GDPR should make life a lot easier in some ways. If you’re doing business in Europe, it makes sense to be dealing with a set of standard regulations rather than navigating through individual markets’ rules. But the penalties are going to be much tougher for companies that get it wrong.

I’d bet that most financial institutions – and they’ll be the ones under the most scrutiny – are going to have a pretty rough time getting ready for it.

The issue isn’t just how banks hold customer data within the organisation, or how they report a breach. We’ve known about that stuff for long enough that there’s no real excuse for getting it wrong.

The big issue in my mind is the impact on the data that gets sent every day bypassing corporate control.

I’m talking about IM.

Every day, millions of messages are sent over IM from some of the most security-conscious organisations in the world. It’s a great way to communicate urgent or time sensitive information. It’s the future, there’s no doubt about it.

But it’s inherently insecure. Your data sits on a server that you don’t control, in an environment that might adhere to different regulations. Your data might be split between the US and the EU, depending on which IM system you use. You don’t have access to that data, and as a result, you have no audit trail. It’s completely uncontrolled. Imagine the practicalities of having to pull together data from an IM trail if you have a data leak. Having to prove where that data was sent from, to, and where it ended up.

As I wrote last week, some banks are banning IM altogether to reduce the risk. I’m not surprised by that, but it’s not the long-term answer. IM isn’t going away as a communication method. What we should be doing is rethinking how to make it secure, and bring that data back under corporate control. The only way to do that, is to retain the data in an environment that sits in your jurisdiction, probably on your servers but certainly on servers that confirm to your security requirements.