Imagine for a moment that you are the “rockstar” IT director of a Top 100 firm. You’ve just presented your 2017 plan to the board for major IT initiatives, which include a plan to support General Data Protection Regulation (GDPR) compliance. The presentation goes well, and you’re invited to stay and chat during the break.
Just as you’re about to walk to the coffee machine, a new board member comes up to you, thoughtfully sipping tea, saying: “Good presentation!” Before you can say thanks, she says: “You know, there are some things around GDPR which really worry me” - “What business value does GDPR offer us? With data in so many places, can we possibly get a quick win on GDPR risk mitigation? Is there a way to reduce the risk of data breaches for which we could be fined millions?”
As you listen attentively to the questions, your mind races as you think about the noise, alarm and scare-mongering of how organizations will be impacted by the GDPR. Phrases such as “fines of 20 million euro or 4% of global turnover”, and gloomy headlines like “Could new data protection rules mean the end of SMEs” have driven much of the concern and anxiety about the damage to a business’s reputation, impact on its share price or costs associated with GDPR. From her questions, it was clear that this new board member took these scare tactics to heart.
Being the “rockstar” IT Director you respond enthusiastically saying the senior executives and the board have been proactive in supporting the preparation and response to the GDPR. You talk unreservedly about how the GDPR can help the company become more efficient in the way they manage, process and protect personal data. It could also help them use data more profitably for their own ends, allowing them to become more competitive. Especially, if the business is intent on ‘transforming’ for a digital data-driven age, GDPR can form the foundation of that effort.
Time is of the essence
You agree with the board member that the business does need a quick win for implementing appropriate security and data protection measures for personal and sensitive data, as 25th May 2018 is not too far off. However, you explain that the process can be complex and challenging given the huge amounts of personal data such as email addresses, names, phone numbers, credit card details, and other sensitive information that may be stored across multiple data repositories, either onsite or in the cloud.
As the conversation progresses, more board members join the impromptu discussion around the coffee machine. You mention that you already have a plan for a “quick win” which will help in mitigating GDPR risk. You explain that almost every day we hear or read about losses of personal data, whether it’s a malicious attack or an accidental loss, or emails being compromised. You state a well-known fact that 91% of cyberattacks start with a phishing email – something which the board members find unpalatable. This is when you mention that it’s no wonder one of the GDPR measures gaining traction with IT managers is implementing appropriate advanced email security protection.
Now all eyes are focussed on you, and being the IT rockstar that you are, you stress that the business should use GDPR as an opportunity to get a firmer grip on continually evolving email threats. You describe how easily it can be done by putting into place measures which include multi-layered threat protection to defend against spear-phishing, ransomware, impersonation and other targeted email attacks.
You enlighten the board further on the new rights for individuals, which limit the personal data organizations are able to collect and store under the GDPR. You clarify how the business can use powerful cloud based archives to provide rapid search capabilities to find, remove or transfer personal or sensitive data. You also make it clear that these solutions ensure uninterrupted access to live and historic email data in the event of a sudden email outage or planned downtime.
Like any “IT rockstar”, you end on a positive note commending the board on their awareness of GDPR and growing cyber security risks. The new board member should feel confident knowing that, at the very least her concerns around a cyber resilient GDPR strategy are being addressed.
Find out how Mimecast helps to simplify GDPR compliance by visiting the Mimecast GDPR for email resources page.