GDPR Has Arrived
What does it all really mean in the context of cloud-based security products based in the U.S.?
The fundamental concept of GDPR is to give individuals in the EU (the regulation calls them "data subjects"; citizenship is not required) the legal right to control their personal data. The full text of the regulation is available online. This is a brief overview intended for a buyer in the security market.
Personal data, or Personally Identifiable Information ("PII"), is described in NIST SP 800-122 as information that can be used to distinguish or trace an individual's identity, or that is linked or linkable to an individual. GDPR's own definition (Article 4(1)) is broader still: "any information relating to an identified or identifiable natural person", and Recital 30 explicitly names online identifiers such as IP addresses. In other words, ask the question "Can I tell who this is, alone or combined with other data I hold?" and if the answer is "yes" then it's personal data.
GDPR gives data subjects in the EU a number of legal rights regarding their personal data, including:
1. Right to Rectification – Identify and correct inaccurate personal data.
2. Right to Erasure – Have personal data deleted, for example when it is no longer needed for the purpose it was collected for or consent is withdrawn.
3. Right to Restriction of Processing – Pause processing while accuracy is contested, when the processing is unlawful, when the data is no longer needed, or while an objection (#5) is being assessed.
4. Right to Data Portability – Receive the personal data they provided in a structured, commonly used, machine-readable format (for example JSON or CSV).
5. Right to Object – Object to processing based on legitimate interests or a public-interest task; the controller must stop unless it can show compelling legitimate grounds, and must always stop for direct marketing.
DarkBytes and GDPR
DarkBytes was designed with privacy in mind. As a cyber-security company, we must balance our use case with the privacy of users. We believe that effective security controls can be built without violating privacy rights. This mindset enables DarkBytes customers to rest easy and get back to focusing on business.
DarkBytes collects minimal personal data. Specifically, the personal data collected by our platform is limited by default to usernames, hostnames, IP addresses, and file paths.
This information is never sold to third parties. It is used only to identify the endpoint and the end user within our user interface and APIs.
On request, this personal data can be hashed with SHA-2 before it is stored. Strictly speaking this is pseudonymization rather than anonymization: an unkeyed hash of a low-entropy value such as an IPv4 address or a username can be recomputed by anyone who can enumerate the candidate values, and GDPR (Recital 26) treats pseudonymized data that can still be attributed to a person with additional information as personal data. Hashing therefore reduces exposure of the raw values; it does not take the data outside the regulation.
Technology & Processes
DarkBytes implemented both technology and processes to comply with GDPR. We use three different approaches to give customers full control of, and transparency into, personal data.
- Data Location – Our architecture enables EU customers to communicate, process, and store all data inside the EU.
- Data Control – Our support team has processes and procedures in place to allow EU data subjects to exercise their data rights. Simply send an email to firstname.lastname@example.org.
- Anonymize Data – Customers can choose to hash any or all personal data fields before they are stored. Because a plain hash of a guessable value (an IP address, a username, a hostname) is reversible by brute force, this should be understood as pseudonymization; a keyed hash under a per-tenant secret is the stronger option when the goal is to prevent recovery of the original values.
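The following is an added illustration, not DarkBytes' code, of the hashing caveat raised in the "DarkBytes and GDPR" section and in the "Anonymize Data" item above. It shows why an unkeyed SHA-256 of an IPv4 address or a username is recoverable by enumeration, and contrasts it with an HMAC-SHA-256 under a secret key. All inputs (the 10.1.0.0/16 subnet, the username "jsmith", the short wordlist) are constructed for the example; the function names are hypothetical and assume nothing about the product's implementation.

```python
"""Unkeyed SHA-256 as a pseudonym versus a keyed HMAC (added example, not the page's code)."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Iterable, Optional

Hasher = Callable[[str], str]


def pseudonymize_unkeyed(value: str) -> str:
    """The scheme the page describes: SHA-256 of the raw value, hex-encoded.
    Anyone can recompute it, so it only hides values an attacker cannot guess."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def make_keyed_pseudonymizer(key: bytes) -> Hasher:
    """Hardened alternative: HMAC-SHA-256 under a secret per-tenant key.
    The same input still maps to the same token, so events remain correlatable,
    but recomputing the lookup table requires the key."""
    def keyed(value: str) -> str:
        return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return keyed


def recover_ipv4(token: str, network: str, attacker_hasher: Hasher) -> Optional[str]:
    """Attacker's view: enumerate every host in `network`, hash each one the way
    the attacker believes the tokens were produced, and return the address that
    matches. A /16 is 65,536 hashes; the full IPv4 space is 2**32, which is
    still a cheap offline job on commodity hardware."""
    for host in ipaddress.ip_network(network).hosts():
        candidate = str(host)
        if hmac.compare_digest(attacker_hasher(candidate), token):
            return candidate
    return None


def recover_from_wordlist(token: str, candidates: Iterable[str],
                          attacker_hasher: Hasher) -> Optional[str]:
    """The same attack against low-entropy strings such as usernames or hostnames."""
    for candidate in candidates:
        if hmac.compare_digest(attacker_hasher(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    ip, user = "10.1.23.45", "jsmith"
    wordlist = ["root", "admin", "svc-backup", "jsmith"]  # constructed wordlist

    # 1. Unkeyed SHA-256: the attacker recomputes the hash over the candidate space.
    print("unkeyed IP recovered:", recover_ipv4(pseudonymize_unkeyed(ip), "10.1.0.0/16", pseudonymize_unkeyed))
    print("unkeyed user recovered:", recover_from_wordlist(pseudonymize_unkeyed(user), wordlist, pseudonymize_unkeyed))

    # 2. Keyed HMAC: without the key the same enumeration finds nothing.
    tenant_key = secrets.token_bytes(32)  # generated per tenant, stored apart from the data
    keyed = make_keyed_pseudonymizer(tenant_key)
    print("keyed IP recovered without key:", recover_ipv4(keyed(ip), "10.1.0.0/16", pseudonymize_unkeyed))
    print("keyed token is stable:", keyed(ip) == keyed(ip))
```

Two design notes follow from the example. First, the keyed token still maps the same input to the same output, which is what a detection pipeline needs to correlate events from one host or account, so the hardening costs nothing in analytic value. Second, because reversal depends on the key rather than on the hash, destroying a tenant's key renders all of that tenant's stored tokens unlinkable in one step, which is a practical way to honour an erasure request for data that is already spread across indexes and backups. Neither property makes the tokens anonymous under GDPR while the key exists; they remain pseudonymized personal data.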
We believe it's important for all security vendors to build acceptable solutions to GDPR rather than running away from it. The cyber-security industry is innovative and quickly evolving, and it's important that this innovation is available to everyone in the EU.