When GDPR is enforced in May 2018 there will be new requirements for employers for secure management of personal information internally. This means the end of internal email. Learn more about why you should stop with email and what a simple and cost-effective solution looks like.
What is GDPR?
GDPR is the European Union’s new data protection act. It will be enforced on May 25, 2018, and applies to all businesses that manage personal information on EU-citizens, e.g. the employees of a German company. The aim of the new legislation is to provide EU citizens greater control and influence on their personal data and how they are handled by businesses and employers.
EU means business with the new legislation and will carry out follow-ups and revisions. The fine for failure to comply is no laughing matter (up to 20 M EUR or 4% of the turnover, depending of what is highest).
An important aspect in GDPR is that personal data must be treated in a secure manner.
What does personal data mean?
In GDPR, personal data can be many things, from name, address, place, online-ID, health information, income, etc.
Examples of scenarios where personal data may occur naturally within internal communication:
- Management follow-ups (material for salary reviews, recruitment material, CV:s, etc)
- HR-discussions about personnel (individual support, etc)
- Economic management (salary specifications, etc)
Note that according to GDPR, it’s especially important to provide extra safeguards for sensitive personal data. Examples of sensitive personal data can be personal data about an employee’s private life and health, e.g. matters that can be discussed between an employee and his or her boss or HR person.
Implementing extra safeguards for sensitive personal data, requires both the right tools and a communication policy.
What does secure management of personal data mean?
An important aspect of GDPR is that businesses and employers must treat personal data in a secure manner. But what does that really mean? When talking about security, the term encryption usually comes in. Encryption is a way to scramble e.g. a text so that only the person with the key can decrypt the text and read it. When it comes to information managed in the cloud, there are several encryption solutions:
- Encryption in transit. This means that a text sent e.g. between a client and a server is encrypted during the transportation phase, on its way from A to B over the internet.
- Encryption at rest. This means that a text is encrypted when stored, e.g. on a server at a cloud service provider.
- Encryption end-to-end. End-to-end encryption is the gold standard within security. If a message is end-to-end encrypted, only the sender and the receiver can decrypt the message, and it’s never decrypted during transit or in storage.
Note the difference between a combination of encryption in transit and at rest, with pure end-to-end encryption. In the first case, the message will be decrypted after transport and then encrypted again for storage and managed by the company that own the storage. This company has access to the keys. Should this company suffer a successful attack the stored data may be leaked, something which is not possible with pure end-to-end encryption.
End-to-end-encryption is the recommended technique for communication involving sensitive personal data.
The end of internal email
So, what about email, this tool that everyone loves to hate? Is it safe to send sensitive personal data, e.g. as text in email or as attachments? The answer is NO! It is simply not secure to use email. With standard email all text and attachments are sent in clear text over the internet and is relatively easily accessible to hackers and other malevolent technical people.
An attack could mean that sensitive personal data about a corporation’s employees, contained in email communication, is leaked and published on the internet. The damage may be catastrophic for both corporation and employees and with the introduction of GDPR there is also the threat of multi million fines.
Now when email is no longer a valid solution for communication of sensitive personal data, a secure alternative for internal corporate communication is needed. Such alternatives were previously lacking at a reasonable cost. Both corporations and the EU therefore used to disregard this problem.
When GDPR is introduced, email may no longer be used for management of sensitive personal data.
End-to-end encryption for secure management of sensitive personal data
Corporate chat is a solution on the rise. Corporate chat also has the advantage that sent messages and files can be easily edited and removed.
With corporate chat, communication takes place in so called chat channels. A channel can be public, private, or 1-on-1. A channel has a name that describes the theme for matters to be discussed in the channel. This means that information and discussions end up in the right place, compared to email where everything, no matter what topic, ends up at the top of the receiver’s INBOX.
Briteback is a Swedish corporate chat app, containing everything a large corporation needs in terms of communication. Briteback also has end-to-end encryption of chat channels, which is extremely well suited for exchange of sensitive personal data and other kinds of sensitive information. The end-to-end encryption has been developed by Briteback and Saab Security, together with the spin-off company Hyker Security, which stands as guarantee for the security. The encryption solution is called RIKS, and is described here.
In order for corporate chat with end-to-end encryption to be a real solution for the management of sensitive personal data, an established communication policy is also needed.
The importance of a communication policy
With older and unstructured tools, such as email, it has previously been impossible to establish a policy for internal communication. With corporate chat, this has now become a real possibility. But what does a communication policy really mean?
”A communication policy is an established agreement on how to communicate in specific situations.”
It is very important that a communication policy is established and thereby well anchored with senior management as well as HR. The policy must bring up especially important situations and clarify how communication shall be handled in these contexts. For the policy to last and evolve there must also be a role and person responsible for the policy.
As for managing communication with sensitive personal data and similar information, we recommend the following policy:
In the dialogue between an employee and a boss, the boss is responsible for making sure that discussion and communication around personal data is carried out in encrypted chat channels. In this way a satisfactory level of security can be guaranteed. The policy should establish a naming convention for the dedicated encrypted chat channels.
- Discussion is going on between an employee and boss, and touches upon sensitive personal data
- The boss realizes that the discussion is related to sensitiv personal data
- The boss creates a new encrypted chat channel dedicated to the topic
- The boss invites the employee to the created channel
- The discussion is moved to the channel and continues there
In a dialogue between and employee and an HR-person, the HR-person has the same responsibility as the boss in the example above.
It is reasonable that the HR-manager is responsible for establishing, spreading and applying the communication policy. The CIO is responsible for introducing and managing the corporate chat solution.
GDPR-secure your internal communication with an end-to-end encrypted corporate chat, with a related communication policy.
See the following material for further information about GDPR:
- Protection of Personal Data – European Union.
- EU Legislation – Data Protection – European Union.
- Questions and Answers – Data protection reform – European Union.