Email Security

    What You Need to Know About GDPR Today

    Breaking Down What GDPR Means for Organizations Over Six Years Later

    by Emily Schwenke

    Key Points

    • Even though GDPR went into effect in May 2018, as recently as the end of 2022, 91 percent of companies were still not full prepared to comply.
    • There are the six things organizations need to know in order to get started working towards GDPR compliance.
    • Mimecast continues to stand ready to help organizations meet some of the needed GDPR data requirements. 

    The European Union’s General Data Protection Regulation (GDPR) became enforceable in May 2018, yet compliance remains a challenge for many organizations. Despite significant efforts, a December 2022 report found that 91 percent of companies were still not fully compliant.

    To address this, Mimecast has compiled key information and updates on GDPR compliance, dispelling myths and providing actionable guidance. Below, we break down six critical areas of focus for organizations navigating GDPR requirements today.

    1. Our organization is in the U.S., so GDPR doesn’t apply to us.

    This remains the biggest misconception about GDPR for American companies. GDPR doesn’t apply based on the geography of your enterprise. Rather, the data regulation is based on the location of your users or customers. So, if you exchange emails with EU residents or have site visitors, customers, users, etc., who reside there, you must still comply with GDPR regulations. Read the full text of the GDPR regulation. And if you don’t take adequate measures and something goes wrong, you may be subjected to hefty fines.

    2. What is “personal data” anyway?

    GDPR broadly defines “personal data” as “any information relating to an identified or identifiable natural person.” Examples include:

    • Name
    • Identification numbers
    • Location data
    • Physical, genetic and mental information
    • Cultural and social data

    Previously collected personal data that’s been completely anonymized and cannot be re-identified to an individual is excluded.

    “Children merit specific protection,” the regulation’s authors wrote, “as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data.” Specific protections apply to organizations using minors’ personal information for marketing, creating personality or user profiles, or offering services/products directly to young people. 

    GDPR strengthens data security with new permissions for gathering, accessing and using all this personal data, too. Organizations need to post their policy for data collection and use simple language and enable affirmative or express consent. Article 4(11) states that consent must be “by a statement or by a clear affirmative action”, and prohibits making consent a condition of participation.

    3. We’ve never had a data breach before, so we'll be fine.

    Organizations of all types and sizes are being continually targeted by cybercriminals. Organizations that have never experienced a data breach are few and far between. Rest assured that if you hold valuable data – personal data, IP, customer data and others – you are a target, and it is only a matter of time before you experience a successful data breach.

    And it is not just businesses that are at risk. Nonprofits, healthcare organizations, and educational institutions including K-12 school districts, colleges, and universities are also targets. Learn more about data breach prevention.

    4. Our email is secure enough.

    Email remains the number-one attack vector with over 90% of attacks – and emails frequently include a massive amount of personal data. Email was never built to be inherently secure, therefore, it’s a weak link and open to exploit. Email security is key, but this protection must go beyond spam and virus controls.

    Ultimately, whether or not organizations invest in GDPR compliance comes down to risk. The key criterion is to determine what the potential fallout would be if the worst does happen – a breach is suffered and personal data is stolen. What would it cost to clean up versus protect against in the first place? Can organizations put a price on the reputational damage that will occur? What impact will that have on business operations and finances? Understanding your cyber resilience capability is critical.

    5. What do we really need to lock down?

    Because GDPR focuses on the protection of personal data, and not just data privacy, compliance requires a more concerted effort.

    Organizations must be able to:

    • Demonstrate GDPR compliance across organizational and technological operations, including specific requirements for data processors and data controllers (see Articles 24 and 28).
    • Establish a legal basis for processing personal data, based on six categories outlined in Article 6. Organiztions must be able to defend the processing and be able to comply with any request to stop processing when consent is withdrawn or was found to never have been given.
    • Produce a record of processing activities. Article 30 requires that processors and controllers must be able to document how each piece of data was processed, including how and why it was processed, who sees the data after processing, and more.
    • Announce breaches within 72 hours of discovering them, except in a handful of exempt situations outlined in Article 33 of the data protection act. Requirements for alerting affected individuals are listed in Article 34.
    • Appoint a data protection officer. Organizations that process personal data and/or sensitive personal data on a regular and systematic basis must have a designated professional in charge of data protection. See Articles 37-39 for details.

    6. How do we begin?

    The challenge is putting in the right processes and technology to protect and manage personal data when budget and IT skills and resources are generally tighter than ever before.

    Because email is an easy target, email security is a good starting point. Your plan must include advanced protection against email security threats like ransomware and impersonation attacks, which use malicious links designed to steal credentials, weaponized attachments to drop malware behind the firewall, or deploy social engineering to trick targets into divulging sensitive data. Organizations should deploy a cloud email service that updates automatically based on new threats.

    Organizations also need to look at their email archives, since GDPR has requirements for locating personal information quickly. Once found, data must be easy to export and even delete if requested. Cloud archiving provides the scale and speed needed to deliver on these requirements. A native cloud solution designed for speed, accuracy, and ease of access is key.

    By implementing the right tools and strategies, organizations can address GDPR requirements, reduce compliance risks, and protect personal data. Mimecast is here to help with solutions designed to support GDPR compliance and safeguard sensitive data.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top