Concern has sometimes been expressed whether the General Data Protection Regulation’s (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law seem to indicate will normally count as personal data. But a law that required us to tell attackers how much we knew about their activities would help them far more than us.
Fortunately the law, and now the Article 29 Working Party of European Data Protection Regulators, recognise this and similar problems. As the Working Party’s draft transparency guidance explains, the situation is covered by at least two exemptions:
- Paragraph 58 discusses Article 14.5(b), which says that informing the individual is not a requirement if doing so “is likely to make impossible or seriously impair the purpose of the processing”. Analysing attackers’ techniques so we can defend against them (and tell others how to do so) is an important aspect of keeping computers and data secure. Telling attackers when they need to change their approach would obviously “seriously impair” this purpose;
- Paragraph 57 also notes that informing individuals may, in any case, be impossible where the processing does not require them to be identified. Analysing network traffic is one of these situations since it is generally done “with pseudonymised data”. GDPR Article 11.1 states that such circumstances do not require the data controller to acquire additional personal data (for example an attacker’s contact details) solely to comply with GDPR requirements.
Security and incident response teams still have to ensure their processing is fair and has a legal basis. Recital 49 provides “legitimate interests” as the appropriate legal basis for securing networks, computers and data. Fairness should be ensured by the tests that processing is “necessary” for that purpose and is not overridden by the rights and freedoms of individuals. A public notice informing users of websites, networks and computers of an incident response team’s activities should meet the GDPR’s legal requirement as well as, perhaps, persuading at least some attackers to leave that organisation alone.