This document discusses the legal obligations around DLP monitoring and how to address the challenges. It covers: 1) Laws like the Data Protection Act, EU Data Protection Regulation, and Regulation of Investigatory Powers Act that govern DLP monitoring. 2) Key challenges include carrying out monitoring legally under RIPA while allowing some personal use, and addressing this through data governance, stakeholder engagement, education, and culture. 3) Effective strategies include knowing your data and risks, having clear and achievable policies, providing tools and guidance for users, engaging stakeholders, frequent education and awareness campaigns, and embedding a culture of security mindfulness.

1. DLP Monitoring Legal Obligations,
Managing the Challenges
Maura McAulay

2. Contents
Part One – DLP Monitoring, the Legal Obligations
Part Two – Dealing with the Challenges

3. DLP Monitoring – Legal Obligations
DLP Monitoring of users communications such as (but not limited to) email and web
uploads is governed by a number of legal and regulatory factors:
• Data Protection Act
• EU Data Protection Regulation
• Regulation of Investigatory Powers Act (RIPA)
• Lawful Business Practice (LBP) Regulations
• ICO Employment Practices Code – Monitoring at Work

4. Data Protection Act
The UK Data Protection Act was set up in 1998 to regulate the use of 'personal data'
and consists of 8 Data Protection Principles.
These Principles specify that personal data must be:
1. Processed fairly and lawfully
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for any longer than necessary
6. Processed in accordance with the 'data subject's' (the individual's) rights
7. Securely kept
1. That "appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to personal data"
8. Not transferred to any other country without adequate protection in situ.

5. EU Data Protection Regulation
The EU have stated completion of the reform of data protection rules in the EU is a
policy priority for 2015. Shortly afterward organisations will be legally required to be
compliant.
In terms of DLP there are four key elements
• It is a Regulation, and not a previously a Directive
• Tougher sanctions for security breaches of up to €100m or 5% of organisations global
revenue, whichever is highest
• New requirement to report data loss/security incidents within 72 hours of the event
being known
• Tokenised, encrypted or pseudo-anonomised data meets requirement of individuals'
reasonable expectations of privacy
• But be wary. Encrypting all data isn't the answer and comes with its own set of
challenges.

6. Regulation of Investigatory Powers Act (RIPA)
Under RIPA it is against the law for a business to intercept an electronic communication
on its, or anyone else's system.
There are some exceptions, however, most of the exceptions contained in RIPA itself are
unlikely to apply to the monitoring of communications by employers, for example where
an interception is authorised under a warrant. The RIPA exceptions that may be relevant
are:
• Where the interception takes place with the consent from all parties of the
communication
• Where the interception is connected with the operation of the communications
service itself.
In addition to the exceptions in RIPA itself, the Lawful Business Practice Regulations
set out further exceptions where, in connection with the carrying on of a business, an
interception will not contravene RIPA.
An interception of communications that does not come within the exceptions in the LBP
Regulations or in RIPA itself is against the law.

7. Lawful Business Practice (LBP) Regulations
The LBP Regulations set out the circumstances in which a business is authorised to
carry out an interception for the purpose of running its business. They are designed to
meet the legitimate needs of businesses to manage their information systems, making
use of the capabilities of modern communications technology, but in a way that is
consistent with high standards of privacy.
There are 4 essential pre-requisites of the LBP Regulations:
1. The regulations apply to business communications only
2. Interception that is targeted at personal communications that do not relate to
the business is not allowed regardless of whether the use of the system for such
communications is authorised
3. Interceptions must be authorised by the relevant business owner
4. Interceptions are authorised only if all reasonable efforts to inform all potential
users that interceptions may be made, why and for what purpose the
information will be used.

8. Lawful Business Practice (LBP) Regulations
The Regulations
Interception without consent is allowed if it is part of monitoing (or recording) business
communications for one of the following purposes:
• To establish the existence of facts (e.g. to prove that a customer has been given
certain advice)
• To check that the business is complying with regulatory or self-regulatory
procedures
• To check the standards that workers are achieving (e.g. to check the quality of
email responses sent to customer enquiries)
• To show standards workers ought to achieve (e.g. for staff training)
• To prevent or detect crime
• To investigate or detect unauthorised use of the telecommunications system
(e.g. sending confidential information by email without using encryption if this
is not allowed)
• To ensure the security of the system and its effective operation (e.g. to check for
viruses or other threats to the system or to enable automated processes such as
caching or load distribution.

9. ICO Employment Practices Code – Monitoring at Work
The following are a few of the key obligations employers must meet in relation to
monitoring employee activities
• Workers must be clearly informed that monitoring takes place, the purpose of the
monitoring and the potential outcomes on workers of the monitoring
• Monitoring must meet the workers' legal right to privacy
• Take steps to ensure that any intrusion is no more than absolutely necessary
• Monitoring must be carried out in a way that is lawful and fair to workers
• Any adverse impact on workers must is justified by the benefits to the employer
and others
• Ensure information about workers collected through monitoring is kept securely and
handled in accordance with the DPA
• Ensure that all cases requiring further investigation and/or disciplinary action are
treated in a fair and consistent manner.

