GDPR Data and Irregular Behavior Detection

Protecting against malicious outsider attacks is the most significant focus for cybersecurity teams, but it’s critical not to overlook or underestimate the threat from those who already have the access. Ex-employees are responsible for 13% of cybersecurity incidents, and human error is often blamed for many data breaches. 

In 2020, organizations spent a mighty £2.9m recovering from security incidents. This vast sum (that should rather have been showing under ‘profits’ on the balance sheet) only reinforces the truth about cybersecurity: it’s not if a breach happens, but when. 

Now we can see why that recovery figure is so high. Employees, contractors, and third parties having direct access to sensitive data means that there is often no trace of their actions, malicious or not, making it harder to learn from or detect. The financial and opportunity costs to remediate an internal breach are significant, from reappointing or finding new resources to fix it to the genuine effects to the bottom line and productivity. Interestingly, as learned from the 2018 Morrisons case, if an employee data breach occurs by an individual, it’s the organization that’ll be vicariously liable – not the disgruntled ex-employee seeking revenge. 

In order to protect your business and gain a better understanding of what constitutes normal and abnormal behavior, an Irregular Behaviour Detection (IBD) service is essential and proactive.

Baselining: Defining normal behavior

Forming a baseline serves as a reference point for regular IT activities and behaviors, making it easier for anomalies that could be security threats to be identified. Baselining should include everything within an IT environment, think users, traffic, devices, and application access patterns. 

When determining your baseline, context is vital for a faster and more accurate analysis of irregular behavior. Using the terms of likelihood is a good place to start – if it happens regularly, it’s less likely to be a threat – but remember, there can be caveats to this too.

Irregular behaviour

With a complex and contextual baseline, irregular behavior is easier to spot. Some examples of irregular user behavior are: 

  • Downloading harmful files 
  • Visiting HTTP instead of HTTPS sites, or unauthorized websites
  • Plugging unauthorized USB storage devices into corporate devices 
  • Connecting to unsecured or open wifi networks 
  • Accessing networks or applications outside business hours or days 

These all sound like obvious red flags, but having the right tools to spot these behaviors as irregular and then taking action quickly, is the only way to stay protected against these easily missed behaviors.

GDPR and security monitoring

So, you might be wondering how GDPR compliant all this data monitoring is, and the good news is that GDPR requires it. Security monitoring is an essential part of protecting data from breaches and attacks when it comes to the compliance standard, meaning this data processing doesn’t need explicit permission from the user. This said, GDPR still requires that monitoring data is only used for the purpose it was collected and, of course, shouldn’t violate privacy regulations. 

One solution to help with this is anonymized data, which will still provide visibility into irregular behavior and flag any breaches. IBD solutions with privacy-friendly insider risk using pre-build data minimization techniques ticks this box.  

If the actions themselves are anomalous, the data can be escalated to a Data Privacy Officer to be unmasked and investigated. If it’s found that the data has been breached or compromised, GDPR requires notification to the Data Protection Authority within 72 hours. 

How irregular behavior detection helps with GDPR compliance

As mentioned, security monitoring is required by GDPR; therefore, IBD, in fact, works towards being compliant. ENHALO’s Continuous Irregular Behaviour Detection (CIBD) service ensures that GDPR compliance is maintained while fulfilling its sole purpose of detecting and acting on irregular user behavior. 

Robust IBD solutions will have continuous monitoring to provide complete visibility into user behavior and highlight any blind spots. It should also automatically provide prompts for irregular behavior and take real-time actions such as endpoint isolation, lockdown, or user prompts, bringing the entire security process full circle. ENHALO’s CIBD goes even further by training employees on the organization’s Information Security and Acceptable Use policies, ticking off another block towards GDPR compliance and user protection. 

Other elements in the IBD solution that are incredibly useful and make for more thorough cybersecurity protection include: 

  • Monitoring individual user profiles, which are certified by the National Insider Threat Task Force (NITTF).
  • Machine learning that monitors user behavior to the extent of keyboard typing patterns, unusual network usage, and excessive printing.
  • Powerful out-of-the-box policies that detect sensitive content sent or received via email, copied between applications, or even transferred over video conferencing or USB. 

And of course, when it comes to IBD remaining human-centric on security, data leakage and insider threat protection is a must. After all, this is why it is all in place – we are not dealing with bots in this instance. 

Staying GDPR compliant

While IBD works towards GDPR compliance, the IBD solution must maintain data protection during security monitoring. In other words, it needs to go both ways. 

Thoroughly documenting your monitoring policies and the processing activity is one way to stay compliant and should include:

  • The purpose of the processing 
  • The categories of the data subjects and personal data being processed
  • The categories of those who have access to this data 

Using role-based access control (RBAC) should already be second nature in your organization, so implementing it here should be an instinctual force of habit. Using the least privileged approach ensures that those with the highest levels of access are carefully monitored too. 

As we all know, GDPR requires that any security incidents relating to personal data be reported to the Privacy Officer and documented. This remains the same for your IBD process and its findings.

ENHALO’s IBD will keep your organization safe from internal risk while seamlessly ensuring that GDPR compliance is met. 

Supply Chain Threat Detection

Cyber criminals have upped their game, so should you. We never underestimate or ignore your supply chain's security threats.

Security Operations Center

Financial losses, intellectual property theft, and reputational damage due to security breaches can be prevented.

SOC Assurance Service

Despite a mature Security Operations Center, you're still under threat. Our SOC Assurance mitigates the risk of unnoticed breaches.

Emergency Cyber Response

Regain immediate control, contain the damage, and eradicate the threat. Your bullet-proof, SOS rapid response.

Agentless Network Segmentation

Rely less on vulnerability management and rest assured that the threat won’t spread across your network.

Cyber Risk Assessment

Understand how vulnerable you are. We identify your threat sources and calculate your risks – likelihood and impact.

Endpoint Detection and Response

This solution is for customers that do not have extensive security budgets or staffing to implement and monitor an endpoint security solution.

Irregular Behavior Detection

Companies focus heavily on malicious outsider mitigation, while the biggest threat lies with those who already have access.

Penetration Testing Services

A penetration test is arguably the most important part of any cybersecurity journey, it tests an organization’s ‘final line of defense’ against attackers.

Security Awareness Training & Testing

With cybersecurity awareness training, the risk of human error can be reduced, turning human error into a human firewall.


360 Security
Must Know Cyber
Security Services



Cyber Security Services

Supply Chain Thread Detection
Security Operations Center
SOC Assurance Service
Emergency Cyber Response
Agentless Network Segmentation
Cyber Risk Assessment

Supporting Cyber Security Services

Endpoint Detection and Response
Irregular Behavior Detection
Penetration Testing
Security Awareness Training and Testing

Related Posts

Cyberattack Emergency

Are you experiencing an active cyberattack?

Get rapid response.

Call ENHALO’s International SOS no:
For Other Inquiries: