Is your IT monitoring GDPR compliant?
The daunting truth is that every company in the European Union now has to be GDPR compliant. Most organizations have put a tremendous amount of work into getting there. In shared workspaces, for the last two months, the one term you would hear over and over again is GDPR. What is it? The General Data Protection Regulation mandates a whole set of new and updated privacy and data protection rules.
While the vast majority of organizations have made every effort to become GDPR compliant, it’s still difficult to say whether or not they’ve gotten there. There’s no precedent for many of the mandates, so everyone is doing their best to hire (expensive) consultants and interpret the regulations as well as they can for their respective businesses and their go-to-market data interactions with customers and partners. This lack of precedent means there’s no cheat sheet or golden manual to reference when a question arises about what falls under the regulation and what doesn’t.
What is certain is that any system holding potentially user-identifiable data should comply with GDPR guidelines. Organizations have taken this to heart and have focused heavily on client-based databases, user form data, e-mail opt-ins, and so on. What some organizations may have overlooked along the way are the critical tertiary systems that support their primary infrastructure, such as infrastructure and application monitoring.
Monitoring systems often contain logs or metrics that include user-identifiable information. Database logs may record users’ names, e-mail addresses or IP addresses, all of which count as user-identifiable information. Even system metrics such as network traffic or CPU utilization may be tied to IP addresses or to specific user sessions from a web server, which in turn include personally identifiable user data.
Well-run IT groups within any organization will have monitoring in place. It’s how they know what systems are online, which systems are at risk, and what their resource utilization is. Without monitoring, IT is flying blind in the datacenter - not a good thing. But considering the vast number of service checks, logs and metrics being stored and processed, a complete review of whether your monitoring system is GDPR compliant could be an exercise in its own right.
One way to ensure GDPR compliance of your system and application monitoring is to keep the monitored data on-site. Some cloud-based monitoring solutions claim to keep your data in a certain region, but you’ll need that in writing; and if they don’t comply, the responsibility for that non-compliance falls on you, not them. It can also be difficult to ensure that certain privileged data is never sent to a public system that isn’t certified for the even stricter data-privilege regulations that apply to it.
Organizations in highly regulated industries probably have less to worry about, since they’ve been dealing with GDPR-style regulation for some time. If your organization isn’t in a highly regulated industry, it’s important that you either keep personally identifiable data in your own datacenter or a regionally co-hosted facility, or that you do a total review of every data type sent from every system to public or distributed SaaS-based solutions.
The fines for non-compliance with GDPR can be significant - up to €10 million, or 2% of the worldwide annual revenue for a “Lower Level” fine, and up to €20 million, or 4% of the worldwide annual revenue for an “Upper Level” fine. Clearly, non-compliance is not an option.
Be sure to review every single log, data type or metric that your systems send off-site; it’s imperative. On-premises systems and solutions provide a much easier path to GDPR assurance.
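To make that review concrete, here is an added Python example (not code from the original post or from Opsview) that audits monitoring log lines for the two identifiers the text names, e-mail addresses and IP addresses, and pseudonymizes them with a keyed hash before the lines are forwarded off-site. The sample log lines, the regular expressions and the key are constructed for illustration; the token format and the helper names are assumptions.

```python
"""Audit monitoring log lines for personal data and pseudonymize it
before forwarding. Added example; all sample data below is constructed."""
import hashlib
import hmac
import re

# Patterns for the identifier kinds the text calls out. IPv6 addresses,
# usernames and other free-text identifiers are deliberately out of scope
# here, so this supplements a manual review rather than replacing it.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATTERNS = {"email": EMAIL_RE, "ipv4": IPV4_RE}

# Constructed sample lines in the style of database, web and metric logs.
SAMPLE_LOGS = [
    "2018-05-25T10:01:02Z db01 postgres: connection authorized: "
    "user=alice.smith@example.com host=10.0.4.17",
    '2018-05-25T10:01:05Z web01 nginx: 203.0.113.42 - - "GET /account HTTP/1.1" '
    "200 session=abc123",
    "2018-05-25T10:01:09Z web01 collectd: cpu-0 idle 93.2",
]


def find_pii(line):
    """Return {kind: [matches]} for every pattern that fires on one line."""
    found = {}
    for kind, pattern in PATTERNS.items():
        matches = pattern.findall(line)
        if matches:
            found[kind] = matches
    return found


def pseudonym(value, kind, key):
    """Deterministic keyed token (HMAC-SHA256, truncated).

    The same input always yields the same token, so sessions can still be
    correlated on-site, but the original value cannot be recovered by the
    off-site receiver, who never sees the key.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{kind}:{digest[:12]}"


def scrub_line(line, key):
    """Replace every e-mail address and IPv4 address with its pseudonym."""
    for kind, pattern in PATTERNS.items():
        line = pattern.sub(lambda m, k=kind: pseudonym(m.group(0), k, key), line)
    return line


def audit_and_scrub(lines, key):
    """Scrub a batch of lines and return them with a per-kind count of what
    was found. The count is the review record: if it is not zero for a feed
    that was believed to be PII-free, that feed needs attention."""
    report = {kind: 0 for kind in PATTERNS}
    scrubbed = []
    for line in lines:
        for kind, matches in find_pii(line).items():
            report[kind] += len(matches)
        scrubbed.append(scrub_line(line, key))
    return scrubbed, report


if __name__ == "__main__":
    # The key must stay on-site; a real deployment would load it from a
    # secret store rather than hard-coding it as done here for the demo.
    demo_key = b"demo-key-kept-on-site"
    out, counts = audit_and_scrub(SAMPLE_LOGS, demo_key)
    print("found:", counts)
    for original, cleaned in zip(SAMPLE_LOGS, out):
        print(cleaned)
```

The deterministic token is a design choice: a random replacement would be safer against linkage but would break the correlation that makes monitoring data useful, whereas a keyed hash keeps every occurrence of one address consistent while the key remains in your own datacenter. Run the audit on a copy of each feed you plan to ship to a SaaS tool and treat any non-zero count as a feed that must be scrubbed or kept on-premises.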
If you aren’t sure you’re monitoring all of your infrastructure and applications today, contact us to review your current solution. If you’re concerned about having GDPR-compliant monitoring, Opsview Monitor is an on-premises, GDPR-compliant monitoring platform that consolidates DevOps infrastructure across your IT estate.