Five examples of IT environments not meeting GDPR requirements

In connection with the introduction of the GDPR, you have probably received a steady stream of emails stating that companies you have been in contact with have now updated their privacy and cookie policies. But are all these companies really practically equipped to meet the requirements of the GDPR? At a glance, the technical underpinning required to bring policies in line with reality is often missing. So far, many businesses are only complying with the GDPR on paper...

Insufficient protection of mobile devices

One of the requirements of the GDPR is that data on our mobile devices and computers needs to be encrypted. Encryption is today considered a standard measure to protect data, and your IT environment should make it possible to apply it. On an unprotected computer, without encryption, anyone holding the device can simply reinstall the operating system and then read all the data on the disk. If the data is encrypted, however, no one can access the contents of the device without the encryption key.

In many IT environments, there is no way to centrally control company computers and mobile devices. If a device is lost or otherwise falls into the wrong hands, you cannot check whether the encryption is activated or activate the encryption remotely.

Of course, you can provide adequate protection for your data in other ways - if the devices are completely stationary, never leave the office premises and the premises also have strong physical intrusion protection. But today we live in a mobile world and if you can't remotely control your company's devices, as soon as they leave your premises they are exposed. By definition, you no longer meet the GDPR requirements for data protection.
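The check described above, whether encryption is actually switched on for every volume of a device, is what a central management tool reports per device. As an added example (not WeSafe's code, and not tied to any particular MDM product), this PowerShell function produces the same report locally using the built-in BitLocker module on Windows 10/11 Pro or Enterprise; it assumes an elevated session and the volume and key-protector properties that `Get-BitLockerVolume` exposes.

```powershell
# Added example (not WeSafe's code): report BitLocker status for every volume on
# the local Windows device. Assumes the built-in BitLocker PowerShell module
# (Windows 10/11 Pro/Enterprise) and an elevated session.
function Get-DeviceEncryptionReport {
    [CmdletBinding()]
    param()

    $volumes = Get-BitLockerVolume -ErrorAction Stop

    foreach ($vol in $volumes) {
        # A volume only counts as protected when it is fully encrypted AND
        # protection is on; a suspended or decrypted volume is readable offline.
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Device               = $env:COMPUTERNAME
            Volume               = $vol.MountPoint
            VolumeType           = $vol.VolumeType
            VolumeStatus         = $vol.VolumeStatus
            ProtectionStatus     = $vol.ProtectionStatus
            EncryptionPercentage = $vol.EncryptionPercentage
            KeyProtectors        = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Compliant            = $compliant
        }
    }
}

# Usage: list every volume and flag the ones that would fail an audit.
$report = Get-DeviceEncryptionReport
$report | Format-Table -AutoSize
$unprotected = $report | Where-Object { -not $_.Compliant }
if ($unprotected) {
    Write-Warning ("{0} volume(s) on {1} are not protected: {2}" -f
        @($unprotected).Count, $env:COMPUTERNAME, (@($unprotected).Volume -join ' '))
}
```

Run on its own the function only tells you about the machine you are sitting at; the point of central device management is that the same status is collected from every enrolled device and can be acted on (for example by forcing encryption or wiping) when a device is reported lost.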

Your emails are not encrypted

Email encryption is also something that many lack support for in their IT environments. If personal data is transmitted via email without encryption, it violates GDPR requirements because email is a relatively insecure way of communicating.

To comply with the requirements, you should therefore be able to set all emails to be encrypted. Alternatively, your email client needs to recognize whether your email contains personal data so that it is automatically encrypted for that reason. A third option is to do it manually every time you send an email.

Many email providers do not offer encryption at all. Rather than bolting on a third-party encryption product, an email service with integrated encryption functionality is preferable.

Audit logs - a prerequisite for comprehensive incident reporting

The GDPR places high demands on traceability and the ability to investigate any breaches or other types of incidents. This is a prerequisite for you to be able to report an incident correctly to the Swedish Data Protection Authority within 72 hours. To ensure comprehensive reporting, you therefore need an IT environment where you can track user activity through event logs.

In a hosted environment, where an IT partner runs your servers on a shared network that carries your data alongside other customers' data, it becomes difficult to obtain firewall logs, because your traffic cannot be separated from other customers' traffic in those logs. This makes a proper investigation of an incident difficult, if not impossible.

Searchability facilitates requests for extracts and deletion of records

To handle data subject requests for extraction or deletion of data effectively, your systems must support searches of both structured and unstructured data. In a traditional IT environment, for example, you may have a number of file servers within your organization. You may also have a separate cloud service for file sharing so that data can be reached outside the workplace; Dropbox, for example. And then you have email, either on a local server or with another email provider.

Normally, a plain file server offers no way to search the contents of the files stored on it. The alternative is to go through the files manually, one by one, which is obviously too time-consuming. If, however, the different functions (documents, mail, chat and so on) form one working ecosystem, you can run the search centrally instead of going through file by file and system by system.
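To make the searchability point concrete, here is an added PowerShell example (not WeSafe's code) of the kind of search a data subject request requires against ordinary file shares: given one or more share paths and the identifiers that describe a person, it returns every file and line that mentions them, together with the file owner, so the hits can be exported or deleted. It assumes text-based formats; binary Office documents would need a separate text-extraction step, and the share paths in the usage line are constructed placeholders.

```powershell
# Added example (not WeSafe's code): find which files under one or more shares
# mention a data subject, so an extract or deletion request can be answered.
# Assumes plain-text formats; binary Office files need separate text extraction.
function Find-PersonalDataReferences {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string[]] $Identifier,   # e.g. name, e-mail address, customer number
        [string[]] $Include = @('*.txt', '*.csv', '*.log', '*.json', '*.xml', '*.md', '*.eml')
    )

    # Match literally: identifiers such as e-mail addresses contain regex metacharacters.
    $pattern = ($Identifier | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.Path
                Line      = $_.LineNumber
                Matched   = ($_.Matches.Value | Select-Object -Unique) -join ','
                Owner     = (Get-Acl -LiteralPath $_.Path).Owner
                LastWrite = (Get-Item -LiteralPath $_.Path).LastWriteTime
            }
        }
}

# Usage (paths and identifiers are constructed placeholders): collect every hit
# for one person into a report that can back an extract or a deletion.
Find-PersonalDataReferences -Path '\\fs01\shared', 'C:\Archive' `
    -Identifier 'anna.svensson@example.com', 'Anna Svensson' |
    Export-Csv -Path "$env:TEMP\dsr-anna-svensson.csv" -NoTypeInformation
```

The output is a list of file locations rather than the data itself, which is what you need first: it tells you where the person's data lives across servers before you decide what to extract or delete. Mailboxes and cloud file services need their own searches, which is exactly the fragmentation the paragraph above describes.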

Can you trust your employees to always delete old data?

The GDPR also requires the deletion of data that you no longer need within a certain period of time. This work can of course be done manually - you can, for example, require your employees to go in and clean out their inboxes or older documents at regular intervals.

The problem is that you cannot verify that this is actually done. The only way to be sure that data due for deletion really is deleted is an automated solution, with reminders, notifications and centrally managed deletion routines.
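As an added example (not WeSafe's code) of the automated routine the paragraph above calls for, the following PowerShell function enforces a retention period on a file share: files older than the retention period are deleted and the deletion is written to a log, while files approaching the limit are returned as a reminder list for their owners. The share path, retention period and log location are assumptions you would replace with your own; `-WhatIf` gives a dry run.

```powershell
# Added example (not WeSafe's code): enforce a retention period on a share.
# Files older than RetentionDays are deleted and logged; files approaching the
# limit are listed so owners can be reminded. Supports -WhatIf for a dry run.
function Invoke-RetentionSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $RetentionDays = 365,
        [int] $WarnDaysBefore = 30,
        [string] $LogPath = (Join-Path $env:TEMP 'retention-sweep.log')
    )

    $now          = Get-Date
    $deleteBefore = $now.AddDays(-$RetentionDays)      # older than this: delete
    $warnBefore   = $deleteBefore.AddDays($WarnDaysBefore)  # older than this: remind
    $reminders    = @()

    foreach ($file in Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue) {
        if ($file.LastWriteTime -lt $deleteBefore) {
            # ShouldProcess honours -WhatIf / -Confirm, so the routine can be tested safely first.
            if ($PSCmdlet.ShouldProcess($file.FullName, "Delete (older than $RetentionDays days)")) {
                Remove-Item -LiteralPath $file.FullName -Force
                # The log is the evidence that the deletion routine actually ran.
                Add-Content -Path $LogPath -Value ("{0:s} DELETED {1} (last write {2:s})" -f
                    $now, $file.FullName, $file.LastWriteTime)
            }
        }
        elseif ($file.LastWriteTime -lt $warnBefore) {
            # Days until this file crosses the retention limit.
            $daysLeft = [int]($file.LastWriteTime - $deleteBefore).TotalDays
            $reminders += [pscustomobject]@{
                File     = $file.FullName
                Owner    = (Get-Acl -LiteralPath $file.FullName).Owner
                DaysLeft = $daysLeft
            }
        }
    }

    # Reminder list: in practice this is mailed to the owners or turned into tickets.
    $reminders | Sort-Object DaysLeft
}

# Usage (path is a constructed placeholder): dry run first, then schedule the real
# sweep, for example with Task Scheduler, so it no longer depends on anyone remembering.
Invoke-RetentionSweep -Path 'C:\Shares\Projects' -RetentionDays 730 -WhatIf
```

Two design points matter here. The sweep writes its own log, because under the GDPR you must be able to show that data was deleted, not just intend it; and it is scheduled rather than run by hand, which is what removes the dependency on employees remembering to clean up.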

At WeSafe, we know what is required of your IT environment to meet the requirements of the GDPR. Want to know more about how we can help you ensure compliance in your business? Do not hesitate to contact us!


Written by:

Marcus Juvin

Technical Lead - Security and Compliance

marcus.juvin@upheads.se