The General Data Protection Regulation (GDPR) is a new law in the European Union (EU), set to come into force in May 2018. It will protect the rights of EU citizens in respect of their personal data. Any organization operating in the EU is required to comply with the new legislation.
The European Commission defines personal data as: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.
According to section 2 of the GDPR, organizations operating in the EU must: “protect personal data against accidental or unlawful destruction or accidental loss to prevent any unlawful forms of processing, in particular, any unauthorised disclosure, dissemination or access, or alteration of personal data.”
Essentially, GDPR deals with the data your organization collects, how you tell people what you are going to do with it, what you actually do with it, how you store it securely, whom you allow to access it, and what happens if you fail to comply with the Regulation.
If your organization is based outside of the EU, one of the most significant aspects of the GDPR is that it brings global applicability. Whereas the previous data protection directive applied to organizations based in one or more EU Member States, the new Regulation applies to any organization – regardless of location – that controls or processes data on individuals in the EU.
The bottom line: if your organization controls or processes data on living people in the EU, it must comply with the data protection provisions of the GDPR, even if you don’t have a physical presence in the EU.
Failure to comply with these obligations can attract penalties of up to €20 million or 4% of your global annual turnover, whichever is greater, for serious offences, and €10 million or 2% of your global annual turnover for less serious ones.
Applied to the large American credit rating agency that was hacked last year, these penalties would have amounted to a fine between US$62.9 million and US$125.8 million, based on operating revenue of US$3.145 billion for the fiscal year 2016.
What does the GDPR mean for email security?
Just about every communication and collaboration technology will be affected by the GDPR: email, cloud storage, managed file transfer, archiving, printing, scanning solutions, etc. However, email is especially prone to violations of the GDPR because it remains a primary business communication tool, is widely used for sharing and storing personal data, and is still the primary threat vector for cyber attacks and data breaches.
In the context of the GDPR, the term “data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
When an employee’s laptop or mobile device is lost or stolen and contains unencrypted personal data in the form of emails and attachments, your organization may be deemed to have suffered a data breach under the GDPR. Similarly, the confiscation of devices by foreign authorities at border crossings, the destruction of equipment using insecure disposal services, and malicious denial of service (DoS) attacks aimed at accessing your organization’s data all constitute data breaches.
In the event of a data breach, controllers must notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and data processors must inform the data controller “without undue delay” after becoming aware of a breach.
The GDPR defines:
- “Controller” as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- “Processor” as any entity that processes personal data under the controller’s instructions, e.g., many service providers are processors.
Securing emails that contain sensitive personal data, such as credit card data, social insurance numbers, health reference numbers and other types of personal data that might inadvertently land in the wrong hands, should always be your company’s top priority. However, new legislation like the GDPR and DFARS, together with the associated penalties, is putting a price on data security that makes it even more crucial.
Messageware’s attachment security solutions (AttachView) prevent exposure from the data leakage that could occur when viewing attachments in Microsoft Exchange OWA/Outlook on the Web. AttachView ensures that no attached files are inadvertently left on a computer or a mobile device.
AttachView offers a preventative approach to securing Microsoft Exchange OWA/Outlook on the Web by:
- Preventing data exposure that could occur when email attachments are transferred to devices outside the control of the organization.
- Ensuring that email and attachments are never stored on laptops or mobile devices and therefore present no data risk if a device is lost, stolen or confiscated.
- Giving Exchange administrators the ability to customize security settings at a granular level based on users, groups, IP addresses, and corporate devices.
- Controlling a user’s ability to Open/View/Print an attachment.
- Enforcing security policies and reminding users of the need for care in handling attachments with save confirmation.
With the GDPR approaching, critical legislated changes are coming for IT managers at every company located in the EU or doing business in the EU. As these changes come into effect, the way personal data is stored and protected will have to change, and every organization dealing with EU citizens’ data will need an advanced email security solution to maximize its confidence in GDPR compliance, averting the fines and loss of reputation that come from data breaches.