NAM and General Data Protection Regulations

The General Data Protection Regulation (GDPR) goes into effect in the European Union (EU) on May 25, 2018. GDPR improves data protection for EU citizens by letting Dynatrace users control their personal data within social networks and in the cloud.

GDPR rights for EU citizens

GDPR defines the following rights for EU citizens:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to object
  • Right to erasure ("the right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Rights regarding automated decision-making and/or profiling

Companies use Dynatrace products to monitor the performance and quality of services such as web and mobile applications. Dynatrace doesn't, by default, track personal data, but such tracking is possible depending on individual environment configurations and the applications that they are monitoring. For these reasons, Dynatrace is and must be GDPR compliant.

Data controllers and data processors

GDPR differentiates between data controllers and data processors.

  • A data controller determines the purposes and means of the processing of personal data. Such companies, including those that use application performance monitoring, must ensure that personal data is collected and used in accordance with regulations.
  • A data processor processes personal data on behalf of a data controller. Dynatrace, for example, processes personal data for its customers in the course of providing application performance monitoring. Data processors must ensure that stored personal data is protected.

NAM and personal data

The recording of personal data is acceptable under GDPR as long as the data collection is proportionate. A data controller must:

  • Record minimal personal data and process it safely.
  • Adhere to obligations that ensure rights, such as the right to be informed and the right to be forgotten.
    When Dynatrace products capture personal data, it's typically through the use of Real User Monitoring (RUM), also known as User Experience Monitoring (UEM), and through the network data analysis that is an underpinning technology. For more information, see Dynatrace compliance with General Data Protection Regulations for EU citizens

Dynatrace NAM captures performance metrics from the network by sniffing wire data traffic. NAM offers the ability to identify and track each client IP address and optionally look into the user session, including URLs accessed and user name submitted. This information is needed to monitor performance, provide high-quality service monitoring, and quickly resolve issues when problems are detected.

What NAM does with personal data

  • NAM mainly captures a client IP address as required for network performance management. NAM can be configured to capture URLs, user names, and other personal data to provide better detail about user sessions that experience performance problems.
  • NAM tracks user activity over the network, but it doesn't record or track personal data such as birth dates, social security numbers, credit card numbers, pictures, and social preferences (unless explicitly configured to do so). This is because Dynatrace products are focused on clicks, response times, and service communication, not specific input values.
  • Collected data ages out and is automatically deleted over time, typically within a few weeks, so the EU citizen's right to erasure is handled by default.

NAM settings that comply with GDPR

Customers are required to be transparent with their users and inform them of the ways in which they collect and use their users' information (typically by way of a Privacy Notice). Where customers engage any third parties to collect information about their users on their behalf (such as Dynatrace), whether for the purposes of application and behavioral analytics or otherwise, this should be made transparent in its Privacy Notice.

We, therefore, recommend that customers review and update their Privacy Notices before using our products and services. If customers wish to explain more about what Dynatrace is and what information we collect, customers may refer users to our Privacy Policy. Note that we are currently reviewing and updating our Privacy Policy for the purposes of our own compliance with GDPR.

Dynatrace additionally recommends the following NAM settings (assuming these settings aren't superseded by other legal requirements faced by your organization):

NAM has features that allow you to record and track client IP addresses and user names. Depending on your NAM report server setup, NAM can:

  • Track and record each client IP address separately
  • Track IP addresses from selected ranges
  • Track users with defined user names

While these features are desired for most deployments, you may have to reconfigure their settings in order to comply with GDPR.

For more information, see CAS Configuration.

When the AMD analyzes the HTTP request/response body information, it has insight into sensitive data, but this data is not recorded unless you intentionally configure the AMD to do so. If the recording is necessary (for example, it is needed for HTTP request body content analysis), recorded data can be irreversibly masked.

This global option affects data generation for all HTTP-based services and takes precedence over them. Clearing this option here will cause no such data generated for any HTTP services, even if data generation is enabled for an individual user-defined service.

If the AMD is configured to write header data to disk, header data is stored in /var/spool/adlex/rtm/headerdata_* files. Header data includes:

  • Request header
  • Request parameters (from URL)
  • POST data
  • POST data (raw)
  • Request cookie in the HTTP request section
  • Response header
  • Response cookie in HTTP response section

For more information, see Sequenced Transactions and Header Data, Configuring URL monitoring and Regular expression fundamentals.

For each of the monitored services (software services in the NAM configuration), you may choose to either not capture user names at all or to pseudonimyze user names captured and to grant access to reveal user name only to selected administrators.

NAM 2018

For more information, see HTTP monitoring.

Smart packet capture is a NAM feature designed for deep troubleshooting support. When enabled, it can capture network packet traces with their full content.

Although network and application performance troubleshooting with smart packet capture does not require personal data of the monitored user, network packets captured contain all data exchanged over the network. Personal data may be recorded there.

Smart packet capture works on demand. Packets are captured upon explicit request of a privileged NAM user and within a limited scope (client, server, and time).

To control user group access to smart packet capture:

  1. On the NAM Console navigation menu, select Security > User groups.
  2. Verify which groups have the Packet capture user role enabled and disable it where it's not needed.
    For each group:
    1. Click the Actions button and select Edit.
    2. Under Roles, clear Packet capture user for groups where it's not needed. (If some people in the group need it, you may need to assign the role to them individually or create a smaller group only for people who definitely need that role.)
    3. Save your changes.

For more information, see Smart packet capture

Unintended data collection

Through improper implementation or configuration, it's possible that a web application may perform unintended data collection. It's the responsibility of each organization to ensure that personal data is captured responsibly.

How Dynatrace provides GDPR compliance

Dynatrace products provide support for GDPR compliance in the following ways:

  • Right to be informed: Users may want to understand what data about them is collected. All Dynatrace products have query functions that support this, and session results can be exported to formats such as CSV and JSON for analysis. In NAM, the simplest way of finding what data is collected about a specific user is to use the Search function to look for a user name or IP address.

  • Right to erasure (also known as the right to be forgotten): Users may want their data to be deleted. If NAM is configured to store detailed user data (user name, client IP address), it stores this data for a relatively low retention period (10 days by default). If the user is inactive after this period (either not seen in monitored data or the NAM configuration has been changed to not recognize user names anymore), then user data is automatically removed from the NAM database. GDPR gives data processors 30 days to process each customer request, so you may want to keep the NAM raw data retention period within this limit.

  • Right to restrict processing: This requirement is supported by NAM only at the global level of user name recognition and client IP aggregation. Although theoretically individual users could be excluded from monitoring by NAM, this would be impractical from the configuration maintenance standpoint.

  • Right to data portability: Users may want to change platforms and take their data with them. This isn't relevant in Application Performance Monitoring (APM) because NAM data concerning user activity is the property of the data controller. Users have no need to export their click paths and import them into other web applications.

  • Right to rectification or objection: Users may want to change address information or fix incorrect information. This isn't relevant in APM because NAM data on user activity is read-only transaction recordings. If, for example, a user's name is spelled incorrectly, the error doesn't need to be corrected because the data won't be used for any other purpose in the future.

  • Data protection: GDPR specifically rules that state-of-the-art mechanisms be implemented to protect personal data. Since NAM relies on industry solutions to store measurement data that may contain pieces of user-identifiable information (such as MSSQL database and Red Hat operating system values), the operators may use appropriate protection such as transparent hard-disk encryption or database encryption.