Everything about the GDPR

On this page, you will find a collection of articles that will help you understand the GDPR legislation in the European Union. Additionally, it debunks some myths, highlights what matters to achieve GDPR compliance, and provides information on how to swiftly deal with any violations.

Table of Contents

01

The General Data Protection Regulation (GDPR) in a nutshell

02

The three most important things to take care of to become GDPR compliant

03

Five reasons why data leaking via 'regular' email is nearly inevitable

04

How do you quickly prevent a GDPR fine?

05

What type of 2FA should you use under the GDPR?

06

Reporting a data leak: which steps do you take?

07

Secure email solution by ZIVVER

Introduction


The GDPR is the world’s most elaborate set of rules for the possession, storage, distribution, and protection of personal data. Before, companies could take advantage of such data without having explicit permission to use it. The GDPR was introduced to put a stop to this, to establish the definitions and processes regarding the universal human right of privacy, and to hold organizations accountable when they break these laws.  

01

The General Data Protection Regulation (GDPR) in a nutshell

Read this section for a general idea of what the GDPR is all about.


Rick Goud

CEO


 

The GDPR is designed to give individuals more effective control over their personal data. It also helps companies make the most of the opportunities of digital markets by improving public trust and harmonizing data protection standards across Europe. The regulation has applied in all EU Member States since 25 May 2018.

 

What is the GDPR? In simple terms, it:

  • Applies to personal data: any data that relates to, or can be used to identify, a person in any way
  • Controls what can be done with personal information
  • Requires a legal basis for processing or storing personal information: the person’s consent, or another good reason such as a contract or a legal obligation
  • Gives a person the right to know what information is held about them
  • Allows a person to request that information about them is erased and that they are ‘forgotten’, unless there is a reason not to do this, e.g., an open loan account
  • Makes sure that personal information is appropriately protected. New systems must have protection designed into them (privacy by design), and by default only the personal data needed for each purpose may be processed, with access limited to those who require it (privacy by default)
  • If data is lost, stolen, or accessed without authorization, the supervisory authority must be notified, without undue delay and where feasible within 72 hours of becoming aware of the breach. The individuals whose information has been accessed may need to be notified as well
  • Data cannot be used for anything other than the purpose given at the time of collection
  • Data must be securely deleted once it is no longer needed
  • Allows national authorities to impose fines on companies breaching the regulation. These fines can be up to €20 million or 4% of the business’s worldwide annual turnover, whichever is higher

The GDPR has been in effect since 25 May 2018. According to a DLA Piper survey, over 59,000 personal data breaches were reported across Europe in the months after its introduction. This shows that people are aware of their rights and expect companies to handle their personal data appropriately. However, there are still many misconceptions about the GDPR among entrepreneurs. Therefore, we’ve listed the three most common misconceptions, followed by a privacy check to see if your company fulfills the GDPR requirements.

 

Misconception #1: The GDPR does not apply to me

A major misconception is that the GDPR only applies to larger companies that work with a lot of data, but nothing could be further from the truth. The GDPR is a European law that applies to all companies, associations, and foundations that process personal data. It applies to large multinationals such as Shell and Unilever, to SME entrepreneurs and freelancers, and to everything in between. That means (small) entrepreneurs are also obliged to comply with the GDPR and, as such, bound to take measures. Regardless of the size or nature of a business, when it comes to the GDPR, no one is above the law.

 

Misconception #2: But I don’t process any personal data at all

Personal data come in a variety of types. The most obvious personal data are a person's name, address, place of residence, telephone number, date of birth, place of birth, and email address. However, what does it mean exactly, ‘to process’? Processing is all actions that an organization can carry out with personal data, from collection to destruction. This is, of course, a broad definition. Let's make things more concrete and use the deli on the corner as an example. This SME entrepreneur also ‘processes' personal data on a small scale. That’s because the website of the shop has a contact form and they occasionally send an email to customers or an invoice to companies. Every now and then, they post a photo on Facebook with a happy customer. It might not seem apparent, but small entrepreneurs and self-employed people also process personal data more often than they think.

 

Misconception #3: I already have a privacy policy, so I don’t have to make arrangements

You are required by law to be transparent towards your customers about how you treat personal data. Customers are usually informed about this via a privacy policy. However, there’s more to be done than just drafting a policy. You have to do everything that you describe or promise in this document, so make sure to adjust your policy and management to this. The GDPR also requires you to keep a processing register and a data leak register. If you use cookies on your website, you need to have a cookie statement. In short, there’s a lot to be done.

Additionally, meeting the requirements of the GDPR isn’t a one-off action. The privacy management within your company must be in order and remain that way. The GDPR is not a hype that will blow over. Instead, privacy will become more important as time progresses.

Does your organization already meet all the requirements of the GDPR? Are you not sure whether you have arranged everything properly, legally speaking? The checklist below will help you find out. 

