
GDPR compliance – are you overlooking the obvious?

Jun 10, 2016 by Romulo Melillo

Data protection is about to become center stage
If you’re a business working within – or trading with organisations based in – the EU, you’ll have had to be some kind of hermit to avoid all the noise about GDPR.

The aim of GDPR – the EU’s new General Data Protection Regulation – is to harmonize the current data protection laws across member states. Being a ‘regulation’ instead of a ‘directive’ means it will be directly applicable to all EU member states without a need for national implementing legislation.

GDPR is going to have a massive effect. There’s been much focus, for example, on the requirement to appoint a data protection officer who advises on and monitors compliance. Note that the 250-employee threshold from the early drafts did not survive into the adopted text, which instead ties the obligation to the nature and scale of the processing. There are real legal constraints on transferring personal data out of the EU. And there’s the threat of massive, punitive fines for non-compliance: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Is your sensitive data under control?
GDPR looks likely to trigger a massive rise in security breach notifications, because notifying the supervisory authority of a personal data breach becomes mandatory (within 72 hours where feasible) rather than a matter of local rules or discretion. One commentator, Eduardo Ustaran of international law firm Hogan Lovells, has suggested that the level of notification of breaches would likely move from about one in ten currently being reported to a need to report six in ten – which he suggests will have a big impact on how companies view their cyber-security structure. Iain Bourne of the UK Information Commissioner’s Office suggests that many will be surprised at the scale of breaches that get reported, which could also see a backlash from consumers demanding more action to protect their data.

Matt Villon, COO at the Cloud Security Alliance UK & Ireland, advises firms to “refresh your information asset register so it clearly identifies what data is held, where, how and why – this may need a rethink as it may not be so obvious.”

The fact is that too much data is unstructured, decentralized and uncontrolled at present for organizations to be compliant. Yes, we all know about local users maintaining their own spreadsheets and address books outside the corporate system, and fixing that will be a challenge in itself. But there are also the Outlook offline cache (.ost) and personal archive (.pst) files generated by Outlook/Exchange, sitting on laptops and file shares, to be located and eliminated. And then there are Microsoft Exchange Public folders, so often the information repository of choice. Have you really got essential data under control?

Better data protection isn’t just about GDPR
The European forum for chief information security officers working in practice, ClubCISO, has long pointed out that not enough attention and spend is being allocated to user security awareness and training. It expects to see a fundamental shift as organizations come under pressure from their boards to comply with GDPR.

In ClubCISO’s latest report, CISOs emphasize that although they are not yet ready for GDPR, it will be largely beneficial by formalizing and codifying the practices they need. Unlike the US, which tends to be more litigious, Europe has a ‘policy-heavy, enforcement-light’ approach for which the rules themselves will be helpful.

So complying with GDPR, when it applies from 25 May 2018, really just means carrying out better and more effective security practices. That’s what organizations should be doing anyway, and many will achieve it by migrating vital data to robust and secure cloud platforms – provided the migration is used to inventory and prune the data rather than simply relocate it.

What data is important to you?
As noted above, aging on-premises Exchange Public folders can be a major headache. An industry standard for storing records essential to business process and communications for over 20 years, they can contain many terabytes of data, and critical items are bundled in with plenty of old, unwanted data.

With momentum toward Office 365 migration quickly gathering pace, there’s an option to move Public folders into Office 365; but with tenant limits and uncontrolled information storage, that’s simply not a practical answer for the heaviest users. The answer is Office 365 Groups. These closely match Public folder functionality and have enhanced features around document sharing, threaded conversations, shared calendars and OneNote notebooks, with access to task-based planning via the new Office 365 Planner application. You can access everything through a common portal with much improved reliability and stability.

If you’re considering this route, a migration like this offers a fantastic opportunity to clean up vital data and put it somewhere accessible and referenceable. But with so much information in your existing Public folders, the only practical way to achieve this is with a level of automation. You need to weed out what you don’t need, keep an auditable record of why you chose to discard or archive certain items, and group items logically to enable better administration.
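As an added example of what that automation looks like at its simplest (this is not Quadrotech’s ADAM code or anything from the original post), the PowerShell below classifies each Public folder and writes a decision log stating the reason. It assumes the folder statistics expose FolderPath, ItemCount, TotalItemSize and LastModificationTime as Exchange’s Get-PublicFolderStatistics does; the five-year staleness threshold and the “HR”/“Personnel” path hints for likely personal data are illustrative assumptions, not rules from the post. The sample folders are constructed so the script runs without an Exchange connection.

```powershell
# Added example (not Quadrotech's ADAM code): classify Exchange Public folders for a
# GDPR data inventory and record the reason for each decision.
# Assumptions (not from the original post): a 5-year staleness threshold, and the
# convention that folders whose path contains "HR" or "Personnel" are likely to hold
# personal data and are never auto-archived or deleted without a human review.

function Get-PublicFolderDecision {
    param(
        # Objects with FolderPath, ItemCount, TotalItemSize, LastModificationTime,
        # as returned by Get-PublicFolderStatistics (or a constructed equivalent).
        [Parameter(Mandatory, ValueFromPipeline)] $Folder,
        [int]$StaleYears = 5,
        [string[]]$PersonalDataHints = @('HR', 'Personnel'),
        [datetime]$Now = (Get-Date)
    )
    process {
        $path = [string]$Folder.FolderPath
        $age  = ($Now - [datetime]$Folder.LastModificationTime).TotalDays / 365.25

        # TotalItemSize renders as e.g. "1.5 GB (1,610,612,736 bytes)"; pull out the byte count
        # so the same code works whether the object is live or deserialized from a remote session.
        $bytes = 0L
        if ([string]$Folder.TotalItemSize -match '([\d,]+)\s+bytes') {
            $bytes = [long]($Matches[1] -replace ',', '')
        }

        $hint = $PersonalDataHints | Where-Object { $path -like "*$_*" } | Select-Object -First 1
        if ($hint) {
            $decision = 'Review'
            $reason   = "path matches personal-data hint '$hint'; needs owner sign-off before archive or deletion"
        } elseif ([int]$Folder.ItemCount -eq 0) {
            $decision = 'Delete'
            $reason   = 'empty folder'
        } elseif ($age -ge $StaleYears) {
            $decision = 'Archive'
            $reason   = "no modification for $([math]::Round($age, 1)) years (threshold $StaleYears)"
        } else {
            $decision = 'Migrate'
            $reason   = 'active within threshold'
        }

        [pscustomobject]@{
            FolderPath   = $path
            Items        = [int]$Folder.ItemCount
            SizeMB       = [math]::Round($bytes / 1MB, 1)
            LastModified = [datetime]$Folder.LastModificationTime
            Decision     = $decision
            Reason       = $reason
            DecidedAt    = $Now
        }
    }
}

# Constructed sample data standing in for Get-PublicFolderStatistics output,
# so the classification can be tried without an Exchange connection.
$sample = @(
    [pscustomobject]@{ FolderPath = '\Sales\Quotes 2009';    ItemCount = 4120;  TotalItemSize = '2.1 GB (2,254,857,830 bytes)'; LastModificationTime = [datetime]'2010-03-14' },
    [pscustomobject]@{ FolderPath = '\HR\Personnel Records'; ItemCount = 870;   TotalItemSize = '310 MB (325,058,560 bytes)';   LastModificationTime = [datetime]'2009-11-02' },
    [pscustomobject]@{ FolderPath = '\Projects\Apollo';      ItemCount = 0;     TotalItemSize = '0 B (0 bytes)';                LastModificationTime = [datetime]'2014-06-01' },
    [pscustomobject]@{ FolderPath = '\Support\Tickets';      ItemCount = 12000; TotalItemSize = '5.7 GB (6,120,328,806 bytes)'; LastModificationTime = [datetime]'2016-05-30' }
)

$sample | Get-PublicFolderDecision -Now ([datetime]'2016-06-10') |
    Tee-Object -Variable decisions |
    Format-Table FolderPath, Items, SizeMB, Decision, Reason -AutoSize

# Against a real organisation (Exchange Management Shell or a remote Exchange session),
# replace $sample with:
#   Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderStatistics
# and keep the CSV as the evidence of why each folder was migrated, archived or deleted.
$decisions | Export-Csv -Path .\publicfolder-decisions.csv -NoTypeInformation
```

The point of the script is less the four rules than the Reason and DecidedAt columns: when a regulator or a data subject asks why a folder was discarded, the log is the answer, and the “Review” bucket keeps anything that looks like personal data out of an automated delete.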

How Quadrotech can help
Our Advanced Data Analytics and Migration (ADAM) engine was developed to prevent businesses from losing value from the data they hold in Public folders. Used to support a migration to Office 365 Groups, it can also help you put critical information in one easily-manageable place.

It makes good sense from a data protection perspective. And it makes absolute sense when you’re considering how to prepare ahead of GDPR coming into force.

In a future blog we’ll look at the practicalities and how we should migrate public folder data in light of GDPR. In the meantime, you can find out more about ADAM here.