Email and GDPR compliance

GDPR – four letters greatly misunderstood, but already beginning to deliver sleepless nights for many.

Coming into effect on 25 May 2018, the General Data Protection Regulation contains demanding obligations, with potentially crippling financial penalties for any organisation that breaks the regulations.

These new regulations will deliver increased protection for the rights of individuals through the way their personal data is processed. Anyone who suspects an organisation holds data about them will have the right to know what data is being held, to access it in certain circumstances, and to have it corrected if it is shown to be wrong.

Some business sectors are particularly worried by the new right to restrict certain aspects of data processing and by an individual’s right to object to their personal data being used in direct marketing campaigns.

The focus is largely on the processing and storage of personal data, but it is important not to ignore email security and governance when assessing the compliance requirements. In preparing for the new regulations, email is often overlooked, when in reality nearly all email servers and archives contain a multitude of personal data.

Yes, every archived email

The problem is the definition of personal data, which includes personal email addresses, phone numbers and other data commonly managed for marketing purposes.

The new regulations will therefore require organisations to manage backup and archived copies of emails and the personal data typically contained within them. And this is where some pain will be felt, by those sensible organisations that maintain backups of their data – the new regulations could mean all data relating to an individual must be located and erased.

Reducing the time for which emails are archived could help mitigate the potential burden, but it will be important to find the right details to delete without affecting the remaining emails.

Risk of a data breach

The problems could really start following a data breach, when every individual contained within the email archives might have to be notified that their personal data has been compromised – not just the senders and recipients of individual emails, but potentially everyone included in email chains!

Any such breach could also attract a huge number of requests for personal data to be deleted, which would need a huge amount of administrative work to resolve if the process is not automated. It can be automated, and even small organisations might decide now is the time to address the issue, with plenty of time to get organised before the new regulations come into force.
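The erasure and retention tasks described above (locate every archived message that names a data subject, including people who only appear on the Cc line of a chain, erase those, age out messages past a retention cutoff, and leave everything else untouched) can be automated over an mbox archive with nothing but the Python standard library. The following is an added example written for this page, not Quiss's own tooling; the archive, the addresses and the "today" date are all constructed for the demonstration, and a real deployment would also have to cover backups, mail-server stores and any other copies of the same messages.

```python
"""Automated data-subject erasure and retention trimming over an mbox archive.

Added example, not code from the page or from Quiss. The sample messages,
addresses and the reference date are constructed here for the demonstration.
"""
import email.utils
import mailbox
import os
import tempfile
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# Constructed sample values (assumptions for the demo, not from the page).
DATA_SUBJECT = "alice@example.org"
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # reference "today"


def _make(sender, to, cc, subject, sent_at):
    """Build one constructed message with the headers the search relies on."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = subject
    msg["Date"] = email.utils.format_datetime(sent_at)
    msg.set_content("constructed body text")
    return msg


def build_sample_archive(path):
    """Write a four-message mbox: two touch the data subject (one only via Cc,
    with different letter case), one is unrelated and recent, one is unrelated
    but older than the retention window."""
    box = mailbox.mbox(path)
    box.add(_make(DATA_SUBJECT, "sales@example.com", None,
                  "enquiry", NOW - timedelta(days=10)))
    box.add(_make("bob@example.com", "sales@example.com",
                  "Alice <ALICE@example.org>", "re: thread", NOW - timedelta(days=20)))
    box.add(_make("carol@example.com", "sales@example.com", None,
                  "unrelated", NOW - timedelta(days=30)))
    box.add(_make("dave@example.com", "sales@example.com", None,
                  "stale", NOW - timedelta(days=400)))
    box.flush()
    box.close()


def participants(msg):
    """Every address on the message across all sender/recipient headers,
    lower-cased so that case differences in the archive do not hide a match."""
    raw = [msg.get(h, "") for h in ("From", "To", "Cc", "Bcc", "Reply-To")]
    return {addr.lower() for _, addr in email.utils.getaddresses(raw) if addr}


def message_age_days(msg, now):
    """Age of the message in whole days, treating a naive Date header as UTC."""
    sent = email.utils.parsedate_to_datetime(msg["Date"])
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return (now - sent).days


def erase_subject_and_expired(path, subject_addr, retention_days, now):
    """Remove messages naming the data subject anywhere, and messages older than
    the retention window; leave the rest intact. Returns the counts."""
    box = mailbox.mbox(path)
    counts = {"subject": 0, "expired": 0, "kept": 0}
    to_delete = []
    # Collect keys first; mutating the mailbox while iterating it is unsafe.
    for key, msg in box.items():
        if subject_addr.lower() in participants(msg):
            counts["subject"] += 1
            to_delete.append(key)
        elif message_age_days(msg, now) > retention_days:
            counts["expired"] += 1
            to_delete.append(key)
        else:
            counts["kept"] += 1
    for key in to_delete:
        box.remove(key)
    box.flush()  # rewrites the mbox without the removed messages
    box.close()
    return counts


def demo():
    """Run the whole procedure against the constructed archive in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "archive.mbox")
        build_sample_archive(path)
        return erase_subject_and_expired(path, DATA_SUBJECT, 365, NOW)


if __name__ == "__main__":
    print(demo())  # {'subject': 2, 'expired': 1, 'kept': 1}
```

The search deliberately matches on every address header rather than only From and To, because the individuals who appear only as Cc recipients in a long chain are exactly the ones a manual search tends to miss, and they carry the same notification and erasure obligations as everyone else in the thread.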

At Quiss, we continue to stress the importance of training our clients’ employees to recognise and react to a phishing attack, but strong search and e-discovery capabilities will also help reduce the risk of a crippling workload in the event of a breach.

We do not claim to have all the answers to the combined challenges of GDPR compliance and cyber-crime, but we have a lot of practical solutions that can be tailored to the needs of every organisation, whatever amount of personal data you process or store.
