Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

Move beyond your SEG with Tessian’s SEG Consolidation Wizard  | Generate Report Now →

Compliance

GDPR: 13 Most Asked Questions + Answers

Tuesday, March 15th, 2022

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

1. Who’s enforcing GDPR?

In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement.

28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent given data protection is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any overtly data-privacy regime that could impede global trade.

2. What are the penalties for non-compliance with GDPR?

Penalties can be a fine up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty and the assumption is that it will be levied in severe cases when a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the violation level.

3. What is a GDPR Data Processing Operation?

  • A data subject is the person about whom data is being collected.
  • The data controller is the person or organization that decides why personal data is held or used, and how it is held or used.
  • Any person or organization that holds or uses data on behalf of the data controller is a data processor.

The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach.

4. How does the GDPR handle this?

GDPR refers to the time between detecting a breach to the time of notifying impacted parties about it. However, part of the security for privacy concept is about being able to detect breaches and have best-practice tools and processes in place to do so.

5. What documentation do we need to prove that we’re GDPR compliant?

GDPR, compared to the Data Protection Act that it replaces, states there is a need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”.

It is a good idea to document everything about your GDPR process, so it is clear that you have taken the right investigative steps and have made reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions.

6. What are the data requirements for GDPR?

  • Data can only be processed for the reasons it was collected
  • Data must be accurate and kept up-to-date or else should be otherwise erased
  • Data must be stored such that a subject is identifiable no longer than necessary
  • Data must be processed securely

7. Is GDPR training mandatory for staff and management?

Anyone whose job involves processing personal data undertakes data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers.

8. Does GDPR compliance differ based on the number of employees a company has?

GDPR doesn’t differentiate between the size of organizations.

9. What type of language should be included in a consent policy?

Check out the Tessian privacy policy, which shows you how detailed consent needs to be.

10. Is appointing a DPO mandatory?

GDPR requires appointing a DPO when an organization performs data processing on a large scale, processes certain types of data or processes data on an ongoing basis as opposed to a one-time process.

11. What happens if some data is processed outside the EU?

The GDPR allows for data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. In the absence, transfers are also allowed outside non-EU states under certain circumstances like standard contractual clauses or binding corporate rules.

12. Does GDPR affect US-based companies?

Any U.S. company that has a web presence and markets their products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

13. If we are based in the US, have EU citizen data and experience a breach, who do we notify?

There are rules around what authority should be notified based on criteria like the situation, the organization and where the processing occurs.

How can Tessian make you GDPR Compliant?

Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Some notable examples of penalties issued by the ICO for misaddressed emails include 56 Dean Street Clinic who were fined £180,000 for inadvertently disclosing the identities of HIV positive patients and also Dyfed-Powys Police who were fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public.

 

GDPR forces organizations to report all personal data breaches to the appropriate governing body and maintain a register of these internally. Under GDPR, organizations have an obligation to report misdirected emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach. Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR.

 

Tessian uses machine learning to automatically detect when emails are being sent to the wrong person, allowing organizations to both prevent information being sent to the wrong person and crucially, retain an audit log of warning messages shown to users when sending emails and the response that the user made on the warning that was shown.

 

The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).

 

Furthermore, with increasing numbers of firms adopting Tessian’s technology and their role in helping advising other companies in their transition to GDPR, simply relying on staff being as careful as possible and internal training, becomes an untenable posture when protecting personal data.