 

Download our GDPR checklist

02

The three most important things to take care of to become GDPR compliant

Becoming GDPR compliant can be overwhelming. In this section, we describe the three primary actions to take before anything else.


 

The General Data Protection Regulation (GDPR) is a European law that, on the one hand, protects the privacy of European citizens and on the other creates awareness in the processing of personal data.

Although one of the main purposes of the GDPR is to harmonize data protection laws across the EU, the regulation contains a number of so-called opening clauses that give Member States the opportunity to introduce their own national data protection laws and further specify how the GDPR is applied. The UK, with the Data Protection Act 2018 (DPA 2018), and Germany, with the Bundesdatenschutzgesetz (BDSG), were among the first European countries to adopt such provisions supplementing the GDPR.

The number of administrative tasks arising from the GDPR is high, your organization may still be resisting, and you want to have everything done as soon as possible. After all, business operations should have been GDPR compliant since 25 May 2018.

The following information describes the first three steps any wise CISO or DPO should take immediately.

 

GDPR is about awareness

The legislation requires that organizations think about the processing (collecting, processing, and storing) of personal data. Whether this is about the data of clients, leads, or employees, it makes no difference. In each of these cases, personal data is involved.

The GDPR greatly values the limitation of the amount of personal data and the mapping of risks. Other important themes are the measures to prevent data leaks, proving that these measures are effective, and the limitation of damage(s). Incorrect actions and concealing incidents can lead to severe penalties. 

A data leak is when sensitive personal data turns up somewhere it does not belong. In most cases, data leaks are the consequence of unintentional human error by employees. This can be the result of a dossier being sent to an incorrect email address or sensitive information being shared via a public service, for example. The lack of a proper privacy policy facilitates these data leaks, with severe consequences.

“The GDPR’s purpose is to create awareness of how to deal with personal data securely. This purpose also becomes evident from the fact that the legislation imposes higher fines for failing to report a data leak, than for the actual data leak itself.” - Erick van Veghel, CISO.

 

How do you get started?

Start with composing the right team. Organizations these days usually save their data digitally. Different systems and applications share these data between them. It is recommended that a team is formed to set up and monitor GDPR related activities. In an ideal situation, the core team consists of a legal expert, a privacy expert, and an IT expert. Together, they can involve the responsible managers and specialists per department.

 

1. Develop an understanding

Lawyers specialized in the GDPR advise starting by mapping the current data streams. Because these can be numerous, it is best to start with the most important or the most sensitive ones. Questions you should ask are:

  • What data is gathered where?
  • Where and how is this data stored?
  • Who receives or has access to this data?

A comprehensive overview of these processes will help you gain insight into your organization’s infrastructure and systems.

 

2. Determine the impact on your organization

As soon as you have mapped the data streams, compare them with the GDPR’s requirements in a gap analysis: look at the current situation and compare it with the desired one. What follows is a series of measures required to fill the identified gaps. In some cases, you can update existing policies. In others, you will have to draft new rules. It is wise, although not always mandatory, to base this on a register.

 

Keep a record of data processing

If your organization has 250 employees or more, you are required to keep an internal record describing all processing of personal data. Organizations with fewer than 250 employees only have to keep such a record if:

  • The processing is likely to result in a risk to the rights and freedoms of individuals, such as automated profiling for targeted marketing or an automated change to a health insurance plan
  • The organization processes special categories of personal data, such as medical data, or data relating to criminal convictions
  • The processing is not occasional, which in practice covers most regular customer, supplier, or employee administration

If you draft the record of data processing according to the guidelines, you instantly meet the recording obligation of the GDPR. No fixed format has been formulated for the record, so you can decide for yourself whether to keep it in a spreadsheet or specialized software, for example. The contents of the document, however, are bound by rules. Our GDPR-compliance checklist explains this in more detail. Obviously, the information in the register has to be up to date and complete.

 

3. Draft and maintain a policy

The record of data processing provides insight into processed personal data. It obliges you to at least think about which personal data you store, with what purpose, for how long, and how you secure them. This lays a foundation for drafting a policy or an additional plan. The GDPR legislation requires that privacy is taken very seriously and for organizations to consider which data to collect, store, and why. The principle of ‘data minimization’ applies here, meaning we only store the data we need, for a minimum storage time. This is the exact opposite of how organizations currently work, as they want to ‘store data for as long as possible because you never know when it might be useful.’ As a consequence of this mindset, many companies view privacy as a burden. This can be considered indicative of how we started to ‘over-collect’ personal data, to which the GDPR is the remedial measure.

