In may 2018 GDPR will become enforceable.
It will be enforceable from May 25th 2018.
One of the requirements will be the ability of "Right to erasure"
Has Dynatrace any plans for their products to take this into account?
Solved! Go to Solution.
Hi @Alexander S., do you have any more information? May is when the GDPR laws become enforceable, many customers are already running task forces to evaluate their readiness, and dynatrace products fall into the scope. With no idea of time frames it is making situations awkward waiting for this official response and being unable to give any idea around dates.
In addition, it would be useful to know:
We are preparing a blog post about this topic. Below is a draft which is not yet approved.
Companies are using Dynatrace products to monitor performance and quality of their services, e.g. web and mobile applications. By default, personal data of end users is not intended to be tracked but depending on the configuration and the type of application it is possible; Dynatrace products therefore need to be operated in a GDPR compliant way.
GDPR differentiates between data controller and data processor. A company that uses application performance monitoring is a so-called data controller. It must ensure that personally identifiable information (PII) is collected and used in accordance with the law. The data processor, however, must take care that the data is stored in a protected way. In the case of Dynatrace SaaS the data processor is Dynatrace who is hosting the service. In the on-premise case, the data processor most usually is the company itself working with on-premise installations of Dynatrace software. However, the software still needs to support the data processor in fulfilling the GDPR requirements.
Although it should be reduced to a bare minimum, the recording of personal information of individuals is acceptable – it must be proportionate, according to GDPR. A data controller needs to ensure that as few data as necessary are recorded and that they are processed safely. Furthermore, the data controller must adhere to obligations towards natural persons, such as the right to information or the right to forget.
PII in Dynatrace products is, if captured, usually gathered through implementing Real User Monitoring (RUM), a.k.a. User Experience Monitoring (UEM). Besides capturing performance metrics from inside a user’s browser another important use case for having RUM is user complaint resolution, i.e. the ability to identify a user’s session which is including the whole click path. RUM is a provider’s legitimate interest to monitor performance, to provide high quality of their service, and to be able to quickly solve issues in error situations.
But let us have a closer look on what the products are doing exactly:
Real User Monitoring and Log Analytics can capture PII in unplanned situations, too. For example, personal information can be included in a stack trace, in a crash dump or inside an error log. In those situations, the collection of personal data is not planned but an exception, and the purpose solely is to provide high quality services. It is therefore a legitimate interest to collect the data for quality purposes and only use it for exceptional situations (after crashes, or for user complain resolution). Finally, it is also possible that a weird implementation of a web application results in unwanted data collection – a responsibility of a data processor to take care that this does not happen.
GDPR also defines rights for natural persons and Dynatrace products need to support a few use cases therefore:
Data protection is another requirement. GDPR specifically rules that state-of-the-art protection mechanisms need to be implemented. Dynatrace SaaS encrypts all customer data by default and therefore fulfills this requirement as data processor. For the on-premise products Dynatrace Managed and AppMon, it is in the responsibility of its operators to use appropriate protection, e.g. transparent hard disk encryption.