Imagine you've just sent an important e-mail to the wrong person. Best case scenario, you'll be embarrassed or inconvenienced. Then imagine that stray e-mail contained sensitive personal data about a customer. Now you're dealing with a potentially damaging fallout from a data breach.
Last year the Information Commissioner's Office (ICO) reported a 46% quarterly increase in the number of reported data breach incidents caused by e-mailing the wrong person for April to June 2017, but it's only one of the scenarios that could lead to a breach. From May this year the General Data Protection Regulation (GDPR) changes organisations' obligations when processing, sharing and retaining data. Data is often most vulnerable at the point it is shared, and e-mail remains indispensable as the world's most popular business communication tool.
Every organisation using e-mail to share personal data with external parties should consider what measures are needed to ensure compliance with the GDPR. At the same time as addressing breach risks, such as e-mails sent to the wrong recipient, businesses need tools to retain control of data (even after sharing), and rapidly understand where data is held and how data has been accessed at any time.
As with existing data protection law, GDPR will require organisations to apply appropriate organisational and technical measures to protect data (Article 32). This means you'll need to demonstrate that your organisation has put in place the necessary technology and training to protect shared information.
E-mail encryption is the method recommended by the ICO, but you'll further reduce risk if you can introduce policies that automatically apply encryption to personal data, overriding human error, so that even if an e-mail goes astray the underlying data remains protected.
Under GDPR, data subjects can request that their data be deleted (Article 17) and enforce restrictions on how you process their data (Article 18), and you'll be obliged to ensure that partners in your supply chain comply with these requests if you've shared the applicable data with them (Article 19).
In this context, simply encrypting an e-mail will not guarantee compliance. You need e-mail security tools that can restrict access and processing capabilities, such as downloading and copying, and give you control over data even after you hit send, including the ability to revoke access in the future.
Under the new laws, businesses must notify their national regulator of a data breach, including details of the cause, scale and anticipated impact, within 72 hours if an individual's rights and freedoms have been compromised (Article 33). Similarly, individuals can investigate how their data is being handled and processed by making a subject access request (Article 15). Not only will they be able to find out what personal information the organisation holds about them, they can find out whether any of that personal data is being processed, including whether it is shared with any other organisations.
You'll need the technology to respond to requests and reporting obligations promptly and preferably with minimal administrative overheads. This can be very complex where personal data has been shared with external parties and exists in e-mails in unstructured form. Legacy encryption solutions were not designed with this kind of auditing in mind. Before investing in new systems or procedures to protect data, ensure they provide the capability to track and audit how data is handled and accessed, including encrypted data.
Implementing a secure e-mail solution shows your customers and partners that you take data security seriously. This helps to build confidence and improve satisfaction, both internally and externally.
GDPR presents an opportunity to ensure your organisation handles personal data responsibly and securely, and forward-thinking organisations will recognise that measures taken to protect personal data can also be applied to corporate data such as intellectual property, financial reports, contracts and business strategy documents. Now more than ever, it's important you invest in compliance, but see this as an opportunity to bring in processes and technology that differentiate your organisation's service.
Wouldn't it be great if every e-mail reached the right recipient? Egress have developed technology to help organisations do just that using an Outlook add-in to check and confirm your e-mail recipients. Our government-certified e-mail encryption and secure collaboration solutions provide constant control and visibility of data. Our reporting and analytics system lets you easily search across e-mails and attachments to generate exportable compliance reports in minimal time.
Egress is uniquely placed to help your organisation protect the data you share and ensure you can carry out all compliance functions later. Talk to your Softcat account manager today about preparing for GDPR, or get in touch using the button below.