Draft a transparent privacy policy, based on the record, for both clients (external) and employees (internal). When this is done, you make it available for all parties involved. The goal of this policy is to inform the involved parties beforehand about the personal data you collect and to make them aware of their rights. The document should at least contain the following information:

  • The identity and contact details of the party responsible for the data. In most cases, this will be your company. If a data protection officer has been appointed, their contact details have to be included as well
  • The purpose of the data processing and its legal basis
  • The recipients (third parties) of the data. If they are located outside of the European Economic Area (EEA): what additional safeguards have been put in place to make sure that transfer outside the EEA is allowed?
  • The storage period of personal data
  • Information about the rights of the involved parties, including:
    • The right to restriction, access, correction, and deletion of data
    • The right to data portability, such as being able to transfer data from one organization to another
    • The possibility to withdraw consent for data processing, for example through an opt-out option in an email
    • The right to lodge a complaint with the supervisory authority
    • The right to object to profiling

An internal privacy policy usually also includes guidelines for employees on how to go about and how to secure (sensitive) personal data in an organization. In most cases, the internal privacy policy is included in the employee manual, which is part of the employment contract, so that employees can quickly consult it.

To make sure that employees comply with the rules of the privacy policy, the privacy rules must become ‘alive’ for them. In other words, it has to become part of their everyday practice — for example, a repeated (practice-oriented) training for all employees, not just the managers. If your employees become aware of the possible privacy risks in their practice and combine this with approachable, user-friendly tools to significantly reduce the risk of an incident, you have taken several big leaps towards a GDPR-compliant organization.

Now that you have a better idea of the task at hand, it's time to take action. Our checklist contains the exact steps you have to take towards GDPR compliance.

 

Download our GDPR checklist


03

Five reasons why data leaking via 'regular' email is nearly inevitable

Do you think your 'regular' email service is safe? Think again! Read on to find out why.


 

Email is one of the most, if not the most, used communication method between organizations, employees, partners, and clients. At the same time, it is one of the most prone to errors. Why is it that data leaks via email occur so often? Find out the five most significant causes below.

 

1. Email is not well secured by default

Many organizations do not secure their email by default, meaning messages travel and are stored unencrypted, or are protected only by opportunistic transport encryption between mail servers that is silently skipped when the next server does not support it. As a result, anyone who can read the message in transit or on an intermediate server can read its contents, as can anyone who receives the email, even if they were not supposed to get it.

Attachments usually are not secured either. This is striking because Excel, Word, and PDF files can easily be protected with a password (modern Office formats encrypt the file with AES when you set one; the password protection of legacy .doc and .xls files is weak and should not be relied on). Additionally, users should not send the password to their recipients via email but through a separate channel, for example SMS. This action alone would significantly improve security. In practice, however, it rarely happens, likely because it costs extra time.

 

2. Email cannot be traced

Imagine the following: you want to send an email to your colleague named ‘Jackson.’ After you have hit ‘send,’ you suddenly realize that the email was sent to someone named ‘Jackson,’ but who works for a different organization. That is when the genie is let out of the bottle. No one can trace what happens to the data in the email. Will it be deleted without reading, or will it be forwarded to others?

In practice, this is a big problem. The moment you cannot say for sure who has seen the data is when you have lost control over the information. Revoking emails that were sent by mistake usually is not possible. Let alone the technical possibilities to gain insight into the data stream that has been set in motion.

 

3. Internal email receives less attention

A leak within your organization can also occur easily. Several employees discuss the legal dossier of a client. By accident, the entire organization is CC’ed.

In the case of internal email, the chance that sensitive information will end up out in the open is smaller. However, this is no criterion for the law. An email containing sensitive information has to be sent securely, even if it has not left the office.

 

4. Standard mailboxes can be easily hacked

If it can happen to the secretary of the US Democratic Party, why would it not happen to you? If a mailbox is hacked, it is often the result of inadequate security precautions. The mailbox of Dutch Minister Kamp was accessed through phishing. Sometimes, criminals gain access to an email account because of a weak password and a lack of 2FA. You do not want someone who gains illegitimate access to immediately have all the information in the mailbox.

Spoofing - There are other ways in which malicious people misuse email. Take, for example, spoofing: an attacker forges the email address of an employee in your organization and sends emails that appear to come from this address. A colleague in the finance department receives an invoice from a member of the Board of Directors and, of course, pays it in good conscience. In fact, this invoice was sent by a criminal, who is also the recipient of the money. With proper precautions, these attacks can be prevented: publish SPF, DKIM, and DMARC records for your domain so that receiving mail servers can reject forged senders, and require out-of-band confirmation (a call to a known phone number) before any change of payment details or any unusual payment.

 

5. Employees are not aware of the importance of secure email

The average employee receives dozens of emails per day. Emailing has become an automatic process. This means that employees treat trifling matters in almost the same way as communicating client data or a new purchase agreement. Employees are not aware that they should treat sensitive information differently from regular email. Nearly all email data leaks are a direct result of this. The inconvenient truth is that humans are the weakest link and the cause of almost all email leaks.

 

Technical tips to improve your email security:

  • Make sure emails are encrypted by default, end to end, so that only you and your recipient can read them. