20 June 2018

Retired Member

GDPR means taking a hard look at communications channels

13 February 2017

GDPR should make life a lot easier in some ways. If you’re doing business in Europe, it makes sense to be dealing with a set of standard regulations rather than navigating through individual markets’ rules. But the penalties are going to be much tougher for companies that get it wrong.

I’d bet that most financial institutions – and they’ll be the ones under the most scrutiny – are going to have a pretty rough time getting ready for it.

The issue isn’t just how banks hold customer data within the organisation, or how they report a breach. We’ve known about that stuff for long enough that there’s no real excuse for getting it wrong.

The big issue in my mind is the impact on the data that gets sent every day bypassing corporate control.

I’m talking about IM.

Every day, millions of messages are sent over IM from some of the most security-conscious organisations in the world. It's a great way to communicate urgent or time-sensitive information. It's the future; there's no doubt about it.

But it's inherently insecure. Your data sits on a server that you don't control, in an environment that may be subject to different regulations. Depending on which IM system you use, your data might be split between the US and the EU. You don't have access to that data, and as a result you have no audit trail. It's completely uncontrolled. Imagine the practicalities of having to pull together data from an IM trail after a data leak: proving where that data was sent from, who received it, and where it ended up.

As I wrote last week, some banks are banning IM altogether to reduce the risk. I'm not surprised by that, but it's not the long-term answer. IM isn't going away as a communication method. What we should be doing is rethinking how to make it secure, and bringing that data back under corporate control. The only way to do that is to retain the data in an environment that sits in your jurisdiction, probably on your own servers but certainly on servers that conform to your security requirements.

Tags: Security, Risk & regulation