10. Dealing wth the Challenges
Not having DLP Controls in place is not an option if organisations are to meet DPA and
EU Data Protection Regulations obligations to protect any personal data collected
and/or processed, and meet stakeholder expectatations that they also protect other
important business data.
The challenge is how to carry out these activities within the parameters of RIPA and
LBP Regulations, especially in today's world where most organisations allow some
personal use of the systems.
Know your data and how it is used, and remember DLP is not simply
about monitoring
Think:
• Data Governance
• Stakeholder Engagement
• Education and Awareness
• Culture

11. Data Governance
Know your data:
• Know what it is
• Know how it is used
• Know how important it is to you
• Know how important it is to others
Know your risk and what remediation is required to carry out effective monitoring of
your business data.
Have the right policies in place:
• Information Security/Records Management/Privacy
• Acceptable Use
• Change Management
Make sure policies are precise and easily understood by all users (not just us!) and back
them up with fit for purpose standards and procedures.

12. Data Governance
Provide the tools needed to meet policy:
• Policy needs to be achievable. There's little point requiring users to treat
information in ways they can't because:
a. Tools aren't available
b. Tools are difficult to use
c. Inadequate guidance provided on how and when to use the tools
• Remember tools aren't always technical. Don't forget the importance of business
tools such as data risk evaluation matrices, data inventory templates, etc.
Don't set users up to fail and remember you need this information to build business
focussed monitoring policies.

13. Stakeholder Engagement
Don't operate in isolation. Know your stakeholders and engage with them.
Business
• Put simply how can you know the data you need to protect if you don't engage with
the business who own and use the data
Privacy/Legal
• How can you be assured that the monitoring you carry out and the resulting
activities are legally compliant
HR
The following are a few ways that engageing with HR is beneficial:
• Reference point to confirm that investigatory processes are consistent and fair to
colleagues and help cascade any required business activities downstream
• Help ensure communications are colleague focussed
• Support any disciplinary activities
• Where required assist with any engagement with unions or other colleague support
parties

14. Education & Awareness
Remember information security is our day job – not theirs. We have a responsibility
to make sure the business understand and get it right.
Effective Education
• Make sure policies and guidance are easily understood and easy to find
• Don't rely on annual refresher training. Provide additional guidance, helpful hints &
tips, worked examples, etc.
• Tell the story – explain why data security is important, e.g. the impacts of sending
work to home email, even thought the intention is good
• Provide solutions, e.g. remote secure access
Communications
• Tell users clearly monitoring is carried out
• Make communications (including education and guidance) visible, present and
frequent
• Don't rely on policy, intranet and newsletters – use posters, screensavers and
backgrounds, and pop-up awareness stalls
• Keep it relevant and cascade messages via execs within the business areas

15. Education & Awareness
Consequences
• Be clear about the consequences of not following policy and abiding by Acceptable
Use
• Provide clear guidance to be followed should a user realise they have breached
policy and data has been lost. Stress hiding will make it worse
• Users need to understand the importance and potential severity but don't
scaremonger

16. Culture
Aim
The aim of Information Security within an organisaton should be to embed an ethos of
data security mindfulness among its users where users feel confident they are carrying
out their day to day activities securely and can identify and highlight weakness in
business processes.
• Security becomes just part of how you do business, no longer a painful extra and a
blocker
• Enabling organisations to embrace new technologies securely and meet colleague
and customer demands to keep pace
"Aligned information security and business objectives—The model must enable and
support business objectives. The information security program should align with the
organization from the boardroom to end users, and information security controls
should be practical and provide real, measurable risk reduction." - ISACA

17. Culture
Fear Factor
The facts:
• Most people want to do the right thing
• Some will make mistakes
• Only a small number act maliciously
If you want to avoid a culture of fear, action following an identified data loss event
must be appropriate to the nature and severity of the incident
Number of people disciplined – a mark of success or indicator of failings?
Ask:
• Are your policies fit for purpose?
• Are you educating users effectively?
• Do your users have the right tools?
• Are the wrong types of people getting through vetting procedures?

18. Culture
Senior Executives
Enabling or sabotaging?
Too often in organisations the experience is that
executives make the right noises about data security but see themselves as being
exempt.
Why is this? Is it because:
• They believe the rules don't apply to them?
• They don't fully understand?
• No-one is prepared to put their head above the parapet and challenge?
• Is their support staff smoothing the way because applying security is a pain and its
their job to take that pain away?
• Have we made security just too damned hard and delivered it without any thought
to the business?

19. Questions?