After much hype and debate, GDPR (General Data Protection Regulation) will come into force exactly seven months from today, with its repercussions predicted to stretch far and wide. It’s the most important change in data privacy regulation in 25 years and anyone who does digital business in (or with anyone in) Europe will be affected.
Non-compliance is risky, with fines that could wipe out an entire business, regardless of where you sit in the digital business chain. This means that you need to be smart not only about your own business, but also about whom your business partners with (especially whom you choose as your trusted email hosting partner, if you provide email to your customers), so you don’t risk a fine for a data breach caused by one of your providers.
For this reason, we wanted to assure atmail customers (and prospective customers) that yes, we are investing in GDPR compliance (as some of our peers in the email hosting space, such as Open-Xchange, IceWarp and ProtonMail, appear to be) and yes, we are on track to be compliant by the deadline, 25 May 2018.
Update: 25 May 2018:
New updates page: atmail’s new GDPR hub
New blog post: Is Your Email Provider GDPR Compliant?
What is GDPR?
“The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.” Source
Two key articles (in the 261-page GDPR document of 99 Articles) include:
- Article 5
  - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
  - The controller shall be responsible for, and be able to demonstrate, compliance
- Article 24
  - The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
What is defined as personal data?
Article 4 defines personal data as “any information related to an identified or identifiable natural person, either direct or indirect”. Examples include:
- First and last name (combined)
- Bank account details
- Personal email addresses/emails
- Home address
- Media Access Control (MAC) address
- Credit card details
- Financial records
- Biometric data
- IP address
- Date/place of birth
- (Internet) Cookies
Why should businesses be scared?
On the upside, GDPR was designed to give EU citizens more control over how their personal data is used and to give businesses a simpler, clearer, legal framework in which to operate. But on the downside, it brings with it a huge threat of business insolvency for any business caught breaching the rules.
Two tiers of fines have been outlined so far. A first tier fine (for not enacting data protection by design and/or failing to keep adequate records) can potentially hit you with a whopping 20 million Euro fine (or 4% of worldwide revenue). A second tier fine (for administration, process and “minor” offences) can set you back a “minor” 10 million Euros (or 2% of worldwide revenue).
Remember, you may be fined not just for breaches on your part, but for breaches on the part of any of the providers who control data for you. This makes the YouGov research (commissioned by UK law firm Irwin Mitchell) very concerning. They surveyed 2,000 senior business decision makers (maybe some of the people you do business with?) to assess how ready they were for GDPR and found that:
- 62 percent said they had not heard of GDPR;
- 71 percent were not aware of the severity of the fines; and
- 74 percent were not confident that they would be able to detect a data breach at all.
How much does GDPR advice cost?
Given its serious nature, most smart businesses (who want to stay in business) have needed to contract legal expertise to help them navigate the minefield that is GDPR. Law firms, some of which have been working on this for many years, are thankfully on call to help, but at a price. GDPR lawyers are busy and in demand with the looming 25 May 2018 deadline, which means that any lawyer worth their salt is not cheap.
To give you an idea of costs, when we contracted a GDPR advisory firm to advise our email solutions business, we found that our quotes varied from 30,000 to 75,000 Euros for initial assistance. Plus, on top of that, we were instructed to factor in annual recurring advisory fees, which ranged from 20,000 – 52,000 Euros, as well as the unknown cost of potential court fees, should we have to one day fight a case in court. Not exactly pocket change – and they don’t come with a Domino’s guarantee that if they get it wrong, you’ll get your GDPR assistance for free.
How much does GDPR compliance cost?
In addition to advisory fees (namely for initial GDPR gap analysis, Privacy Impact Assessment (PIA), security assessment and general advice), a business also needs to budget for internal costs to: make any necessary business process changes; monitor GDPR regulations and updates; monitor possible data breach issues; and potentially employ a dedicated Data Processing Officer (DPO).
How does GDPR relate to security by design?
Security by design is an approach to software engineering whereby software is designed from the ground up to be as secure and free of vulnerabilities as possible. The model contrasts with the typical hit-and-miss strategy of security patch upon security patch to salvage existing software.
GDPR relates to security by design because now, more than ever, software businesses need to ensure they are planning security into their development upfront, rather than as an afterthought. If they don’t, they risk releasing software that may not be fully compliant with GDPR’s strict security requirements – which puts both them and their customers at risk.
Got questions about our GDPR compliance?
We value your privacy and that of your customers, so we are committed to GDPR compliance.
For atmail customers (both on-premises and hosted email) and prospective customers who would like to ask questions about our commitment to GDPR compliance, please reach out directly to Glen Lynden, our Director of Service Delivery, who would be more than happy to help.
Disclaimer: The intention of this post is to assert atmail’s commitment to GDPR compliance. It is not intended to offer GDPR advice. Please seek your own legal advice in relation to GDPR.
Bonus: GDPR survey results
To download the 19-page summary report from Irwin Mitchell’s GDPR survey, please visit this page on their site.