Today’s the day! 25 May has finally arrived. The European Union’s General Data Protection Regulation (GDPR) comes into effect today and we can all sit back and relax in the knowledge that we’ve done our research, taken advice from GDPR experts, redrafted our policies, reviewed our internal processes, sanity-checked our marketing processes and trained our internal teams. Right?
Wrong. GDPR is not something you can relax about, even if you have followed the recommended protocols. With fines of up to 20 million Euros (or 4% of worldwide revenue), this is arguably the most important change in data privacy regulation in 25 years and anyone who does digital business in (or with anyone in) Europe will need to remain vigilant – in every part of their business – from this day forward.
In the weeks leading up to GDPR-Day, we’ve been fielding enquiries from telcos and service providers who are shopping around for GDPR compliant email providers. Some have admitted they should have started enquiries earlier. Some thought GDPR wouldn’t apply to them. And some were told by their current email service providers that they would be GDPR compliant, only to be faced with the harsh reality that the deadline has arrived and their current email providers are neither compliant nor scheduled to be compliant anytime soon.
So, the big question today is… is your email hosting provider GDPR compliant?
If not, how long are you willing to bet your whole business on a non-compliant email services provider?
What is GDPR?
“The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.” Source
Two key articles (in the 261-page GDPR document of 99 Articles) include:
- Article 5
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
- The controller shall be responsible for, and be able to demonstrate, compliance
- Article 24
- The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
What is defined as personal data?
Article 4 defines personal data as “any information related to an identified or identifiable natural person, either direct or indirect”. Examples include:
- First and last name (combined)
- Bank account details
- Personal email addresses/emails
- Home address
- Media Access Control (MAC) address
- Credit card details
- Financial records
- Biometric data
- IP address
- Data/place of birth
- (Internet) Cookies
Why should telcos and service providers be concerned?
For consumers, GDPR was designed as a good thing: to give EU citizens more control over how their personal data is used. But for businesses, GDPR represents both an opportunity and a threat.
The opportunity is that, with a “simpler, clearer, legal framework” in which to operate, businesses can better know how to protect their customers, so they can proceed to tidy up their current processes and better protect (and attract) valuable customers.
The threat is that if businesses do not comply, they run the risk of both losing valuable customers and/or being fined for breaching the rules. A first tier fine (for not enacting data protection by design and/or failing to keep adequate records) can potentially hit you with a crippling 20 million Euro fine (or 4% of worldwide revenue). A second tier fine (for administration, process and “minor” offences) can still set you back up to 10 million Euros (or 2% of worldwide revenue). And if that’s not concerning enough, you may be fined not just for breaches on your part, but for breaches on the part of any of the providers who control data for you.
Is atmail committed to GDPR compliance?
What has atmail done to be GDPR compliant?
- In addition to extensive GDPR research, we engaged an experienced GDPR legal expert for professional advice
- We conducted a comprehensive GDPR audit and gap assessment (which included the analysis of our systems and services data flows)
- Following the gap assessment, we created an internal working committee and roadmap to help us achieve GDPR compliance
- We improved our data and privacy policies so that they are more clear, concise and transparent about how we process personal data
- We improved our Terms of Service (and our End User Agreement) and created a prompt for all current customers to review and accept the new terms upon next account login
- We created a GDPR Data Request Form, whereby current customers can:
- Request a copy of their personal data
- Request atmail to forget their personal data
- Transfer personal data to a different company
- View/correct/update their personal data and/or financial details
- We updated our personal data breach policy in line with GDPR requirements
- We reviewed our current mail lists and requested new opt-ins as necessary
- We established a reporting structure and responsibility chart for GDPR governance, with our CEO to deliver a regular reporting item to our atmail Board of Directors
- We’ve educated our team members about GDPR
- We have reviewed our key third-party vendors to make sure we have the appropriate contractual protections in place that satisfy both GDPR and customer requirements
- We have made (and are currently finalising more) modifications to our products (and services) to strengthen security and we have increased our commitment to security by design
How does GDPR relate to security by design?
Security by design is an approach to software engineering whereby software is designed from the ground up to be as secure and free of vulnerabilities as possible. The model contrasts with the typical hit-and-miss strategy of security patch upon security patch to salvage existing software.
GDPR specifies security by design, so, now more than ever, software businesses need to ensure they are planning security into their development upfront, rather than as an afterthought. If they don’t, they risk releasing software that may not be fully compliant with GDPR’s strict security requirements – which puts both them and their customers at risk.
Got questions about our GDPR compliance?
For atmail customers (both on-premises and hosted email) and prospective customers who would like to ask questions about our commitment to GDPR compliance, please reach out directly to Glen Lynden, our Director of Service Delivery, who would be more than happy to help, via firstname.lastname@example.org.
To visit our main GDPR page (and read our GDPR FAQs), please click here.
To talk to our sales team about GDPR compliant email, please contact us here.
Disclaimer: The intention of this post is share atmail’s commitment to GDPR compliance. It is not intended to offer GDPR advice. Please seek your own legal advice with relation to GDPR.