Why Archiving Will Matter Big Time for Successful GDPR Compliance

So where does one begin to enact compliance with the coming GDPR? According to the senior product manager at email security firm Mimecast, the first step begins with archiving.

GDPR.logo2

In exactly six months—May 25, 2018, to be precise—the European Union’s General Data Protection Regulation (GDPR) will come into effect. Businesses already are on a tight deadline to get their artificial intelligence and email applications ready for it.

The GDPR is all about artificial intelligence and the personal-information data that supplies it. Enterprises are increasingly deploying AI to gain better insights into customer needs and provide more personalized service, sales and marketing. But not all AI models are built with the levels of transparency they may need to fully understand how AI makes its decisions—a trait that’s particularly important in highly regulated industries.

While some opaque AI algorithms may drive powerful performance, the complex logic behind these so-called “black boxes’” can’t be fully explained—a tradeoff that becomes more problematic when the model causes unintended actions. To complicate all of this, the GDPR will mandate that businesses must be able to explain the logic behind AI models using European customer data to make decisions or risk massive fines up to 4 percent of global revenues for non-compliance.

This sweeping new regulation also affects everyday email. By its very nature, all email contains personal data, making it vulnerable to attacks (and especially noncompliance fines). Fortunately, architecting a security, privacy and governance solution for email can be fast and simple.

So where does one begin? According to Glenn Brown, senior product manager at email security firm Mimecast, the first step to aligning with GDPR begins with archiving. In this article, Brown explains to eWEEK readers about how organizations can ensure that their email archiving solutions are in top shape ahead of the GDPR deadline.

Data Point 1: Nobody is Off the Hook  

Does your organization offer any products or services to the EU market or collect data of EU residents to profile them? If so, it must comply with GDPR, regardless of whether or not it is actually headquartered in the EU. With GDPR, these organizations will be required to have full visibility of their data to support mandates such as “subject access requests” (SARs) and the “right to be forgotten.”

Data Point 2: Today’s Archiving Solutions Aren’t Built for GDPR

Organizations need quick and easy access to current and historical email as well as proven regulatory and legal compliance that depends on accurate retention. Effective search and retrieval of data is also important. Many organizations think email first-pass review is enough, but it’s not. While it is a vital component of e-discovery, admins are often competing against tight deadlines and other priorities. Casting too wide a net for searches leads to massive amounts of data that is often redundant or obsolete. First-pass review and fast search results cut costs significantly by finding data quickly and pairing down to exactly what you need.

Data Point 3: The Numbers Speak Volumes

According to a recent Vanson Bourne global survey commissioned by Mimecast, 88 percent of organizations say they’ve experienced problems with their existing archiving solution, 56 percent say they are plagued by slow search performance and 50 percent say searching archives takes at least five minutes (20 percent say it can take as long as 10 minutes).

Data Point 4: Businesses Need More Out of Their Archiving Solutions

Because of this, admins need to find a process that can quickly and accurately scan through archive data to avoid sanctions and/or enforcement action by supervisory authorities, resulting in significant monetary penalties and reputational damage. Be sure to take the following tips into consideration when evaluating your email archive solution.  

Data Point 5: Think About the Chains of Custody

Chains of custody, or audit trails, are necessary to keep track of who owns, controls, moves or accesses archived email. Knowing who created it, accessed and forwarded an email, for example, is the key to quickly identifying and recalling specific data when necessary.

Data Point 6: Grant Direct Access to Those Who Need It

Archiving solutions should make it simple for users to be granted authorization to directly access and retrieve data. Being able to share those files, whether it is via email, the web or mobile devices easily without altering them can also improve search capabilities, making them faster and more efficient.

Data Point 7: Coordinate, Coordinate, Coordinate (with Everyone)

Everyone is involved in the archive process. It’s not just on the IT department or the employee who created the file. Teams should collaborate to determine the value of the content, define it, determine its sensitivity and retention period and outline a plan of action for protection. If there isn’t enough communication, valuable information can easily become lost and take hours (and sometimes even days) to be found.

Data Point 8: Move It to the Cloud

On-premises solutions are not only costly, they are also time-consuming. Having to constantly update outdated hardware and expand capacity requires a lot of resources. Cloud-based solutions can help to eliminate the headache that comes with email archiving and provide a secure home for even the most sensitive information.

Data Point 9: Get Ready

With the GDPR deadline inching closer and closer, be sure to create a timeline and work backward with the various business units within your organization to ensure that you’re considering the things needed to be considered before GDPR becomes effective.  These tips will help to ensure that organizations are not only compliant but serve as a trusted and reliable source for customers, employees and business partners. 

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor of Features & Analysis at eWEEK, responsible in large part for the publication's coverage areas. In his 12 years and more than 3,900 stories at eWEEK, he...