April 11, 2017
Imagine for a moment that you are the “rockstar” IT director of a Top 100 firm. You’ve just presented your 2017 plan to the board for major IT initiatives, which include a plan to support General Data Protection Regulation (GDPR) compliance. The presentation goes well, and you’re invited to stay and chat during the break.
Just as you’re about to walk to the coffee machine, a new board member comes up to you, thoughtfully sipping tea, and says: “Good presentation!” Before you can say thanks, she continues: “You know, there are some things around GDPR which really worry me. What business value does GDPR offer us? With data in so many places, can we possibly get a quick win on GDPR risk mitigation? Is there a way to reduce the risk of data breaches for which we could be fined millions?”
As you listen attentively to the questions, your mind races as you think about the noise, alarm and scare-mongering about how organizations will be impacted by the GDPR. Phrases such as “fines of 20 million euro or 4% of global turnover”, and gloomy headlines like “Could new data protection rules mean the end of SMEs?”, have driven much of the concern and anxiety about the damage to a business’s reputation, the impact on its share price or the costs associated with GDPR. From her questions, it is clear that this new board member has taken these scare tactics to heart.
Being the “rockstar” IT Director, you respond enthusiastically, saying that the senior executives and the board have been proactive in supporting the preparation and response to the GDPR. You talk unreservedly about how the GDPR can help the company become more efficient in the way it manages, processes and protects personal data. It could also help the company use data more profitably for its own ends, allowing it to become more competitive. Especially if the business is intent on ‘transforming’ for a digital, data-driven age, GDPR can form the foundation of that effort.
Time is of the essence
You agree with the board member that the business does need a quick win for implementing appropriate security and data protection measures for personal and sensitive data, as 25th May 2018 is not too far off. However, you explain that the process can be complex and challenging given the huge amounts of personal data such as email addresses, names, phone numbers, credit card details, and other sensitive information that may be stored across multiple data repositories, either onsite or in the cloud.
As the conversation progresses, more board members join the impromptu discussion around the coffee machine. You mention that you already have a plan for a “quick win” which will help mitigate GDPR risk. You explain that almost every day we hear or read about losses of personal data, whether through a malicious attack, an accidental loss, or compromised email accounts. You state the well-known figure that 91% of cyberattacks start with a phishing email, something the board members find unpalatable. This is when you mention that it’s no wonder one of the GDPR measures gaining traction with IT managers is implementing appropriate advanced email security protection.
Now all eyes are focussed on you, and being the IT rockstar that you are, you stress that the business should use GDPR as an opportunity to get a firmer grip on continually evolving email threats. You describe how easily it can be done by putting into place measures which include multi-layered threat protection to defend against spear-phishing, ransomware, impersonation and other targeted email attacks.
You enlighten the board further on the new rights for individuals, which limit the personal data organizations are able to collect and store under the GDPR. You clarify how the business can use powerful cloud-based archives that provide rapid search capabilities to find, remove or transfer personal or sensitive data. You also make it clear that these solutions ensure uninterrupted access to live and historic email data in the event of a sudden email outage or planned downtime.
Like any “IT rockstar”, you end on a positive note, commending the board on their awareness of GDPR and growing cyber security risks. The new board member should feel confident knowing that, at the very least, her concerns around a cyber-resilient GDPR strategy are being addressed.
Find out how Mimecast helps to simplify GDPR compliance by visiting the Mimecast GDPR for email resources page.
February 22, 2017
Crippling financial penalties and strict new privacy rules have grabbed most of the EU General Data Protection Regulation (GDPR) headlines so far. This is no surprise, given the sweeping nature of the regulation, but ahead of the May 2018 implementation date, it’s important to look at some of the more detailed compliance requirements, especially for email.
A key tenet of the GDPR, that organizations must respond in a timely manner to Subject Access Requests (SARs), inquiries from EU residents about the location and processing of their personal data, as well as to requests that it be erased, will likely force a sea change in how organizations manage all data, personal or otherwise.
In the meantime, little’s been said about the challenges of overhauling privacy in the current era of phishing and ransomware. The two developments – growing regulatory burdens and the increasingly volatile threat landscape – put organizations in a double bind. The GDPR emerged in part as a response to the growing cybercrime threat, yet its directives to retool organizational policies, processes and structures stand to compound the burdens of well-intentioned organizations.
To manage the dual risks of GDPR compliance and cybercrime, you need to focus on email security and governance. Here are some guidelines for formulating such a strategy:
Review your email infrastructure
Over 90 percent of cybercrime exploits begin with a phishing email, making email the single biggest threat vector to organizations and the data they manage. Furthermore, not only are emails a common vehicle for sharing and exchanging personal data, but email servers are also prime repositories for such data as names, email addresses and associated contact information.
Managing GDPR risk starts with securing your data and infrastructure against the litany of email threats mentioned above.
Implement strong search and e-discovery
To meet GDPR mandates for reporting on and deleting personal data upon request, your email infrastructure needs to streamline search and e-discovery. A robust complement of case management tools, including early case assessment, search and saved search, legal hold application, retention adjustments, and export, will also expedite your ability to respond effectively to requests.
Educate and inform your mailbox holders
One careless click can undermine even the most capable security or governance infrastructure. This is what makes social engineering exploits such as phishing and impersonation attacks so devastatingly effective. A well-informed workforce is an essential component of an effective GDPR compliance strategy. Every user in your domain must be vigilant against the onslaught of email-based attacks, and must play a vital role in notifying your Data Protection Officer (DPO) of any suspected privacy breaches.
Bear in mind that the guidance above addresses compliance issues related specifically to email. To manage GDPR, you’ll need to transform your privacy and governance operations wherever personal data is stored or processed: customer records, databases, CRM systems, ERP platforms, and so on. But chances are good you’ve already considered these repositories; it’s email that’s often overlooked in the compliance conversation. In reality, nearly all email servers and archives contain personal data.
No matter where your organization is based, if you manage or process personal data associated with EU residents, you will be impacted by the GDPR. Managing against GDPR penalties involves securing and tightly controlling your email servers and archives. The countdown to prepare has begun.
To help inform your journey to GDPR compliance, download the Osterman Research White Paper, GDPR Compliance and its Impact on Security and Data Protection Programs.