In less than 12 months the EU-wide General Data Protection Regulation (GDPR) comes into force. Organizations around the globe will need to introduce privacy policies and security controls to protect the personal data of individuals in the EU, wherever that data is processed. New GDPR accountability obligations, stronger data-subject rights, and storage-limitation requirements mean that organizations must change the way they manage and hold personal data.
Much of the attention (and FUD) has been on the eye-watering fines for GDPR non-compliance, distracting from a less obvious risk: the personal and sensitive data sitting in corporate email systems, archives and back-up tapes, which can be just as costly if it is compromised.
GDPR Subject Access Requests (SARs) represent a real, pressing and practical issue for virtually every organization that holds GDPR-governed data. Responding to a SAR requires the ability to quickly find, and then isolate, all personal data relating to the "data subject" across multiple information stores, without undue delay and in any event within one month (extendable by a further two months where requests are complex or numerous). The related right to erasure means that, on a valid request, the same data may also have to be deleted. For most organizations it is close to impossible to locate and remove a single individual's personal data from every storage platform, and doing so can also be very expensive (particularly for back-up tapes).
Merely moving physical storage media and back-up tapes to cloud storage is not the answer; the problem is locating and isolating the data, not where it sits. Organizations need an email archive strategy that supports the critical GDPR requirements: fine-grained control and powerful search to rapidly find, isolate and retrieve personal data, and the option to remove it, in line with an access or erasure request.
To maintain GDPR accountability when reporting on, and deleting, personal data on request, the email infrastructure needs to combine fast search with e-discovery capabilities. Robust case management tools that simplify early case assessment, application of legal holds, retention adjustments and export will also speed up the processing of such requests.
Remember that the guidance above addresses compliance issues specific to email. Managing GDPR compliance as a whole requires a business-wide transformation of privacy and governance operations wherever personal data is stored or processed, including customer records, databases, CRM systems and ERP platforms.
Avoiding GDPR penalties will require secure and tightly controlled email servers and archives. The countdown to compliance has begun.