Understanding the impact of GDPR on communications

Many underestimate how broadly GDPR reaches and how complex it can be to manage.

While many understand the severe implications of the General Data Protection Regulation (GDPR), they underestimate how broadly it reaches and how complex it can be to manage, particularly when considering the multitude of data communication channels used today.

To date, most organisations protect personal data to the best of their ability. However, they rarely have the technology in place to know where that data resides or what risks it is exposed to. To make matters more complicated, many businesses rely on antiquated systems to protect data, and those systems do not offer the level of protection the GDPR requires. With the risk of hefty fines, businesses are now forced to reconsider their technology investments.

The GDPR is not restricted to organisations based in Europe: it applies to any organisation that collects or processes the personal data of individuals in the European Union, wherever the organisation itself is located. In today’s digital world, the chances are high that the majority of companies will eventually need to comply. Whether a business takes an ad hoc approach to recording communications data or keeps a comprehensive archive of every interaction, sorting through the information and determining what data, if any, can be deleted is no easy task.

To the consumer it might seem a simple enough request to ask to be forgotten by an organisation. A company that is ill-prepared will soon wish it had never heard of that person in the first place.

Dancing between channels

The way businesses communicate with customers, colleagues and partners has changed dramatically in recent years. Using a myriad of communications tools, from social media and messaging apps to business-focused collaboration software, people switch across channels as needs dictate. It might be to use a more secure way of communicating, or simply because the user moved to a different device during the day. However, while the channel may change, the topic of conversation often does not.

What started off as an ordinary post on Twitter may have turned into a business transaction over email. A few months, or even a few years later, when an organisation receives a request under the GDPR to have someone’s details erased from its systems, including archived documents, how can it work out from a tweet what the outcome of the conversation was, in order to determine whether there is a legal obligation to keep the information? Or, worse still, where that information can be found?

Do you erase the data and hope for the best, or can you identify precisely how the conversation continued and deny the request, because you have an overriding obligation to keep the information? 

Piecing together conversations that happened over several channels, stored in different mediums and most likely under inconsistent user names, can be time consuming. There are several reasons for this. Firstly, many traditional archives convert and retain all communications as emails, losing the native structure of the original message. In addition, organisations are increasingly operating a multi-silo archiving infrastructure, maintaining separate archives for different parts of the business or types of communication. Typically, this results in multiple copies of the same data being stored over and over again.

When reconstructing conversations this creates several issues: not only administering, maintaining and de-duplicating content across multiple archives, but also being able to run the same search across all of them and then collating the results. Once again these archives are usually email-based, which adds to the complexity of the problem.

Sympathetic to the content

Shoehorning the real-time communication tools of today into a legacy email format for long-term storage does not work. Enterprises need to be sympathetic to the content; understand what it is and preserve it in its native format. Only then will it be possible for the context or motivation behind a user’s post on Facebook or response to a comment on Instagram to be understood, or deliver an explanation as to why they switched from Skype for Business to LinkedIn InMail or SMS. 

By using contextual archiving of data communications organisations will be able to look through a single pane of glass onto all of its conversations and discover, not only the end to end story, but quickly too. Rather than just knowing that a tweet was sent at a certain time, with contextual archiving data controllers can see additional information including which other communication platforms were used by the person during the same time frame, and who they were interacting with. 

Equipped with far more information than just a date and time stamp, it is easier for data controllers to build a complete picture from which to make an accurate decision on whether or not they can erase someone from their systems. A fault-tolerant content store that understands the different types of data being archived will allow organisations to move away from multiple email-based silos and maintain a single authentic copy of the data. This can then be referenced across the business for a variety of needs, from eDiscovery and legal hold to GDPR. When a decision is made to erase information, a business can be certain that it has every version of that data to hand, and has fewer silos to query.
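The two preceding sections describe the mechanics in prose: keep each message in its native shape, map channel-local handles to one person, pull the cross-channel context around any record, and only then decide whether an erasure request can be honoured or must be refused because of a retention obligation. The following is an added, self-contained illustration of that flow in Python; it is not Actiance code, and the archive records, the identity map, the record kinds and the six-year retention figure are all constructed for the example (a real deployment would take these from its own archive, directory and legal retention schedule).

```python
"""Cross-channel reconstruction of a data subject's history ahead of a GDPR
erasure decision. Added illustration; records, identity map and retention
rule below are constructed sample data, not a real archive or legal advice."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    rec_id: str
    channel: str        # native source the message came from
    sent_at: datetime
    sender: str         # channel-local handle exactly as captured
    recipients: tuple   # channel-local handles
    kind: str           # classification of the native payload
    native: dict        # payload kept in its original shape, not recast as email


# Hypothetical identity map: (channel, handle) -> one person id. In practice this
# is maintained from directory data and user self-identification on each channel.
IDENTITY = {
    ("twitter", "@jdoe_88"): "person:jane-doe",
    ("email", "jane.doe@example.com"): "person:jane-doe",
    ("skype", "live:janedoe"): "person:jane-doe",
    ("twitter", "@corp_support"): "person:corp-sales",
    ("email", "sales@corp.example"): "person:corp-sales",
    ("skype", "live:corp.sales"): "person:corp-sales",
}

# Hypothetical retention rule: record kinds that must be kept, and for how many
# years after creation (assumed figure; a real schedule comes from legal).
RETENTION_YEARS = {"order_confirmation": 6}

# Constructed archive: a tweet that turns into a Skype chat and then an order
# confirmation by email, plus an unrelated tweet from someone else.
ARCHIVE = [
    Record("r1", "twitter", datetime(2017, 3, 1, 9, 0), "@jdoe_88", ("@corp_support",),
           "chat", {"text": "Does the Pro plan include SSO?"}),
    Record("r2", "skype", datetime(2017, 3, 2, 14, 30), "live:corp.sales", ("live:janedoe",),
           "chat", {"text": "Yes, SSO is included. Shall I send a quote?"}),
    Record("r3", "email", datetime(2017, 3, 5, 11, 15), "sales@corp.example",
           ("jane.doe@example.com",), "order_confirmation",
           {"subject": "Order 4471 confirmed", "body": "Thanks for your order."}),
    Record("r4", "twitter", datetime(2017, 9, 1, 8, 0), "@someone_else", ("@corp_support",),
           "chat", {"text": "What are your opening hours?"}),
]


def resolve(channel, handle):
    """Map a channel-local handle to a person id; unknown handles stay distinct."""
    return IDENTITY.get((channel, handle), f"unknown:{channel}:{handle}")


def participants(rec):
    return {resolve(rec.channel, h) for h in (rec.sender, *rec.recipients)}


def subject_records(archive, person):
    """Every record, on any channel, in which the person appears, in time order."""
    return sorted((r for r in archive if person in participants(r)), key=lambda r: r.sent_at)


def context(archive, rec, window=timedelta(days=7)):
    """Records on other channels within `window` of `rec` that share a participant:
    the 'which other platforms, with whom, in the same time frame' view."""
    same = participants(rec)
    return sorted(
        (o for o in archive
         if o.rec_id != rec.rec_id
         and abs(o.sent_at - rec.sent_at) <= window
         and same & participants(o)),
        key=lambda r: r.sent_at)


def retained_until(rec):
    years = RETENTION_YEARS.get(rec.kind)
    return None if years is None else rec.sent_at.replace(year=rec.sent_at.year + years)


def erasure_decision(archive, person, now):
    """('retain', ids still under obligation) or ('erase', all of the subject's ids)."""
    recs = subject_records(archive, person)
    blocking = [r.rec_id for r in recs if (u := retained_until(r)) and now < u]
    return ("retain", blocking) if blocking else ("erase", [r.rec_id for r in recs])


if __name__ == "__main__":
    for r in context(ARCHIVE, ARCHIVE[0]):
        print(f"{r.sent_at:%Y-%m-%d} {r.channel:8} {sorted(participants(r))}")
    print(erasure_decision(ARCHIVE, "person:jane-doe", datetime(2018, 6, 1)))
    print(erasure_decision(ARCHIVE, "person:jane-doe", datetime(2024, 6, 1)))
```

The point of `context` is that a tweet on its own says nothing about whether a transaction followed; only by resolving the handles on every channel to the same person and looking at the surrounding window does the order confirmation surface, and it is that record, not the tweet, that carries the retention obligation and blocks erasure until the assumed period expires.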

It might be a European Union regulation, but GDPR is just the beginning. Whether or not it affects your business immediately, it is highly likely that other government bodies around the world will introduce similar regulations as consumer concerns over privacy grow.

The consequences for not meeting the new GDPR mandate are severe. Businesses that fail to comply can be fined up to €20 million or 4 per cent of global annual turnover, whichever is higher, a cost that makes the GDPR impossible to ignore.

The best defence against potentially astronomical fines is to be able to demonstrate that the enterprise has appropriate policies and processes in place, and that they are backed by technology that enforces them. By considering now the changes to policies and infrastructure required to comply with the GDPR, or similarly styled legislation, businesses will be better prepared to address the no doubt more stringent privacy regulations likely to follow in the long term.

Robin Smith, Technical Director International for Actiance

ABOUT THE AUTHOR

Robin Smith, Technical Director International for Actiance, has over twenty years’ experience of security and compliance solutions within a wide range of networking and messaging systems.