What is GDPR and what does it mean for your business?
The European Union’s General Data Protection Regulation (GDPR) is triggering a sea change in how organisations need to protect personal data, including data held in email and contact databases. Regardless of where your organisation is physically located, you must comply with the GDPR for the personal data of EU residents by 25 May 2018.
Preparing for the new regulation
Because of the volume of changes companies may have to make to their business practices, and the mechanisms they may have to implement to comply with the GDPR, industry leaders in online security are advising companies to start preparing for the regulation now.
By planning an “end-to-end data protection strategy” now, and evaluating the options available to implement it, companies will be in a far stronger compliance position by next year's deadline.
Why data protection and email archiving must be part of the discussion
Organisations typically surround their databases with multiple layers of security, such as firewalls, intrusion detection systems and proper network segmentation, in the hope that attackers will not be able to reach the databases directly. However, as the traditional network perimeter blurs and the number of people with direct access to databases grows, it becomes essential to secure the databases themselves. To shrink the attack surface and reduce the number of paths by which an attacker can reach the data, security should be enforced as close to the data as possible.
One challenge in assessing the risks is deciding what to evaluate, because a database application typically has several entry points: the network, the operating system, the database itself and the application layer. An intruder can exploit a weakness at any of them, and can also target the employees and contractors who use, manage, test and maintain the system.
Organisations also need to consider how their systems are deployed: whether they run in the cloud, whether they depend on legacy applications for which the source code is no longer available, and whether third-party test and development teams, inside or outside the EU, have access to the data.
Data Loss Prevention (DLP) capabilities are needed to help prevent inadvertent data breaches by blocking outgoing email, other messages and file transfers that contain personal data not protected by appropriate safeguards (for example, encryption).
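The outbound check described above, as an added example that is not code from the original page or from any product it describes. It assumes a mail gateway that hands each outgoing message to `check_outbound()` before relay; the detectors (a simplified UK National Insurance number pattern, an explicit date-of-birth phrase, and Luhn-validated payment card numbers), the internal domain `example.com` and the sample messages are constructed for illustration. Mail to internal recipients only is passed through, S/MIME-encrypted mail is treated as already safeguarded, and anything else carrying a hit to an external address is blocked with the findings attached for the reviewer.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

# Detectors for the kinds of personal data this policy covers. Constructed for
# illustration; a production DLP engine would load these from a policy store.
# UK National Insurance number (simplified prefix rules): two letters, six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
# Candidate payment card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A date of birth stated explicitly in the text.
DOB_RE = re.compile(r"\b(?:date of birth|DOB)\s*[:=]\s*\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", re.I)


def luhn_ok(digits):
    """Luhn checksum; rejects digit runs (order or phone numbers) that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    allowed: bool
    reason: str
    findings: list = field(default_factory=list)  # (part, kind, value) triples


def scan_text(text):
    """Return (kind, value) pairs for every piece of personal data found in text."""
    hits = [("nino", m) for m in NINO_RE.findall(text)]
    hits += [("dob", m) for m in DOB_RE.findall(text)]
    for m in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def external_recipients(msg, internal_domain):
    """Addresses in To/Cc/Bcc that are outside the organisation's own domain."""
    pairs = getaddresses(msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("bcc", []))
    return [addr for _, addr in pairs if not addr.lower().endswith("@" + internal_domain.lower())]


def is_protected(msg):
    """S/MIME-encrypted mail counts as safeguarded; the gateway could not read it anyway."""
    return msg.get_content_type() == "application/pkcs7-mime"


def check_outbound(raw, internal_domain="example.com"):
    """Decide whether one outgoing RFC 822 message may leave the network."""
    msg = message_from_string(raw)
    if not external_recipients(msg, internal_domain):
        return Verdict(True, "internal recipients only")
    if is_protected(msg):
        return Verdict(True, "encrypted")
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # binary attachments need a content-extraction step, outside this example
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for kind, value in scan_text(text):
            findings.append((part.get_filename() or "body", kind, value))
    if findings:
        return Verdict(False, "unprotected personal data addressed outside the organisation", findings)
    return Verdict(True, "clean")


# Constructed sample messages for the demonstration (hypothetical addresses and data).
SAMPLE_BLOCKED = """From: hr@example.com
To: recruiter@partner.invalid
Subject: Candidate details
Content-Type: text/plain; charset=utf-8

Please onboard Jane. NI number AB 12 34 56 C, date of birth: 12/03/1985.
Card on file 4111 1111 1111 1111 for expenses.
"""
SAMPLE_INTERNAL = SAMPLE_BLOCKED.replace("recruiter@partner.invalid", "payroll@example.com")
SAMPLE_CLEAN = """From: hr@example.com
To: recruiter@partner.invalid
Subject: Meeting
Content-Type: text/plain; charset=utf-8

Order ref 1234567890123 arrived. See you Tuesday.
"""

if __name__ == "__main__":
    for name, sample in (("blocked", SAMPLE_BLOCKED), ("internal", SAMPLE_INTERNAL), ("clean", SAMPLE_CLEAN)):
        print(name, check_outbound(sample))
```

The Luhn step matters in practice: without it, a thirteen-digit order reference such as the one in the clean sample would be blocked as a card number, and a gateway that cries wolf is soon bypassed.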
Email remains the main form of collaboration in organisations, with the average user receiving over 100 emails per day and sending around 30. These messages and their attachments can be one of the most vulnerable points in the journey of data inside and outside a company’s network.
Secure email archiving mitigates the risk of unauthorised data exposure from outside and inside the company by copying each email as it enters or leaves the mail server and encrypting the copy before storing it in a secure data centre.
If data is shared by email, the archive can be used to track who has received what. That record is needed to respond to specific requests under the regulation, such as a data subject's request for access to the personal data held about them.
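The "who received what" index described above, as an added example that is not code from the original page or from any archiving product. It assumes a journaling hook that hands every message crossing the mail server to `EmailArchive.ingest()`; storage of the message bodies and their encryption at rest are assumed to be handled by the storage layer and are not shown. The class keeps only the metadata needed to answer an access request (sender, recipients, date, subject, attachment names) plus a SHA-256 of the raw message so a copy retrieved later can be checked against what was archived. Duplicate deliveries are ignored, which matters because journaling often produces more than one copy of the same message. The sample messages and addresses are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime


def _addresses(msg, *headers):
    """Lower-cased addresses from the given headers, display names stripped."""
    raw = []
    for h in headers:
        raw += msg.get_all(h, [])
    return sorted({addr.lower() for _, addr in getaddresses(raw) if addr})


class EmailArchive:
    """Append-only index of archived mail, keyed for 'who received what' look-ups."""

    def __init__(self):
        self.records = {}                 # message-id -> metadata record
        self.received = defaultdict(set)  # address -> {message-id} where address was a recipient
        self.sent = defaultdict(set)      # address -> {message-id} where address was the sender

    def ingest(self, raw):
        """Index one raw RFC 822 message as it passes the mail server; returns its record."""
        msg = message_from_string(raw)
        mid = (msg.get("Message-ID") or "").strip()
        if not mid:
            raise ValueError("message without Message-ID cannot be archived reliably")
        if mid in self.records:
            return self.records[mid]  # idempotent: journaling may deliver the same copy twice
        date = msg.get("Date")
        record = {
            "message_id": mid,
            "date": parsedate_to_datetime(date).isoformat() if date else None,
            "subject": msg.get("Subject", ""),
            "from": _addresses(msg, "from"),
            "to": _addresses(msg, "to", "cc", "bcc"),
            "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
            "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        }
        self.records[mid] = record
        for a in record["from"]:
            self.sent[a].add(mid)
        for a in record["to"]:
            self.received[a].add(mid)
        return record

    def verify(self, mid, raw):
        """Confirm that a copy retrieved from storage is the one that was archived."""
        return self.records[mid]["sha256"] == hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def received_by(self, address):
        """Messages delivered to this address, oldest first."""
        ids = self.received[address.lower()]
        return sorted((self.records[m] for m in ids), key=lambda r: r["date"] or "")

    def access_report(self, address):
        """Everything held that names this address as sender or recipient (basis of an access request)."""
        address = address.lower()
        ids = self.sent[address] | self.received[address]
        return sorted((self.records[m] for m in ids), key=lambda r: r["date"] or "")


# Constructed sample messages (hypothetical addresses and content).
MSG1 = """From: Alice <alice@example.com>
To: Bob <bob@partner.invalid>, carol@example.com
Cc: dave@example.com
Date: Mon, 05 Jun 2017 09:15:00 +0000
Message-ID: <m1@example.com>
Subject: Contract draft
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Draft attached.
--b1
Content-Type: application/pdf; name="contract.pdf"
Content-Disposition: attachment; filename="contract.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""
MSG2 = """From: bob@partner.invalid
To: alice@example.com
Date: Tue, 06 Jun 2017 11:00:00 +0000
Message-ID: <m2@partner.invalid>
Subject: Re: Contract draft
Content-Type: text/plain; charset=utf-8

Looks good.
"""

if __name__ == "__main__":
    archive = EmailArchive()
    for m in (MSG1, MSG2, MSG1):
        archive.ingest(m)
    for r in archive.access_report("bob@partner.invalid"):
        print(r["date"], r["message_id"], r["subject"], r["attachments"])
```

Indexing on the raw copy taken at the mail server, rather than on users' mailboxes, is what makes the record trustworthy: a user can delete or edit a mailbox copy, but cannot alter what the archive hashed at the time of transit.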
What can you do to ensure your business complies?
To comply with the GDPR, businesses will have to review their existing systems for collecting, storing and processing personal data to ensure it remains secure at all times. Risk assessments should be conducted, security measures implemented where necessary, and policies introduced to support new working practices and any new technology.
Companies whose core activities are data collection, storage or processing should look to:
- Establish a strong security strategy for personal and business data
- Assess deployed security policies and privilege grants
- Prevent inappropriate access to sensitive data
- Detect suspicious behaviours
- Protect data from the inside out, at the data layer as well as at the perimeter
How you can leverage GDPR as a competitive advantage
Regardless of the industry sector your business operates in, it is likely to be impacted to some degree by GDPR.
We can turn the challenge into an opportunity, with solutions that give you the specific security, privacy and protection measures needed to comply with GDPR, making your operations more agile and your organisation more competitive.
Find out more about the measures your company may have to take to become GDPR compliant by contacting us and speaking with one of our IT experts.