6 Ways Your Marketing Is Breaching GDPR

Marketing that breaches GDPR is a real issue. The General Data Protection Regulation (GDPR) has had a profound impact on how businesses communicate with prospects and customers, and on how they conduct their marketing. There are still businesses that believe that once users consent to their marketing campaigns, they can use the gathered personal data however they want.

But this can get you in a world of trouble!

GDPR is much more complex than getting consent from visitors and users. While many news outlets have placed emphasis on how consent is handled, it’s actually about the way businesses handle and protect personal data, what they use it for, and how they seek permission to use it.
GDPR is not a directive – it’s a regulation, and it’s legally binding. Companies can easily breach GDPR with their marketing efforts, and here are the 6 common ways it can happen:

#1 Contacting people without active consent

GDPR regulates consent in extensive detail. According to the regulation, consent must offer real choice, and users have to be in charge! It needs to be prominent, and users should have no trouble understanding it. It should also always be requested on its own, not as part of any terms or conditions.

The only valid consent according to GDPR is a positive opt-in, and it requires you to disclose any third parties that rely on that consent. You should also provide an easy way to withdraw consent.

#2 Automatic opt-ins

Automatic opt-ins were a common method to trick users who weren’t paying attention into consenting. Such tactics are considered predatory and are a textbook case of marketing breaching GDPR. Any tick boxes that are pre-ticked or say “click to opt OUT” are a huge breach.

Remember: The only type of consent accepted under GDPR is a positive opt-in.

#3 Poor lead lists and storage

Where are you storing your lead lists? While it’s very convenient to have them readily available on a shared Google Drive or OneDrive document, that’s a very poor practice and definitely a GDPR breach if you have the link set to public for sharing.

Your leads list should be secured and encrypted, and shared only on a need-to-know basis.

How long you keep the information is also important. Under GDPR’s data minimisation principle, holding information for too long is a marketing GDPR breach, so it’s important to delete it as soon as you don’t need it.

#4 Obtaining lists without confirmation of consent

One way marketers fill up their sales pipeline is with purchased lead lists. There are a lot of third-party lead generator sites that are willing to sell lists to you. But you have to be careful when buying lists.

If these generators don’t have active consent from users on distributing their data to other parties, then YOU will be the one who’s breaching GDPR as soon as you contact those prospects.

You always need to have proof that they consented to be contacted by you, whether they gave the consent to you directly, or through third parties.

#5 Ignoring erasure requests

Users who have given consent to collect and process their data have the freedom to withdraw that consent at any time. They can also request that you delete all the data that you have gathered on them. Not acting on those requests is considered marketing breaching GDPR.

Do you know how to erase data? Do you know how much time you have to get back to them once they send a request?

GDPR states that you must act within a month of receiving the request, but there are also instances where you can extend response times; for example, when the user made multiple requests or in case the request is very complex.

#6 Accidentally sharing email addresses

Accidentally sharing any personal information is considered a breach under GDPR.

Surprisingly, emails are a very common cause of data breaches. Emails sent to the wrong recipient are the most common mistake, along with emails with unprotected attachments.

An accidental data breach is still a data breach, so make sure your emails are secured and encrypted, so that they stay protected even if they are accidentally sent to the wrong recipients.

Update: The ICO is sharing more and more information on specific circumstances, and it’s interesting to note that a business email address is protected under GDPR IF it contains enough to identify someone. The most common form is: [email protected], so with that in mind you should be wary about contacting businesses as well! Check out this page by the ICO about marketing to businesses here: https://ico.org.uk/for-organisations/in-your-sector/marketing/the-rules-around-business-to-business-marketing-the-gdpr-and-pecr/

For more information on GDPR email compliance, check out the 5 ways your emails could be breaching GDPR HERE >>> https://towerwatchtech.com/5-ways-your-emails-could-breach-gdpr/

Have more questions? Check out our Smiley Geeks IT Help Membership from only $69 a month!

How to Hold an Azure Information Protection Staff Training

In light of the latest data security climate, where the risk of a breach is higher than ever, it is of utmost importance to keep valuable data safe. Microsoft’s Azure Information Protection (AIP) helps in achieving this goal, and it’s the solution we recommend.

Particularly when you consider that the UK average cost of a data breach is close to £2.87 million ($3.68 million), according to a recent report from the Ponemon Institute.

Azure Information Protection is a cloud-based data protection solution that keeps data safe through advanced encryption, identity, and authorisation policies.

But. 

Adopting AIP isn’t enough – you need to train your staff on how to use it properly. Newly adopted regulations like the EU General Data Protection Regulation (GDPR), combined with concerns about what awaits the UK in terms of free data flow after Brexit, make data security an important aspect of every company, so it makes sense to invest in Azure Information Protection staff training.

Ensuring Your Employees Are ‘On Board’

Change is something many employees are not fond of, so getting them on board with Azure Information Protection Staff Training is the first thing to do before you begin with implementation and actual training.

When your employees are educated on GDPR and data breach consequences, they will become more engaged in Azure Information Protection staff training. Not being compliant and risking a breach could cost them their job, because many businesses that suffer a major data breach never recover.

But how do you hold Azure Information Protection Staff Training?

Step #1 Educate on the Risks

Start by making your staff aware of the dangers of security breaches and just how little it takes for one to occur if data protection is lacking.

Step #2 Explain Their Role in Compliance & Data Protection

Many employees are not aware of just how important they actually are in keeping data safe. Start by explaining their role in the company’s security and compliance. Explain that whenever they send data – be it an email or access to a folder – to somebody inside or outside of the company, it can be a security risk. The risk here is that often nothing is in place to monitor or restrict misuse of that shared data.

The most recent statistics included in IBM’s Cost of a Data Breach Report show that a staggering 27% of all data breaches were caused by human error – in other words, employee negligence was the cause.

Think about the following scenario: You are sending sensitive financial data to an outside partner. The partner is negligent and sends this confidential data to parties that should not have access to it. This constitutes a data breach.

A data breach has serious consequences far beyond actual financial costs including:

  • Hacking
  • Downtime
  • Loss of customers
  • Loss of personally identifiable information (PII) from customers and employees
  • Loss of intellectual property
  • Loss of financial information
  • Breach of data protection laws
  • Legal fines and claims
  • Reputation damage

Step #3 Show Why Azure Information Protection is the Solution

Proper training will help reduce the risk of a data breach as a result of human error. Before you fully implement AIP, ensure your staff become familiar with all the features and that each department knows how to utilise its full potential.

Explain how Azure Information Protection works and how, when integrated in the organisation, it can help on an operational level.

Step #4 Show off Features They Can Use

During Azure Information Protection staff training, the focus should be on providing specific and detailed guidelines to each department. Present all the important features that AIP offers:

  • You Can Classify Your Data – AIP helps classify and label data based on how sensitive it is through a system of labels that automatically protect it once applied.
  • 24/7 Protection – Once you classify data and protect it, it stays protected. AIP follows data and ensures it’s protected even when shared outside of your organisation or stored on an external device.
  • Track Data and Revoke Access  – AIP helps you track what is happening to data you have shared, and in case it’s needed, you can easily revoke access.
  • Log and Report Support Compliance – Get access to powerful features that help analyse and monitor usage of data. The reporting feature helps maintain compliance with rules and regulations.
  • Safe Collaboration – Thanks to labeling and classification, you have complete control over who has access to data and how they can interact with it.
  • Microsoft Office Integration – AIP is integrated into MS Office so you can secure any document with a single click as well as automatically in the background. 
  • Easy to Manage and Deploy – AIP works in the cloud and on-site equipment too.

Step #5 Make it Specific

Once done, provide each department with detailed guidelines and best practices for using AIP specifically for them. For example, teach your finance department staff how to use AIP features like the Do Not Forward button or the Sensitivity bar, or your marketing department how to apply AIP labels and send data to external partners.

If you want to make your AIP staff training easier, we’ve created an Azure Information Protection Staff Training Course on The TowerWatch Academy.

How Azure Information Protection Can Be Used in GDPR Email Compliance

Today, businesses make data-driven decisions in order to have a competitive edge. If your business deals with personal data from customers, it is required to be compliant with the EU’s General Data Protection Regulation (GDPR) requirements. This means disclosing how it handles data and ensuring that data remains safe.

Why You Should Use Azure Information Protection for GDPR Emails

Sending sensitive data internally or to recipients outside your company carries a certain risk. Every email you send could lead to a disclosure of sensitive data, which constitutes a breach of GDPR. Therefore, investing in the protection of emails and files that are sent is crucial.

Azure Information Protection helps keep your emails safe through advanced encryption and protects data at file level, including any attachments you might share.

It’s a great solution that we recommend to our clients and one we can deploy seamlessly.

While GDPR email compliance may seem like just another regulatory hassle, it is actually an opportunity to invest in your company’s digital security. The most recent data from the Ponemon Institute shows that the global cost of a data breach is increasing steadily, and in 2018 it reached $3.86 million.

If that’s not enough to convince you, why not use IBM’s data breach cost calculator and see what yours could actually cost.

The Latest Data Breach Report Shows a Troubling Trend

A data breach carries serious consequences, and every business operation will suffer: financial, sales, marketing, safety, you name it. The 2018 Cost of a Data Breach Study states there are three main causes of a data breach, with the global percentages being:

  • Malicious or criminal attack the main reason for 48% of all breaches
  • System malfunction the cause of 25% of all breaches
  • Human error the cause of 27% of all breaches

The report shows that human error was the reason behind a data breach more often than a system malfunction was, while malicious and criminal attack took first place.

Note: It’s important to state that human error only includes insiders who were careless, while malicious attacks also include insiders, third parties, and contractors who caused a data breach intentionally.

In the UK specifically, malicious and criminal attacks were the reason for 50% of all breaches, human error was behind 26%, and system glitches caused only 24% of all data breaches.

This means that as much as:

 76% of all GDPR breaches in the UK can be caused by either negligence or malicious intent.

That share can be vastly reduced by using file or email encryption like Azure Information Protection.

How AIP for GDPR Emails Keeps You Compliant

Azure Information Protection (AIP) is a cloud-based service that allows you to protect any sensitive and confidential data through encryption. You can protect local data you keep on your devices or data that you store in the cloud. When you send that data outside of your company, the encryption remains in place because it’s active at a file-level.

This means that even if you’re compromised, documents that are recovered cannot be read or decrypted. Plus, intercepted emails cannot be read unless the intended recipient authenticates themselves.

Ultimately, AIP can’t stop your users from making a mistake, but it can support them and arm them with the tools to protect company data properly.

Azure Information Protection Protects Against Malicious Intent

For example, if one of your employees or third-party recipients wants to email a file to an unauthorised person, they won’t be able to do so. Plus, AIP has a great feature called Do Not Forward for GDPR-compliant emails. When this option is used, the recipient must first be authenticated to even view the email, and viewing is all they can do. They can’t forward, print, or screenshot the email. This ensures the email is for their eyes only and that they cannot cause a data breach by forwarding it on to non-approved users, which would lead to a GDPR violation.

Documents attached to these emails are also counted as DO NOT FORWARD and will have the same restrictions.

Azure Information Protection Activity

Not only does AIP limit who can view the data, but it also tracks how that data is being used. By doing so, it ensures that data is safe at all times and that GDPR compliance standards are met. Plus, if you suspect there’s a risk that the data could be used in a way that violates GDPR regulations, you can even revoke access to it.

There are a range of other uses for Azure Information Protection to help keep your company emails and files protected. If you need help learning the ropes or want to deploy Azure Information Protection yourselves, get started today by clicking here.

Technical GDPR Staff Training Essentials

One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.

But, you need to be prepared.

Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.

We’ve delivered many GDPR staff training sessions approached from a technical standpoint, and we often consult with organisations to ensure they are passing on their knowledge correctly.

As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.

Before Your GDPR Staff Training

Data protection should already be part of the company culture, meaning that your staff align with a privacy-first approach.

In practice: Incorporating privacy and data protection into your core values ensures you adhere to the GDPR “data protection by design and default” guideline – this means that your default settings should be privacy friendly, and all processes and operations, from sending GDPR-compliant emails to app development, include data protection measures at their core.

What To Include in GDPR Training Sessions

A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:

1. Consent

GDPR is all about consent, and the ‘legitimate interest’ cases when contacting others, and this needs to be thoroughly understood and explained.

If not, any one of your employees could contact someone without permission, and it could lead to a complaint to the ICO and fines. This is one of the most misunderstood points of GDPR currently, particularly for marketers and businesses that thrive on reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it.

2. The Risk of Non-Compliance

Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.

3. Understanding Your Business’ Role

Ensure your employees understand where your business stands. Participants should learn the difference between data processors and data controllers, which category the business falls into, and the category of any other third party they conduct data-related business with.

4. Knowing Regulations & Regulatory Bodies

For example, your staff should know the role of the ICO and the relevance of the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

5. Being Specific To Your Business

There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.

For example, your GDPR email training might be highly technical, so make sure that everyone understands how new regulations affect their daily email communication and work in general, with a focus on how it makes it better.

6. New Company Policies

Your business’ policies should be at the core of the staff training. Ultimately, you’re the ones to police your own staff, and if a policy is enforced company-wide, it’s more likely to be adopted (and stuck to).

Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.

7. How To Spot Data Breaches

Staff should also learn how to recognise red flags – because a data breach has to be reported to the ICO within 72 hours, knowing how to spot one is crucial. They should also learn the correct procedure in case of a data breach, such as who to report it to in the company and whether additional measures are needed.

8. SAR Requests

Under GDPR, a company has to respect a subject access request – a request for data. SAR requests need to be handled within 24 hours of being received, so having a policy in place and making sure your staff know the correct way to respond is key, because the public and customers don’t always send requests to the right location straight away.

The Technical Side of GDPR Staff Training

Implementing new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But this can be difficult in itself.

This means that you and your staff will have to learn about new encryption technologies and software you decide to integrate into your business operations.

Article 32 of GDPR states that this can be achieved through:

  • Pseudonymisation and encryption of personal data
  • Ensuring your processing systems and services are confidential and resilient
  • Being able to restore access to personal data quickly if there was a physical or technical issue that prevented access
  • Regular testing and evaluation of technical and organisational measures that were implemented to ensure data security

For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.
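As an added example (not code from the original post or from Microsoft), the Python script below shows what the first two Article 32 measures listed above look like in practice on a marketing lead list: direct identifiers are replaced with keyed pseudonyms, the way back to a person is a separately held lookup table, an erasure request is honoured by deleting that entry, and stale leads are purged for data minimisation. The lead records, the key and the retention period are constructed for illustration.

```python
"""Pseudonymising a marketing lead list (Article 32: pseudonymisation).

Direct identifiers (name, email) are replaced with keyed tokens; the only
way back to a person is a separately held lookup table.  Erasure then
means removing the lookup entry and the record, and the retention purge
applies the data minimisation point from the first post.  All data here
is constructed for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample leads (not real people).  'consented_via' and
# 'consent_date' are the proof of consent the page says you must keep.
LEADS = [
    {"name": "Ada Example", "email": "ada@example.com", "sector": "retail",
     "consented_via": "web form", "consent_date": "2019-01-10"},
    {"name": "Ben Sample", "email": "ben@example.org", "sector": "finance",
     "consented_via": "event sign-up", "consent_date": "2020-06-02"},
    {"name": "Cy Demo", "email": "Cy@Example.net", "sector": "retail",
     "consented_via": "web form", "consent_date": "2021-03-15"},
]

IDENTIFIERS = ("name", "email")   # fields that directly identify a person


def new_key() -> bytes:
    """Pseudonymisation key.  Keep it in a secrets store, never next to the
    pseudonymised records: whoever holds both can re-identify everyone."""
    return secrets.token_bytes(32)


def token_for(email: str, key: bytes) -> str:
    """Keyed pseudonym for an email address.  HMAC rather than a bare hash:
    addresses are guessable, so an unkeyed SHA-256 could be reversed by
    hashing candidate addresses; without the key that attack fails."""
    canonical = email.strip().lower()          # same person, same token
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(leads, key):
    """Return (pseudonymised records, lookup).  Records carry only the token
    and business fields and are what marketing tools see; the lookup maps
    token -> identifiers and sits under stricter access control."""
    records, lookup = [], {}
    for lead in leads:
        tok = token_for(lead["email"], key)
        lookup[tok] = {k: lead[k] for k in IDENTIFIERS}
        records.append({"token": tok,
                        **{k: v for k, v in lead.items() if k not in IDENTIFIERS}})
    return records, lookup


def reidentify(record, lookup):
    """Only the holder of the lookup table can get back to a person."""
    ident = lookup.get(record["token"])
    if ident is None:
        return None
    return {**ident, **{k: v for k, v in record.items() if k != "token"}}


def erase(email, key, records, lookup):
    """Honour an erasure request: drop the lookup entry and the record.
    Returns True once nothing keyed by this person's token remains."""
    tok = token_for(email, key)
    lookup.pop(tok, None)
    records[:] = [r for r in records if r["token"] != tok]
    return tok not in lookup and all(r["token"] != tok for r in records)


def purge_stale(records, lookup, today_iso, max_age_days):
    """Data minimisation: delete leads whose consent is older than the
    retention period.  Returns the number of records removed."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    kept, removed = [], 0
    for r in records:
        if date.fromisoformat(r["consent_date"]) < cutoff:
            lookup.pop(r["token"], None)   # nothing left to re-identify
            removed += 1
        else:
            kept.append(r)
    records[:] = kept
    return removed


if __name__ == "__main__":
    key = new_key()
    records, lookup = pseudonymise(LEADS, key)
    print(records[0])                       # token + business fields, no email
    print("erased:", erase("ben@example.org", key, records, lookup))
    print(purge_stale(records, lookup, date.today().isoformat(), 365),
          "stale lead(s) purged")
```

The retention period of 365 days is an assumed policy value; the point is that the purge deletes the lookup entry too, so a stale record can never be tied back to a person.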

Continuous GDPR Training Ensures Compliance

The last point to note is that reminders and refreshers are the way to really reiterate the importance of GDPR to your business and to your staff.

Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.

If you need help with implementing Azure Information Protection in your small business, check out our fully comprehensive and supported course here:

https://towerwatchacademy.thinkific.com/courses/get-file-and-email-encryption-for-small-businesses-microsoft-aip-course

How to Install Microsoft’s Azure Information Protection for Small Businesses

Until now, Microsoft’s Azure Information Protection (AIP) has been an enterprise-level IT solution for the big brands and businesses. So, you may not have even heard of it! But its tools are perfect for small businesses and allow you to get AUTOMATIC file and email encryption that is easy to use and affordable.

Let’s look at why you should be looking at this solution for your small business, how you can use it and what it can do for you:

Why do I Need File Protection?

We could advocate for file protection but it’s easier just to show you, here’s how easy it is to gain access to your sensitive data if you don’t have file protection:

The solution to this? We recommend Microsoft’s Azure Information Protection (AIP).

Update: 23/09/20 – Microsoft’s AIP has actually been upgraded to MIP, with a few extra features. This article is still relevant and if you scroll to the bottom you can see a demo of a recent project we just completed on how it looks in action.

What is Microsoft’s Azure Information Protection?

It’s an excellent cloud-based file and email encryption solution that allows you to create certain ‘rules’ to protect your files and emails automatically.

What Does This Entail?

Although it’s also an excellent option for smaller businesses because it offers unique cyber security features which make GDPR compliance easy and seamless, you can’t really “figure it out” as you go.

It’s not as simple as downloading a piece of software. There’s a little more to it than that. But, once you know how, it’s our recommendation for keeping your company, files and emails protected. The installation looks a little like this:

Different Stages of AIP Implementation

Once you’ve set up your active directory and assigned your licenses, there are 3 steps to implementing Microsoft’s Azure Information Protection:

Assessing Your Data

Although only roughly 5% of your data is sensitive, you still need to protect it and in order to do so, you need to understand what it is, where it is and how you handle it.

Installation

This is the easy part (if you know what you’re doing) and is a simple installation of the AIP client onto all of the machines/servers that you want to have automatic encryption capabilities.

Monitoring/Testing

This is all about tweaking your settings to match your usage based on what you’re using your protection for in your business.

So, How Can I Do It Myself?

We originally created an AIP course (you can still take the legacy course HERE.) However since the update to MIP (Microsoft Information Protection) there’s a lot more backend setup, licensing crossovers, and implementation that just make this a project that is really tricky.

If you get it wrong you can accidentally encrypt and lock yourself out of all of your data, and to be honest, we don’t recommend doing this.

We still want to make MIP accessible for SMEs so we offer a half hour consulting option to give you the best tailored advice on what forms of protection are best for you, and then we can help you set up MIP if it’s suitable.

Book in for your consultation CLICK HERE.

Check out the MIP Demo below to see it in action:

How “At Risk” Small Businesses REALLY Are to Cyber Attacks

Running a small business comes with a very specific set of challenges, like having limited resources, and often cyber security falls to the bottom of the list. But the cost of a data breach, no matter the size of your organisation, can be huge, and the bad PR or damaged image alone could be crippling, as small businesses have to rely on reputation!

Why Would Anyone Target Small Businesses?

Many small business owners don’t understand why their company would be an appealing target for hackers. They are small, don’t have vast funds or sensitive secrets that anyone would care about. They believe they are not big enough to be a target, so they don’t invest as heavily in cyber security as larger businesses do.

Some hackers do not target small businesses specifically but try to infect as many devices as possible, and without protective measures, backups in place, or education, small businesses can very quickly become victims too.

The most common tactic that casts a wide net is the ransomware attack; more recently, cyber-attacks are also becoming more targeted and specific.

The top 3 reasons why small businesses are targeted specifically by hackers are:

  1. The lack of investment in security makes it too easy for those looking to make quick money by selling details.
  2. Small businesses often work with larger enterprises and, if they’re not careful, can serve as a point of entry for a large data breach.
  3. A small business is more likely to meet the hacker’s demands, such as a ransom, to get their data back, because without it their business is at a standstill.

Cyber-attacks against Small Businesses are on the Rise

According to Keeper Security’s State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, attacks against small and medium business owners are on the rise. A staggering 61% of small businesses that were interviewed reported they were affected by a cyber-attack. The most common type of attack was phishing or social engineering, with web-based attacks and general malware following closely behind.

What Small Businesses Should do to be Safe from Cyber Crime

Change of stance is the most crucial thing.

If small business owners continue to believe they are not a good target to hackers and believe they don’t matter, they will continue to be vulnerable to cyber attacks. Small businesses should focus on the following areas:

  • New Technology and Software – Investing in the newest software solutions can give small businesses the edge they need to catch breach attempts early. Machine learning can detect anomalies in network traffic or credit card fraud attempts so that small businesses don’t have to pay as much attention.
  • Employee Education – Teaching employees about cyber security lowers the risk considerably. Get them on board and teach them about password policies, what makes a strong password, why password sharing is risky, and the signs that indicate a possible breach. Check out the TowerWatch Academy for regular courses you might need for educating staff and using protection software.
  • Regular Updates and Patching – Ensure all your systems are up to date and patched regularly. Patches fix parts of code that could have been used as points of entry before the patch, which is why you should always keep up to date.
  • Use Encryption – Encryption is a precaution in case a data breach happens. If hackers get to your data, having it encrypted will render it useless to them.
  • Physical Security – Have surveillance in place in areas where you keep your sensitive data to avoid malicious actions from the real world.
  • Two-Factor Authentication – In case a cyber attack succeeds in getting credentials to log in to your system(s), two-factor authentication will stop the attacker from getting further than trying to log in and will immediately alert you, so you can lock it down and change your passwords.

If you need any help or support protecting yourself as a small business from cyber security attacks, join our free Facebook community for IT support for your small business.

GDPR Email Terminology You Need to Know!

When it comes to GDPR and emails, things can get confusing! You need to make sure you completely understand the GDPR email terminology that potential users, customers and businesses could be using, so you can act accordingly.

Although not an exhaustive list, here are some of the terms that will be most useful to understand. We’ve taken this list from our Free GDPR Email Protection Course you can find here.

Consent – This means permission! GDPR’s aim is to allow users more control over their data and is big on consent which means if you don’t have it, you can’t use it. Now there are some situations where direct consent isn’t needed, for example if someone makes a purchase from you, you’re allowed to send them a relevant email about their order without their consent as it’s a necessary byproduct of the purchase. Another example is when a company or business has a business specific email address on their “Contact Us” page. This is considered consent as long as the email is a business and not personal address e.g. [email protected] NOT [email protected]. One thing to note here is you still can’t add them to a mailing list but you can contact them with something of genuine interest.

Data Breach – This is where information has been accessed by unauthorised third parties due to a security issue. This usually refers to confidential or sensitive information.

Data Controller – The ICO define a data controller as:

“A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed”

Data Portability – This is the right of the user to move personal data to competitors and businesses have to comply. It must be readable and universally accepted by the other party and once moved, the original business may not store it (unless for legal/tax purposes.)

Data Processor – The ICO define a data processor as:

“In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”

Data Processing – When information is handled, physically or digitally for any action. For example, collecting it, uploading it into an automatic algorithm, using it to segment etc.

Data Protection Authorities (DPA) – These will be appointed in individual EU-based countries to enforce and support the new data protection laws.

Data Protection Officer (DPO) – Data controllers will appoint an employee (or sometimes an external hire) as DPO, whose responsibility is to make sure data protection and processing requirements are met and understood throughout the organisation.

Data Subject – This is any person that the personal data is about.

Erasure – When an individual makes an erasure request, this means having all of their personal data removed from your organisation (and from any third-party organisations you use to manage this personal data). Not complying with this can leave you open to fines.

Encryption – A way of protecting information so that unauthorised entities or people are unable to access, read or extract the data.

Pseudonymisation – A way to make personal data less identifiable to an outside party by using pseudonyms and preset identifiers in place of the data itself.
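As an added illustration of this entry (example code written here, not code from the page or from My Protected Mail), the Python below shows one common way to pseudonymise a mailing list: each email address is replaced by a keyed HMAC token, and the token-to-address lookup table is kept apart from the working data, so the working data on its own no longer identifies anyone. The key, the sample records and the function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example (not real people).
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "segment": "newsletter"},
    {"email": "Bob@Example.com ", "name": "Bob Example", "segment": "trial"},
]


def make_pseudonym(email: str, key: bytes) -> str:
    """Derive a stable pseudonym for an email address.

    A keyed HMAC-SHA256 is used rather than a plain hash: the same address
    always yields the same token (so records can still be joined and
    segmented), but without the key nobody can recompute or reverse it.
    Addresses are normalised first so 'Bob@Example.com ' and
    'bob@example.com' map to one token.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with tokens.

    Returns the pseudonymised records (what an analytics team or outside
    party works with) and a lookup table that must be stored separately
    and protected, because it is what re-identifies the data.
    """
    pseudo, lookup = [], {}
    for rec in records:
        token = make_pseudonym(rec["email"], key)
        lookup[token] = rec["email"].strip().lower()
        # Name and email are dropped; only the token and non-identifying fields remain.
        pseudo.append({"subject_id": token, "segment": rec["segment"]})
    return pseudo, lookup


def reidentify(pseudo_record, lookup):
    """Only the holder of the lookup table can link a token back to a person."""
    return lookup.get(pseudo_record["subject_id"])


def erase_subject(email: str, key: bytes, pseudo, lookup):
    """Honour an erasure request: remove the subject's rows and the lookup
    entry, so the token can no longer be tied to anyone."""
    token = make_pseudonym(email, key)
    lookup.pop(token, None)
    return [p for p in pseudo if p["subject_id"] != token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: generated once, kept in a secret store
    pseudo, lookup = pseudonymise(RECORDS, key)
    print(pseudo)                           # tokens and segments only
    print(reidentify(pseudo[0], lookup))    # the address, for the key holder only
    print(reidentify(pseudo[0], {}))        # None without the lookup table
```

The design point is that pseudonymisation is reversible by the controller and only by the controller: the lookup table and the HMAC key are the re-identification material and need the same protection as the raw data, while the tokenised records can be handled with less risk.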

Recipient – The receiver of your email.

Subject Access Request (SAR) – Contrary to popular belief, this isn’t actually new. A SAR is something a user can make via email, and it entitles them to ask what information is stored about them. You may find the “Subject Access Code of Practice” by the ICO useful. Also known as a “Right to Access Request”.

For more information on email protection in the age of GDPR, check out our FREE COURSE HERE to guide you through it!


How to Send Encrypted Emails Without Installing Anything

If you want to protect the personal data that you send and reduce the risk of a breach, you’ll want to encrypt your emails or use an email encryption service! Did you know that you can send encrypted emails without installing anything?

Why would you want to send encrypted emails? 

You may think that encrypted emails don’t apply to you, or that they are a bit too “techy” to use. But we’re making it simpler, because hackers don’t care whether you’re techy or not. There are some other instances where you might want to send encrypted emails (for industries prone to email breaches, check out our other article here):

  1. If you’re a business owner or entrepreneur communicating about employee/subcontractor personal data, or sharing sensitive information, ideas or secrets you want to protect.
  2. You’re sending attachments that contain personal information, e.g. recruiters sending CVs, accountants handling account data, members of the public sending copies of ID or official documents.
  3. Lawyers sending case-specific information.
  4. Developers trying to create encrypted messages from their web portal.

But, there are a few issues with the solutions that are out there at the moment: 

  • They require you to use a different email client entirely (and sometimes they aren’t user-friendly for beginners)
  • The other person (recipient) can’t read the encrypted email if they aren’t on the same service
  • You need to install an extension, app or program onto your computer (which many businesses won’t allow as it is directly on the network) in order to use them at all

How do you send encrypted emails without installing anything?

This is something we’ve developed: encrypted email as a service, and it’s really simple. Anyone can use it (whether you’re techy or not). Simply:

  1. Write your email as normal
  2. Put “[email protected]” in the “To” field
  3. Add your recipient in the “subject” field
  4. Hit send

Test it right now: 

  1. Write your email as normal
  2. Put “[email protected]” in the “To” field
  3. Add your recipient in the “subject” field
  4. Click Send

It works on mobile, Mac or PC, as well as any existing platform you’re on. Here’s what the process looks like from a Mac:

What the receiver will see (and do) to read the encrypted email:

In Gmail

In Outlook

If you want to protect your emails and your data for free, check out My Protected Mail for more!


Are Recruiters Liable for Data Breaches When Sending CVs Via Email?

The running joke of the moment is the number of unsolicited emails you’re receiving as a result of GDPR, “consent” and the regulations that became effective on 25th May 2018. But the new General Data Protection Regulation (GDPR) is a piece of EU legislation that has raised countless questions about specific processes, particularly those in the recruitment industry. Among these questions is: are recruiters liable for data breaches when sending CVs via email?

After all, they hold a ton of personally identifiable information (PII) in the form of CVs, application forms and submissions through their website. But how much of this are recruiters responsible for, and if you’re communicating via email, are you responsible for this data if there is a breach, even when you’ve obtained consent?

We’re looking at the facts from the ICO as well as our take on protecting PII sent via email to limit your chances of a breach.

Liability under GDPR

In short, recruiters are liable for any data breaches resulting from the sending of CVs via email, but to understand why, we must delve a little deeper.

Under GDPR, the data controller holds ultimate responsibility for all personal information collected by their organisation. The data controller must be highly trained to pre-empt and effectively address any potential breaches, and it is down to the controller to ensure that all held data is collected, processed, and stored properly.

The data controller is ultimately responsible for their organisation, but all individuals within it must act in compliance with GDPR. Under this legislation, anyone handling personal data is referred to as a data processor. A data processor acts on behalf of the data controller, and must adhere to the rules of GDPR.

In this instance, recruiters are the data processors when they are working with sensitive data, such as that contained within CVs.

Liability for Recruiters

Recruiters, as data processors, have accountability over the information they collect, handle, and send elsewhere. This includes CVs.

They need to ensure that the CVs and the data within them are:

#1 Sent only to the intended recipients

#2 Used solely for a specific purpose

#3 Removed correctly when no longer required.

A recruiter must know exactly where the CV is going and how it is being used by the recipient. This is because, under the rules of GDPR, any EU citizen has the right to erasure, otherwise known as the right to be forgotten. If such a request is received, the recruiter (and their organisation’s data controller) are duty bound to honour and complete the request.

But if they aren’t keeping records of, or control over, the transmissions of personal data they send, this task becomes more difficult, if not impossible.

In order to protect themselves and their organisations, recruiters are likely to be encouraged to seek a disclaimer with each individual before they receive any of their personal data. The language of the disclaimer will vary between each organisation, but most will contain an acknowledgment that the individual will surrender some control of their data whilst it is being processed.

Note that whilst individuals may give their consent to allow the data processor and data controller access and processing of their personal information, they are still protected by GDPR and retain custodianship of their own data, including the right of erasure.

Tools such as Data Subject Access Requests (DSARs) provide individuals with the authority to obtain all of the data held about them by another individual or organisation. These are commonly used during employment-related disputes.

Whilst UK legislation dictates that any DSAR is fulfilled within 40 days of receipt, GDPR goes further. If a DSAR is not honoured, it could incur a fine of up to 4% of an organisation’s annual global turnover, or a fine of €20 million, whichever is greater. Although the maximum is unlikely to be enforced, except in extreme cases, the potential severity of punishment in response to breaches clearly demonstrates the importance placed on the rights of individuals to retain authority over their data. Plus, that’s not the only cost a business can incur in the event of a data breach.

What steps can recruiters take to protect themselves from GDPR-related penalties?

Now that we’ve explored GDPR legislation and potential penalties that can be incurred as a result of non-compliance, we’ll take a look at five steps recruiters specifically can take to prevent a breach and protect themselves.

  1. Encrypt emails and attachments

In order to avert unauthorised access to CVs and other personal data, a simple and effective solution is to encrypt emails and attachments. Encryption ensures that data intercepted in transit cannot be read, so only the intended recipient has access.

Encryption is easily managed through settings within some existing email clients, or via third-party specialist services such as My Protected Mail. For large organisations, or smaller companies that routinely deal with a lot of highly sensitive data, the third-party approach is encouraged.

It is also worthwhile to ensure that all data processors (and controllers) are trained in the optimal use of encryption. After all, there’s no point in having a tool if it is not being used correctly.

  2. Only send CVs to the intended recipient (and prevent forwarding)

When sending a CV by email, recruiters should select only the essential recipients. If the CV is not directly relevant to a recipient, it should not be sent to them. By keeping the pool of recipients as small as possible, it helps to prevent potential breaches.

It’s also worth clarifying, within the body of the email, that the CV should not be forwarded to any other recipient without the permission of the recruiter. Forwarding of attachments, particularly without the knowledge of the original sender, makes it almost impossible to track where the data has gone. Keep in mind that the individual to whom the CV belongs may make a right to erasure request at any time. Failure to keep track of their data can jeopardise an organisation’s ability to do this.

  3. Provide extra information in your disclaimer

Make it clear to candidates, and all other individuals, precisely how their data will be collected, processed, and removed. Transparency at this stage helps to prevent issues further down the line. Use your disclaimer to present all possible scenarios, and ensure that consent is obtained before a CV is collected.

  4. Keep sensitive data secure within internal systems

We’ve discussed the procedure for sending CVs to external recipients, but what about internal record-keeping? This is equally critical, and organisations must ensure that their internal systems are secure enough to manage and protect stored data.

  5. Ensure that third parties are also compliant

Before a recruiter sends any information to a third party, it is worthwhile to sign an agreement regarding their respective data responsibilities. An organisation must ensure that all third parties are also compliant with GDPR, and will honour any future erasure or DSAR requests. This helps to prevent any potential problems in the future.
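Steps 2 and 5 above, together with the earlier point that a recruiter must know where each CV has gone in order to honour an erasure request, can be backed by a simple transmission register. The Python below is an added example written for this article (not code from the page or from My Protected Mail): it allow-lists approved recipients, refuses any send outside that list, logs every send, and produces the list of third parties to contact when a candidate asks for erasure. The recipient addresses, candidate references and function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Transmission:
    """One record of a CV leaving the organisation."""
    candidate_ref: str   # internal reference, not the candidate's name or email
    recipient: str
    purpose: str
    sent_at: datetime


class CvRegister:
    """Allow-list of recipients plus an audit log of every CV sent.

    The allow-list enforces 'send only to the intended recipients'; the log
    is what makes an erasure request actionable, because it answers
    'who currently holds this candidate's CV?'.
    """

    def __init__(self, approved_recipients):
        self.approved = {r.strip().lower() for r in approved_recipients}
        self.log = []

    def record_send(self, candidate_ref, recipient, purpose, now=None):
        """Log a send, or refuse it if the recipient is not approved."""
        recipient = recipient.strip().lower()
        if recipient not in self.approved:
            raise PermissionError(f"{recipient} is not an approved recipient for CVs")
        self.log.append(Transmission(candidate_ref, recipient, purpose,
                                     now or datetime.now(timezone.utc)))

    def holders_of(self, candidate_ref):
        """Every external party that has received this candidate's CV."""
        return sorted({t.recipient for t in self.log if t.candidate_ref == candidate_ref})

    def erasure_plan(self, candidate_ref):
        """What has to happen to honour a right-to-erasure request."""
        return {
            "candidate_ref": candidate_ref,
            "notify_third_parties": self.holders_of(candidate_ref),
            "delete_local_copies": True,
        }

    def complete_erasure(self, candidate_ref):
        """Remove the candidate's entries once third parties have confirmed
        deletion; returns how many log entries were removed."""
        before = len(self.log)
        self.log = [t for t in self.log if t.candidate_ref != candidate_ref]
        return before - len(self.log)


if __name__ == "__main__":
    # Constructed example values.
    reg = CvRegister(["hiring@client-a.example", "talent@client-b.example"])
    reg.record_send("CAND-0042", "hiring@client-a.example", "Role 1234 shortlist")
    reg.record_send("CAND-0042", "talent@client-b.example", "Role 5678 shortlist")
    try:
        reg.record_send("CAND-0042", "someone@unrelated.example", "forwarded by mistake")
    except PermissionError as err:
        print("blocked:", err)
    print(reg.erasure_plan("CAND-0042"))
```

The register deliberately stores an internal candidate reference rather than the candidate's name or email, so the audit log itself holds as little personal data as possible; the allow-list is the control for step 2, and the list of holders is the input to the third-party agreements in step 5.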

In Summary

As we have seen, recruiters and their organisations do have a responsibility to protect all data sent electronically. Recruiters are liable for data breaches because, as data processors, they act on behalf of their organisation’s data controller and are bound by the rules of GDPR.

It is crucial, therefore, that they are trained and equipped with the resources to keep client data safe.