Retired Member

GDPR means taking a hard look at communications channels

13 February 2017

GDPR should make life a lot easier in some ways. If you’re doing business in Europe, it makes sense to be dealing with a set of standard regulations rather than navigating through individual markets’ rules. But the penalties are going to be much tougher for companies that get it wrong.

I’d bet that most financial institutions – and they’ll be the ones under the most scrutiny – are going to have a pretty rough time getting ready for it.

The issue isn’t just how banks hold customer data within the organisation, or how they report a breach. We’ve known about that stuff for long enough that there’s no real excuse for getting it wrong.

The big issue in my mind is the impact on the data that gets sent every day through channels that bypass corporate control.

I’m talking about IM.

Every day, millions of messages are sent over IM from some of the most security-conscious organisations in the world. It’s a great way to communicate urgent or time-sensitive information. It’s the future, there’s no doubt about it.

But it’s inherently insecure. Your data sits on a server that you don’t control, in an environment that might adhere to different regulations. Your data might be split between the US and the EU, depending on which IM system you use. You don’t have access to that data, and as a result, you have no audit trail. It’s completely uncontrolled. Imagine the practicalities of having to pull together data from an IM trail if you have a data leak: having to prove where that data was sent from, who it was sent to, and where it ended up.

As I wrote last week, some banks are banning IM altogether to reduce the risk. I’m not surprised by that, but it’s not the long-term answer. IM isn’t going away as a communication method. What we should be doing is rethinking how to make it secure, and bringing that data back under corporate control. The only way to do that is to retain the data in an environment that sits in your jurisdiction, probably on your own servers but certainly on servers that conform to your security requirements.
