GDPR makes it more important than ever to control email content.
The General Data Protection Regulation (GDPR) became enforceable at the end of May, and organizations that fall under its provisions – which includes any company that collects, stores, or processes the data of anyone who resides in the European Union – are realizing that its impacts reach into many aspects of their operations.
Article 32 of the GDPR addresses the security of processing personal data, but what exactly do we mean by “processing,” anyway? Article 4 makes that clear; it defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Thus basically anything that you do with the data constitutes processing in this context. That includes transmitting it to someone else, either within or outside your organization.
In the course of doing business, employees will sometimes want to discuss customers’ personal information by email, with a colleague or even with the customer him/herself. That creates a security problem if the information is not encrypted and/or pseudonymized. Users also tend to include personal data when it isn’t needed at all, or more of it than is needed. Email is thus a common source of data leaks that can put data subjects’ privacy in jeopardy, and put your organization at risk of the penalties that can be imposed for violating the GDPR’s provisions.
Those in the healthcare and financial services sectors have long been aware that there are legal issues involved in exchanging email messages that include personal information, but the GDPR now extends the restrictions and ramifications to companies in pretty much all fields and industries. So let’s look at some ways to keep company email in compliance with the GDPR, HIPAA, GLBA and other laws that govern the security of specified types of data.
Step one: Know the law
Before you can comply with the law, you have to know and understand the law. Being able to recite the text of the GDPR isn’t enough; you must also know what it means and how it applies (and doesn’t) to your organization and your processes.
If you aren’t an attorney – or even if you are, but European privacy law and regulatory compliance aren’t your areas of specialty – the safest plan is to hire someone who can expertly interpret the GDPR and advise you on what you need to do to ensure that you comply, in respect to email as well as all other aspects of processing personal data.
It’s possible that because of the nature of your business and clientele, you don’t even have to worry about the GDPR, but don’t assume that’s true just because your company is based outside of the EU. Remember that it applies if you process (by the very broad definition quoted above) any personal data of any EU resident (who is not necessarily a citizen of an EU country). Paying for good legal advice up front could save you many times that cost later, if mistaken assumptions come to the attention of the EU authorities.
Step two: Know your processes
Take to heart the old adage “know thyself,” or in this case, thine organization. In addition to knowing the law (or getting someone on board who does), it’s essential that you understand your company’s own processes. Your attorney might be a leading expert on the regulation itself, but he/she doesn’t necessarily know the who, what, when, where, and how of your org’s operations. And yes, it matters.
You need to be able to answer the following questions:
- Who do you deal with? This includes anyone whose personal information you handle in any way – customers, potential customers, employees, contract workers, users of your free services, etc. Also who in your org has access to the personal data?
- What information relating to those people do you collect, store, or process? Even a person’s name or IP address can be considered personal data. Article 4 of the GDPR specifically states that personal data includes “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
- When did you collect the data? Is it up to date? Is there a reason to continue storing it? Article 5(1)(d) requires that you keep it updated and accurate, and Article 5(1)(e) states that it should be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (although archiving may be permitted for certain purposes). When was consent given? If pre-GDPR, it may be safest to obtain consent again – following the guidelines for consent given in Article 7.
- Where do those customers, potential customers, workers, and users reside? This is the crux of the matter when it comes to applicability of the GDPR. Even if they are only temporarily in the EU, that makes them data subjects under the auspices of the GDPR. See Article 3 regarding the territorial scope of the GDPR. Where are your workers physically located when they deal with personal data? Do you have remote workers who access this data from home or when on the road?
- How is the personal data collected? How is it stored (physical location, format, etc.)? How is it secured (physical security, firewalls, access controls, encryption, etc.)? How is it shared within and outside of the company? How is it determined who can access it and how is that access restricted? How was consent obtained? How is it disposed of when it’s no longer of use?
You also want to look at how those within the company tend to communicate, especially when it comes to discussing matters that include personal data. If this commonly happens via internal email (which is true of many organizations), then you will want to pay special attention to securing those email messages.
Only when you have a thorough understanding of what personal data your company has and handles and the paths that data takes through your network will you be able to properly protect its privacy.
Step three: Establish written policies and training procedures
Once you do have that thorough understanding, you can develop written policies to govern the handling of the personal data. These policies should be distributed to all personnel who have access to the data and they should be required to sign off that they have read and understand the policies.
The policies should lay out very explicitly what is and is not permitted in handling personal data, including:
- It can be obtained only in accordance with the lawful purposes laid out in Article 6 of the GDPR.
- If relying on consent as the lawful purpose, that consent must be obtained in accordance with the provisions in Article 7 of the GDPR.
- The data can be used only for the purposes for which it was originally obtained.
- The data must be secured through standard data security best practices, including encryption.
- Steps must be taken to ensure the data is accurate at all times.
- The rights of data subjects, as outlined in Articles 12-23 of the GDPR, must be respected at all times.
- The data should be retained no longer than necessary for the purposes for which it was given.
Your policies should specifically address the inclusion of personal data in email messages, both within and outside the company, whether in the text of the message or sent as an attachment. You should also have policies specifically addressing the security of data sent or accessed over the Internet, including in the case of telecommuters or traveling employees.
To be effective, policies should have penalties for violation, and those penalties should be clearly stated in the policy itself. The penalties should be severe enough to act as a deterrent but should take into account the nature of the breach, its consequences or potential consequences to the data subject and the company, and the level of culpability (ignorance, neglect, recklessness or intent) of the violator.
In addition to written policies, employees, contract workers and volunteers who will handle personal data should undergo classroom, online, and/or individualized training to ensure that they understand the requirements and know how to adhere to these rules.
Step four: Implement technological enforcement measures
No matter how many written policies you enact or how much training you provide, and regardless of penalties for violation, there will be some people who will misunderstand, forget, or deliberately disregard the rules. Technological controls are the most effective way to enforce your policies.
Users often get complacent with email, especially in quick, informal exchanges with fellow workers inside the company – even though those messages may travel over the Internet. Two of the most important ways to protect personal data that must be transmitted this way are:
- Email encryption
- Email content monitoring
For any company that handles personal data that’s subject to the GDPR (or other government regulatory compliance requirements), a comprehensive email security solution (for example, GFI MailEssentials) is no longer a luxury; it’s a necessity. A good email security solution will give you the capability to police what goes in and out via email, based on keywords, file types, and regular expressions. This can help prevent a personal data breach that could be costly to your organization not only in the form of EU fines, but also in terms of reputational damage that can be difficult or impossible to overcome.
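To make the three controls named above concrete, here is an added example (not from the article, and not GFI MailEssentials code) of an outbound-mail content check that applies a keyword list, regular expressions, and an attachment-type rule to constructed sample messages. The internal domain example.com, the rule set, the three sample messages and the block/flag/allow policy are all assumptions made for illustration; a real deployment would tune the patterns to the kinds of personal data the organization actually handles.

```python
"""Keyword / regex / attachment-type policy check for outbound email.

Added example: not part of the original article and not vendor code.
The rules, the internal domain and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# --- policy rules (constructed for this example) -------------------------
KEYWORDS = ("date of birth", "passport number", "national insurance")

PATTERNS = {
    # An email address of a natural person is personal data under Article 4.
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # IBAN-shaped token: country code, 2 check digits, groups of 4 (spaces allowed).
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
}

# Bulk data formats that should never leave as plain attachments.
BLOCKED_ATTACHMENT_TYPES = (".csv", ".xls", ".xlsx", ".sql", ".db")

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own domain


def redact(value):
    """Keep only the first and last two characters for the audit record."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text, where):
    """Run keyword and regex rules over one piece of text."""
    findings = []
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append({"rule": "keyword:" + kw, "where": where})
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"rule": "pattern:" + name, "where": where,
                             "match": redact(m.group(0))})
    return findings


def external_recipients(msg):
    """Recipients whose address is outside INTERNAL_DOMAIN."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def inspect_message(raw):
    """Parse a raw RFC 822 message and return a verdict plus findings."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and filename.lower().endswith(BLOCKED_ATTACHMENT_TYPES):
            findings.append({"rule": "attachment_type", "where": filename})
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            findings.extend(scan_text(text, filename or "body"))
    findings.extend(scan_text(msg.get("Subject", ""), "subject"))

    external = external_recipients(msg)
    # Constructed policy: personal data leaving the company is blocked,
    # internal messages carrying it are flagged for encryption/review.
    if findings and external:
        verdict = "block"
    elif findings:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"verdict": verdict, "external": external, "findings": findings}


# --- constructed sample messages ------------------------------------------
SAMPLE_EXTERNAL = """\
From: agent@example.com
To: Partner Co <ops@partner.example>
Subject: Refund for order 1187
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

Hi, please refund the customer. Her date of birth is on file and the
account is GB82 WEST 1234 5698 7654 32. Thanks.

--XX
Content-Type: text/csv
Content-Disposition: attachment; filename="customers.csv"

name,email
--XX--
"""

SAMPLE_INTERNAL = """\
From: agent@example.com
To: support@example.com
Subject: Ticket 42 follow-up
Content-Type: text/plain; charset="utf-8"

Customer asked us to mail the invoice to maria.k@mail.example instead.
"""

SAMPLE_CLEAN = """\
From: agent@example.com
To: support@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Anyone up for the new place on the corner?
"""

if __name__ == "__main__":
    for name, raw in (("external", SAMPLE_EXTERNAL),
                      ("internal", SAMPLE_INTERNAL),
                      ("clean", SAMPLE_CLEAN)):
        result = inspect_message(raw)
        print(name, result["verdict"], [f["rule"] for f in result["findings"]])
```

The matched values are redacted before they are recorded, since a monitoring log that stores the full IBAN or address would itself become another copy of personal data to protect. Note that only text/* parts are scanned for content; spreadsheets and other binary attachments are caught by file type alone, which is why the attachment-type rule matters.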
The GDPR brings some big changes to the way companies must handle data, and that includes data in email messages. Email may be the weak spot in your data security strategy, but it doesn’t have to be. The appropriate written policies, adequate education and training of workers, and good technological solutions can help keep your email messages in compliance.