Blog | Vade

Email and the GDPR: threats, rights and obligations

Written by Adrien Gendre | June 27, 2018

At the crossroads of many uses within the company and the leading vector of cyber-attacks, email is subject to numerous regulations and sensitive practices. These include the General Data Protection Regulation (GDPR) which went into effect May 25, 2018.

Email is electronic mail, a message written by one person and destined to another person, which transits through a mail server to a second mail server via a computer network.

This simplified definition of email is sufficient to raise the security problem of this communication process which holds two records: that of being the most highly used means for communicating in business, and that of being the most threatened and threatening, since email is today the primary vector of attack used by hackers (1).

Cybersecurity adapted to the GDPR

Email must therefore be placed in the center of the organization's cybersecurity strategy, because it is vital for communication internally and externally, that it is a personal tool that concerns all employees and extends over all the individuals that make up the company's ecosystem, and that it is the target of hackers who seek to attack the company to destroy or steal data. Messaging must in particular be protected from phishing and spear-phishing abuses or from malware introduced for industrial espionage, which is any technique that seeks to steal data for fraudulent purposes.

In parallel with this context of protecting data against cybercrime comes the addition of new rules concerning personal data protection with GDPR. Since May 25, 2018, any European company, or any company that exchanges with European Community citizens, is subject to the GDPR European Regulation. In particular, this requires the company to protect the personal data it holds in its databases, whether data of customers, suppliers, employees or any person with which it has relations. It also defines two concepts to which companies must now adhere to: "Privacy by Design" (any new process must be designed through the lens of cybersecurity), and "Privacy by Default" (any stored data must first have been at least anonymized, that is, not permitting the formal identification of a person).

This means that companies must put in place the means to protect personal data they hold and ensure that it will not be used outside the context for which it was collected, nor to disseminate it to third parties without the informed consent of the persons concerned.

In this new regulatory framework, the company must therefore prove that it has taken appropriate measures to ensure that the data it holds is not at risk of being hacked. Hence the need to protect the main gateway to data piracy, namely email. This is even more essential for companies that use cloud-based platforms such as G Suite or Office 365. Establishment of solutions to protect against cybercrime, and in particular to protect messaging, is therefore fully adapted to this new context and provides evidence of compliance with the GDPR.

 

Protecting your emails to be in compliance with the GDPR: 4 key elements

By protecting its messaging, i.e., the flow of emails received, sent and also exchanged within the company, there is a response to the legislator's requirement concerning the guarantee of personal data protection. More specifically, protecting your emails has an effect on the different elements required by the legislator: protecting data, tracing data and restricting access, guarding against data leakage, and finally managing user identities.

Protecting data
Setting up a solution for protecting emails permits blocking all attack attempts, whether malware, phishing or spear phishing, and therefore prevents isolated or bulk theft of data. The important thing is to have a solution that allows blocking of not just known threats, but also unknown threats, and therefore have protection against zero-day attacks (attacks that exploit weaknesses that have not yet been revealed and documented). In terms of security, a single successful attack can have major consequences! Solutions such as ours, based on heuristic filtering and machine learning algorithms, block these new attacks, unlike solutions that use traditional technologies based on signature or IP address reputation.

Tracing data and restricting access
Traceability is ensured by filter logs for emails, event logs, and accurate statistics over long periods of time. Statistics are based on the deployment of data consumption measures (data life span, suppression and migration workflow, access control, etc.).

Guarding against data leakage
To protect against data leakage, users must be sensitized and at the same time it is necessary to have effective protection solutions, in particular against phishing and spear phishing.
Raising awareness and vigilance must be at the heart of securing data since users are the leading target of attacks and considered by hackers to be the weak link. So it is the users that they try to deceive to cross the company's defensive barriers and gain access to the data.

Guarding against data leakage also means having a solution for email protection that is able to detect this type of threat and block any attack aimed at stealing data. It must, for example, provide an analysis of links present in the emails, including the moment when they are clicked (anti-phishing), or proposing specific protection against identity theft and data theft (anti-spear phishing).

Managing user identities
Authentication is a key factor in protecting individuals and the company, the need for which goes well beyond email. In terms of email protection, it must be able to rely on per-user filtering rules (especially to detect the targeted attacks of spear phishing), and authentication for access to each quarantine user.

 

Review of the main rights associated with the GDPR:

  • Right of access: Knowing where and for what purpose data is used. Possibility of freely obtaining an electronic copy of data.
  • Right to limitation of treatment: Right to request limitation of treatment if there is a doubt about the accuracy of data, the lawfulness or the necessity for treatment.
  • Right of correction: Right to request correction of inaccurate or incomplete personal data.
  • Right of erasure: Personal data must be deleted and treatment and dissemination stopped.
  • Right to object: Consent must be clearly expressed and it must be possible to withdraw it as easily as it was given.
  • Right to portability of data: Right to receive personal data previously provided to a machine and to transmit it to another organization.

The company will strive to respect these rights –GDPR is based on the approach, that is, the willingness displayed in the factual protection of personal data – and for this it is subject to the GDPR's obligations.

 

Review of main obligations:

  • Privacy by design and by default: Data must be protected by default as soon as it is designed and on each use. The company can only retain necessary data and restrict access to the persons who process the data.
  • Keeping a register of treatments: All the requirements and treatments of personal data must be registered.
  • Appointing a DPO (Data Protection Officer): A DPO (Data Protection Officer) must be assigned for public organizations and those whose basic activity leads them to handle "sensitive" data (Art. 37).
  • Informing in case of incident: It is mandatory to inform the persons concerned (whose data are on file) of faults likely to lead to a risk for the data, within 72 hours.

 

1 - Dark Reading: The Impact of a Security Breach 2017 survey