’s Incident Module for ticketing functionality. As a result, the aforementioned personal data may be included within tickets hosted by ServiceNow. ServiceNow provided the following statement regarding their GDPR compliance,
“At ServiceNow, we believe that the GDPR is an important step towards strengthening data protection laws across the European Union and enabling individual privacy rights. This is why ServiceNow is committed to being GDPR‑compliant across our cloud services when enforcement begins on May 25, 2018.
We have recently updated our data processing addendum (DPA) in compliance with the requirements set forth in the GDPR. Our DPA also gives our customers contractual assurances that personal data can be lawfully transferred from the European Economic Area to the ServiceNow services. For more information about our DPA, please review the FAQ here.”
Further information regarding ServiceNow’s GDPR compliance is available here.
deepwatch maintains a PECB Certified Data Protection Officer (DPO).