The General Data Protection Regulation (GDPR) goes into effect in the European Union (EU) on May 25, 2018. GDPR improves data protection for EU citizens by letting Dynatrace users control their personal data within social networks and in the cloud.
GDPR rights for EU citizens
GDPR defines the following rights for EU citizens:
- Right to be informed
- Right of access
- Right to rectification
- Right to object
- Right to erasure ("the right to be forgotten")
- Right to data portability
- Right to restrict processing
- Rights regarding automated decision-making and/or profiling
Companies use Dynatrace products to monitor the performance and quality of services such as web and mobile applications. Dynatrace doesn't, by default, track personal data, but such tracking is possible depending on individual environment configurations and the applications that they are monitoring. For these reasons, Dynatrace is and must be GDPR compliant.
Data controllers and data processors
GDPR differentiates between data controllers and data processors.
- A data controller determines the purposes and means of the processing of personal data. Such companies, including those that use application performance monitoring, must ensure that personal data is collected and used in accordance with regulations.
- A data processor processes personal data on behalf of a data controller. Dynatrace, for example, processes personal data for its customers in the course of providing application performance monitoring. Data processors must ensure that stored personal data is protected.
NAM and personal data
The recording of personal data is acceptable under GDPR as long as the data collection is proportionate. A data controller must:
- Record minimal personal data and process it safely.
- Adhere to obligations that ensure rights, such as the right to be informed and the right to be forgotten.
When Dynatrace products capture personal data, it's typically through the use of Real User Monitoring (RUM), also known as User Experience Monitoring (UEM), and through the network data analysis that is an underpinning technology. For more information, see Dynatrace compliance with General Data Protection Regulations for EU citizens.
Dynatrace NAM captures performance metrics from the network by sniffing wire data traffic. NAM offers the ability to identify and track each client IP address and optionally look into the user session, including URLs accessed and user name submitted. This information is needed to monitor performance, provide high-quality service monitoring, and quickly resolve issues when problems are detected.
What NAM does with personal data
- NAM mainly captures a client IP address as required for network performance management. NAM can be configured to capture URLs, user names, and other personal data to provide better detail about user sessions that experience performance problems.
- NAM tracks user activity over the network, but it doesn't record or track personal data such as birth dates, social security numbers, credit card numbers, pictures, and social preferences (unless explicitly configured to do so). This is because Dynatrace products are focused on clicks, response times, and service communication, not specific input values.
- Collected data ages out and is automatically deleted over time, typically within a few weeks, so the EU citizen's right to erasure is handled by default.
NAM settings that comply with GDPR
Customers are required to be transparent with their users and inform them of the ways in which they collect and use their users' information (typically by way of a Privacy Notice). Where customers engage any third parties to collect information about their users on their behalf (such as Dynatrace), whether for the purposes of application and behavioral analytics or otherwise, this should be made transparent in its Privacy Notice.
Dynatrace additionally recommends the following NAM settings (assuming these settings aren't superseded by other legal requirements faced by your organization):
Settings related to client IP address and user name storage
NAM has features that allow you to record and track client IP addresses and user names. Depending on your NAM report server setup, NAM can:
- Track and record each client IP address separately
- Track IP addresses from selected ranges
- Track users with defined user names
While these features are desired for most deployments, you may have to reconfigure their settings in order to comply with GDPR.
- Go to the CAS menu > CAS configuration menu option.
- Modify options in the User options section.
To switch off recording client IP addresses or user names, select the client IP address aggregation option that best fits your privacy requirements:
- Aggregate all users but count distinct user identifiers (PVU mode)
- Aggregate all users (PV mode)
Client IP address aggregation to locations retains per-location accuracy of the network performance measurements, while individual client IPs or user names are not tracked anymore.
To track client IP addresses and user names (if your privacy policies applicable to internal corporate applications allow it), select:
- Track users with identifiers, aggregate other users (ISP mode)
In this mode, the user names and client IP addresses are stored by the NAM. As a result, you may need to select which monitored software services should track user names, which monitored software services should NOT track the user names, and which user names should be pseudonymized.
For more information, see CAS Configuration.
Settings related to user information in HTTP headers and URLs
When the AMD analyzes the HTTP request/response body information, it has insight into sensitive data, but this data is not recorded unless you intentionally configure the AMD to do so. If the recording is necessary (for example, it is needed for HTTP request body content analysis), recorded data can be irreversibly masked.
- Go to CAS menu > Monitoring > RUM Console.
- Select a network probe you need to change the configuration for and click Open configuration from its context menu.
- Go to Global > Front-End Monitoring > Web > HTTP > Sequenced Transactions and Header Data and create a parameter mask.
This global option affects data generation for all HTTP-based services and takes precedence over them. Clearing this option here will cause no such data to be generated for any HTTP services, even if data generation is enabled for an individual user-defined service.
If the AMD is configured to write header data to disk, header data is stored in /var/spool/adlex/rtm/headerdata_* files. Header data includes:
- Request header
- Request parameters (from URL)
- POST data
- POST data (raw)
- Request cookie in the HTTP request section
- Response header
- Response cookie in HTTP response section
- Go to CAS menu > Monitoring > RUM Console.
- Select a network probe you need to configure and click Open configuration from its context menu.
- Go to Software Services > User-Defined Software Services and edit the rule for the software service containing the URL with sensitive information.
- Click the URL Monitoring tab and edit an existing URL or add a monitored URL.
- Select URL type URL as regular expression.
- In the URL definition, enter a regular expression with the sensitive information excluded.
Note that the URL regular expression contains escape characters for parameter separators and parentheses around the URL portions to be reported.
- Save and publish the configuration changes.
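The kind of URL regular expression these steps describe can be checked against sample requests before it is published. The following is an added illustration, not taken from the NAM documentation or product. The host, path, parameter names and the rule that the reported URL is the concatenation of the parenthesized groups are assumptions, and the patterns are evaluated by Python's `re`, not by the AMD.

```python
import re
from urllib.parse import urlsplit

SENSITIVE_PARAMS = {"user", "email", "token"}  # assumed parameter names

# Weak rule: one group around everything, so the whole query string is reported.
NAIVE_PATTERN = re.compile(r"(https?://shop\.example\.com/order/view\?.*)")

# Corrected rule: '.' and '?' are escaped, '&' is matched literally, and only
# the parenthesized portions (path and the non-personal order id) are reported.
URL_PATTERN = re.compile(
    r"(https?://shop\.example\.com/order/view\?)"  # reported: scheme, host, path
    r"(?:[^&#]*&)*?"                               # skipped: parameters before id
    r"(id=\d+)"                                    # reported: order id
    r"(?:&[^#]*)?$"                                # skipped: all later parameters
)

# Constructed sample requests; none of these values come from a real system.
SAMPLES = [
    "https://shop.example.com/order/view?id=1042&user=alice&email=alice%40example.com",
    "https://shop.example.com/order/view?user=bob&id=77&token=abc123",
    "https://shop.example.com/order/view?uid=9&user=carol",
]

def reported_url(pattern, url):
    """Join the capture groups (assumed reporting rule); None if no match."""
    m = pattern.match(url)
    return "".join(g or "" for g in m.groups()) if m else None

def leaked_values(pattern, url):
    """Raw values of sensitive parameters that survive in the reported URL."""
    reported = reported_url(pattern, url)
    if reported is None:
        return []
    pairs = (p.partition("=") for p in urlsplit(url).query.split("&") if p)
    return [v for k, _, v in pairs if k in SENSITIVE_PARAMS and v and v in reported]

if __name__ == "__main__":
    for url in SAMPLES:
        for name, pat in (("naive", NAIVE_PATTERN), ("masked", URL_PATTERN)):
            print(name, reported_url(pat, url), leaked_values(pat, url))
```

The third sample does not match the corrected rule at all, because `uid=` is not the `id=` parameter, so it would fall through to whatever other URL rules are defined.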
Settings related to user name capturing and pseudonymization
For each of the monitored services (software services in the NAM configuration), you may choose either not to capture user names at all or to pseudonymize captured user names and grant access to reveal user names only to selected administrators.
- Go to CAS menu > Monitoring > RUM Console.
- Go to RUM Console menu > User name encryption.
- Enable user name encryption on all network probes.
For each of your monitored applications, disable user name recognition.
- Go to CAS menu > Monitoring > Devices.
- Select a network probe you need to configure and click Open configuration from its context menu.
- Go to Global > Front-End Monitoring > Web and disable user name recognition rules.
You may also need to repeat similar steps for SAP GUI, Oracle Forms, Citrix ICA, and other decodes you use.
- Alternatively, you can change monitored software services settings individually:
- Go to CAS menu > Monitoring > Software services.
- Choose the software service to modify and go to its monitoring rules.
Examine the lower left table of the configuration screen.
- For each rule, go to the User name recognition tab and edit the rules.
For more information, see HTTP monitoring.
Settings related to smart packet capture
Smart packet capture is a NAM feature designed for deep troubleshooting support. When enabled, it can capture network packet traces with their full content.
Although network and application performance troubleshooting with smart packet capture does not require personal data of the monitored user, network packets captured contain all data exchanged over the network. Personal data may be recorded there.
Smart packet capture works on demand. Packets are captured upon explicit request of a privileged NAM user and within a limited scope (client, server, and time).
- Go to CAS menu > Monitoring > RUM Console.
- Go to Console menu > User groups.
- Verify which groups have the Packet capture user role enabled, and disable it where it's not needed.
For each group:
- Click the Actions button and select Group details from the menu.
- Examine the Roles section of the Group details screen.
For more information, see Smart packet capture.
Unintended data collection
Through improper implementation or configuration, it's possible that a web application may perform unintended data collection. It's the responsibility of each organization to ensure that personal data is captured responsibly.
How Dynatrace provides GDPR compliance
Dynatrace products provide support for GDPR compliance in the following ways:
Right to be informed: Users may want to understand what data about them is collected. All Dynatrace products have query functions that support this, and session results can be exported to formats such as CSV and JSON for analysis. In NAM, the simplest way of finding what data is collected about a specific user is to use the Search function to look for a user name or IP address.
Right to erasure (also known as the right to be forgotten): Users may want their data to be deleted. If NAM is configured to store detailed user data (user name, client IP address), it stores this data for a relatively short retention period (10 days by default). If the user is inactive after this period (either not seen in monitored data or the NAM configuration has been changed to not recognize user names anymore), then user data is automatically removed from the NAM database. GDPR gives data processors 30 days to process each customer request, so you may want to keep the NAM raw data retention period within this limit.
Right to restrict processing: This requirement is supported by NAM only at the global level of user name recognition and client IP aggregation. Although theoretically individual users could be excluded from monitoring by NAM, this would be impractical from the configuration maintenance standpoint.
Right to data portability: Users may want to change platforms and take their data with them. This isn't relevant in Application Performance Monitoring (APM) because NAM data concerning user activity is the property of the data controller. Users have no need to export their click paths and import them into other web applications.
Right to rectification or objection: Users may want to change address information or fix incorrect information. This isn't relevant in APM because NAM data on user activity is read-only transaction recordings. If, for example, a user's name is spelled incorrectly, the error doesn't need to be corrected because the data won't be used for any other purpose in the future.
Data protection: GDPR specifically rules that state-of-the-art mechanisms be implemented to protect personal data. Since NAM relies on industry solutions to store measurement data that may contain pieces of user-identifiable information (such as MSSQL database and Red Hat operating system values), the operators may use appropriate protection such as transparent hard-disk encryption or database encryption.