We are preparing a blog post about this topic. Below is a draft which is not yet approved.

Regards, Thomas

----

Companies are using Dynatrace products to monitor performance and quality of their services, e.g. web and mobile applications. By default, personal data of end users is not intended to be tracked but depending on the configuration and the type of application it is possible; Dynatrace products therefore need to be operated in a GDPR compliant way.

GDPR differentiates between data controller and data processor. A company that uses application performance monitoring is a so-called data controller. It must ensure that personally identifiable information (PII) is collected and used in accordance with the law. The data processor, however, must take care that the data is stored in a protected way. In the case of Dynatrace SaaS the data processor is Dynatrace who is hosting the service. In the on-premise case, the data processor most usually is the company itself working with on-premise installations of Dynatrace software. However, the software still needs to support the data processor in fulfilling the GDPR requirements.

Although it should be reduced to a bare minimum, the recording of personal information of individuals is acceptable – it must be proportionate, according to GDPR. A data controller needs to ensure that as few data as necessary are recorded and that they are processed safely. Furthermore, the data controller must adhere to obligations towards natural persons, such as the right to information or the right to forget.

PII in Dynatrace products is, if captured, usually gathered through implementing Real User Monitoring (RUM), a.k.a. User Experience Monitoring (UEM). Besides capturing performance metrics from inside a user’s browser another important use case for having RUM is user complaint resolution, i.e. the ability to identify a user’s session which is including the whole click path. RUM is a provider’s legitimate interest to monitor performance, to provide high quality of their service, and to be able to quickly solve issues in error situations.

But let us have a closer look on what the products are doing exactly:

• Real User Monitoring mainly captures URLs and IP addresses which is required for performance management. If configured it can capture user names, user ID’s or other personal data, too, to provide better details about user sessions with performance problems.
• It is also able to track click paths, but hardly birth dates, social security numbers, credit card numbers, pictures, social preferences and so on. The reason is that Dynatrace products are not storing form contents, but the clicks and response times to them.
• Data is aging and will be deleted over time, typically this happens within a few weeks. Therefore the user’s “right to erasure” is available by default.

It is very important to understand that GDPR requires to notify end users about storing their data. This can be achieved by extending the cookie policy which are used world-wide today. If the end user accepts, RUM can be actively called to monitor a user’s session. Additionally, Dynatrace recommends the following RUM settings – if not superseded by other Legal requirements like compliance:

• Turn on user IP address masking. German courts decided that IP addresses of users can be tracked down to identify a user, and therefore IP addresses are considered PII. IP address masking will make geographic accuracy less, but it still can be used for statistical analysis.
• Turn on the "respect do not track" option. This will allow users to opt-out if they do not wish to be tracked.
• Handle user tagging responsibly. Each actively defined user tag potentially collects PII information and only the bare minimum of PII should be gathered. The option for “user action name masking” helps you to anonymize HTML elements which may potentially contain PII information.

Real User Monitoring and Log Analytics can capture PII in unplanned situations, too. For example, personal information can be included in a stack trace, in a crash dump or inside an error log. In those situations, the collection of personal data is not planned but an exception, and the purpose solely is to provide high quality services. It is therefore a legitimate interest to collect the data for quality purposes and only use it for exceptional situations (after crashes, or for user complain resolution). Finally, it is also possible that a weird implementation of a web application results in unwanted data collection – a responsibility of a data processor to take care that this does not happen.

GDPR also defines rights for natural persons and Dynatrace products need to support a few use cases therefore:

• Right to be informed: End users may want to understand which information is collected about them. Dynatrace products have query functions and the session results can be exported, e.g. in a JSON format.
• Right for erasure (a.k.a. right to forget): End users may want that their data gets deleted. This feature is currently not available but Dynatrace will provide it in due time. However, the session data has a relatively low retention time and GDPR gives data processors 30 days to process a customer’s request.
  
  
  
  • For Dynatrace SaaS the retention time is 35 days only.
  • In AppMon the retention time can be defined to be a maximum of 30 days.
• Right to restrict processing: This is supported with the “do not track” option in the browser and with the requirement to accept the RUM tracking before it is injected into the user’s session.
• Right to data portability: End users may want to use change the platform and take their data with them. This is not available in an APM context, because RUM sessions are property of the data processor. An end user has no need to export his click path and import it in another web application.
• Right to rectification or objection: End users may want to fix typos, change address information and or fix wrong input. This is not available in an APM context, because RUM sessions are read-only transaction recordings. If, for instance, a user’s name is wrong it does not need to be corrected because it is not used for any other purpose.

Data protection is another requirement. GDPR specifically rules that state-of-the-art protection mechanisms need to be implemented. Dynatrace SaaS encrypts all customer data by default and therefore fulfills this requirement as data processor. For the on-premise products Dynatrace Managed and AppMon, it is in the responsibility of its operators to use appropriate protection, e.g. transparent hard disk encryption.