GDPR Fun Fact #12: The right of access does apply to security log data
The right of access as codified in Article 15 of the GDPR is an extremely potent tool in the hands of the data subject. As it should be, even at the risk of sometimes being used in bad faith, e.g. in the context of labour disputes. Regardless of the data subject's motivations though, a fundamental right is a fundamental right. And cybersecurity teams in particular had better be very familiar with its reach:
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data (...)
One might think that this right only applies to information you would find in a consumer’s purchase history, in a patient’s medical records, in a job candidate’s application dossier, or in an employee’s HR files. However, the right of access does not end there. Just consider what the European Data Protection Board has to say in the introduction of their guidance on the matter:
The right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject's request.
In paragraph 97 of its opinion, the EDPB gets very specific, and lists, among others, the following as being in scope of access requests:
Observed data or raw data provided by the data subject by virtue of the use of the service or the device (e.g. data processed by connected objects, transaction history, activity logs such as access logs, history of website usage, search activities, location data, clicking activity, unique aspects of a person’s behaviour such as handwriting, keystrokes, particular way of walking or speaking)
With that in mind, just think about the types and amounts of “observed data or raw data” that the security stack will collect or generate, transmit and store about the actions and behaviours of each user of a corporate IT infrastructure. Just to name a few examples:
Now scale this up to cut across the range of devices and other connected things used by the user, from their company-managed laptops, cellphones and tablets to their badges, smart cards, credit cards and company vehicles, on to their BYOD devices where applicable. Then add to those any shared resources and physical and virtual corporate infrastructure devices (desktops, routers, switches, servers, virtual machines, printers, VoIP phones, video conferencing equipment, etc.) which will also generate activity and usage logs that can be traced back to the user.
Strictly speaking, as the EDPB notes, where such data is directly or even indirectly individually identifiable (and it generally will be, even where the data is pseudonymised), the GDPR does not permit excluding it from the scope of an access request just because it is large volume, hard to collect or unintelligible to the user. When faced with a very broad or unspecified access request, data controllers can invoke Recital 63 (in fine) of the GDPR to ask the requester to specify the data they are requesting:
(...) Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
But if the requester then asks to access log data concerning them, then there is no ground to refuse. So what should cybersecurity professionals do? In short: be prepared. Specifically:
If it sounds like a lot, that’s because it is a lot. But I can only repeat the EDPB’s earlier observation:
The right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject's request.