The SC Media UK Roundtable, held at The Gherkin in London and sponsored by Mimecast
We're a year away from the end of the European Union's new General Data Protection Regulation's honeymoon period, and while some organisations are stepping up their preparations to become compliant by May 2018, SC Media UK gathered a group of cyber-security and data professionals to discuss where emails fit into the framework, and what risks they might pose to GDPR compliance.
It's a truism that email is the de facto means of communication and information transfer in business, regardless of whether it's always the most appropriate or safest way to move information around.
The roundtable was hosted by SC Media UK and sponsored by Mimecast, a provider of comprehensive email risk management services. The session was moderated by SC's deputy editor, Tom Reeve.
The guest speaker for the event was Mark Watts, a partner at the law firm Bristows who has over 20 years' experience in IT legal issues and was formerly global privacy counsel at IBM. Watts gave a strong opening, busting myths of GDPR compliance and reassuring everyone that “the sky is not falling”.
Nick Ioannou, head of IT for the Ratcliffe Groves Partnership, agreed: “Don't panic! Don't be tempted to buy a sledgehammer when you needed a nutcracker. Just ensure you start your journey to compliance now to ensure plenty of time to prepare.”
“There is lots of misunderstanding and false certainties around the fines possible under GDPR legislation,” said Watts, who reminded the table that even under current data protection legislation, the Information Commissioner's Office has never dealt the fullest fine possible of £500,000, the highest fine to date having been given to TalkTalk at the sum of £400,000.
Watts says this is the most well-publicised issue associated with the GDPR, but also the one with the most misconceptions around it.
Interestingly, Ioannou, who works for a firm of architects, says he spoke with a “compliance person” from a leading association in his industry to ask if there are any special things to watch out for under the GDPR. According to Ioannou, “They weren't quite sure what GDPR is”.
Watts went on to ‘bust’ what he says is another myth amongst clients that he meets: the rules around ‘consent’ and sending people marketing emails. Given several recent high-profile cases of charities being given huge fines for sending unsolicited marketing emails, there is naturally a tendency to err on the side of caution when it comes to marketing in the era of GDPR. But as above, Watts reminded the table that if companies are operating as expected now, not much should change under GDPR in this respect – “The majority of emails are allowed,” he said.
Lesley Roe, data protection officer at the Institute of Engineering and Technology, said, “For me a lot of these issues are largely solved by great staff education. If they're good at knowing what the risks are, it cuts out a lot of our business risk.”
Francisco Yeo, head of information technology at Diabetes UK, takes a similar approach: “I look at removing risks from email by using DLP tools and bringing in policies which dictate what employees are and aren't allowed to send by email.”
Watts discussed the Right to be Forgotten, the section of the law afforded to consumers under GDPR which forces companies to delete information about individuals. “This does exist,” said Watts, but “you only need to remove it should the data no longer be valid or applicable, old, or belong to a minor”. Watts says you are allowed to say no, and it is a fallacy that you always have to say yes to these requests.
Glenn Brown, senior product manager at Mimecast asked Watts, "What do you do if a customer signs the contract for a system which does not allow them to be GDPR compliant, such as a legacy email system, as the company engaged its services before the GDPR comes in? Their hands are pretty much tied to it."
Watts advised that should this situation happen, companies must prioritise which systems are to be updated based on “how useful it is, how business critical it is, its vendor, volume and shelf life.”
Francisco Yeo, Tom Reeve and Mark Watts
Brian Shorten, chairman of the Charities Security Forum, said: “If you're doing the right thing now, I think we'll be OK. People will always find a way around restrictions, so we'll always need help from technology.”
Watts said that on the journey to becoming GDPR compliant, companies tend to see new laws like the GDPR as a prompt, a “hump” to get over, when really compliance should be a constant trail of improvement, or as Watts describes it, “a steady incline”.
As Watts said, “I refuse to be selling funeral services”, and reminded the table that most things will “stay the same”.
The most important aspect of the GDPR is the accountability principle, the idea of privacy by design, where a company ensures its policies, processes, training and controls are all watertight.
They would need to show they did everything in their power to protect customer data, and this would presumably then in turn mean that the ICO would not even reach fine level, as the company took adequate care of the information it was entrusted with.
“Focus on minimising threats”, Watts advised, adding, “and ensure you have a compliance programme which works.” Everyone from HR to marketing needs to be clear about the Dos and Don'ts.
Bruce Beadle, information security officer of ATCoreTec, added that when it comes to privacy policies and other company policies, it's important to ensure that staff actually read the policies which the business sets, so there is less room for error.
Tim Lundberg, channel manager at Reed.co.uk, agreed: “Our sales team has a very high turnover of staff, and it's important to us that training of how to handle data is a constant thing.”
Watts said the biggest challenge for companies under the GDPR is subject access requests (SARs), where an employee asks for all the data the company holds on them. Watts warned that typically these take six weeks to turn over, and of course, with an unstructured data format like email, the challenge here is “how to deliver it”. Often, emails will contain data that is not about the person making the SAR, or may contain private company information, which the subject of the request is not entitled to.
The challenge then is combing through the emails and picking out only that data which is about the subject.
Another email challenge relates to Microsoft Office 365. Although Office 365 is an optimal product for business operations, with its features of backing up information to the Microsoft Cloud, Watts said it opens up companies to potential mishaps with data retention and transfer laws as the backups are kept in US-based clouds.
Watts cautioned companies against relying on the ‘human error' defence in the face of a data breach. He said organisations like the ICO don't believe in human error – they believe everything tracks back to business processes.
Hiten Vadukul, global solutions architect at Arup, believes it's worth being prepared for when the ICO does come knocking. But having said that, he added, “It's difficult to know what to show them.”
As part of the closing remarks, Richard Starnes, chief security strategist for northern Europe at Capgemini, said: “Overall there is lots of FUD around the GDPR, and companies should ensure they do things for the right reason. The implementation of the GDPR is no different to ISO 27001, it's a privacy framework.”
Reminding us there is still some way to go with the GDPR, however, Jeremy Lilley, programme manager for cloud, data, analytics, AI and intellectual property at techUK, said: “We as an organisation are aware of the GDPR, but think the wider awareness outside of those in the industry is still quite low. This is something which could use a lot of work.”