The arrival of GDPR is set to impact on many aspects of commercial operation, not least email. But what about old emails that are stored or archived?
We spoke to Marc French, chief trust officer at cloud email specialist Mimecast to find out more about GDPR and an aspect that organizations may have overlooked.
BN: How does email archiving factor into GDPR risk management strategy?
MF: Emails often contain personal data -- and that means organizations must manage backup and archived copies of them with rigor. In May 2018 when GDPR goes into effect, organizations must be able to access emails -- both current and historical -- quickly. When planning for these cases, deleted and archived emails (which typically aren’t very easy to find) are often overlooked.
However, today's archiving systems aren't going to pass muster. Most are outdated, slow moving and not very user-friendly. Relying on first pass review isn't going to cut it. Recent Vanson Bourne global research found 56 percent of respondents experience slow search performance, with 50 percent claiming archive searches can take up to five minutes. Of that, 20 percent say they spend more than 10 minutes conducting searches. In today's fast-paced digital world, employees just don't have that kind of time.
BN: What if my business isn't located in the EU?
MF: When speaking with customers and other IT pros, I often hear, 'But why does this affect me? I'm not based in Europe!' However, while you may not operate in Europe, or even sell over there, you're not off the hook when it comes to GDPR. If your organization collects any kind of data that could profile EU citizens – even if it’s something simple, like an email address – you’re still responsible for compliance.
BN: What penalties are associated with non-compliance?
MF: If you don't comply with GDPR regulations, don't expect a small slap on the wrist. Organizations found non-compliant can be fined upwards of €20 million or four percent of global turnover, whichever is greater. However, the most significant cost comes down to your customers; it's all about building their trust to ensure they stay your customer.
BN: What role does the cloud play when it comes to GDPR?
MF: If you move all your data to the cloud, you won't need archiving anymore, right? Wrong.
First, to maintain compliance, it's important to note that cloud storage and cloud email archiving are not the same thing. Yes, you need somewhere to store your organization's email and data archive, but you also need email archive software to help you find it. Cloud email archiving solutions can help you make your cloud storage searchable -- and safe.
BN: What three things should organizations do to maintain GDPR archive email compliance?
MF: 1. Make everyone accountable. The IT team isn't the only one responsible for making sure the right measures are in place and steps are taken to ensure compliance. All employees throughout the entire organization, C-level included, have a responsibility to work together to define each file that is archived, determining their sensitivity and retention period to create a reliable protection plan that’ll make it easy to find important files quickly.
2. Keep track of your audit trails. Also referred to as the 'chains of custody,' audit trails can quickly help you identify who owns, moves and accesses archived data. If you're able to answer the five Ws (who, what, where, when and why), you’ll be able to easily identify the location and contents of potentially private or personally identifiable information.
3. Consider the cloud. Deploying a cloud-based archiving solution can save you not only time, but money too. With the flexibility and scale that comes with the cloud, you don’t have to worry about constantly updating hardware or increasing storage capacities.
BN: How can an organization maintain GDPR compliance and reduce impact in the face of email-borne cyber attacks?
MF: Often overlooked when talking about GDPR is the concept of phishing, in which an attacker attempts to steal private information, such as usernames, passwords or credit card details, by disguising himself as a trustworthy source via email. And unfortunately, enterprise phishing attacks are on the rise.
In the age of GDPR, employees within an organization must be prepared. After all, a comprehensive security strategy (that will also help you avoid noncompliance fines) requires employee education. The first step to maintaining compliance is training employees to easily identify suspicious links or emails, and arming them with the correct defenses, as well as a plan of action, should they open a malicious file.
In the event that a company experiences an attack, such as a phishing scam, there are ways to reduce impact. For one, employees must be able to locate data quickly. For this, rapid search is a must -- and so is the ability to comb through vast amounts of data. Consider an email archiving solution that can help users uncover important files in record time, without interrupting business as usual.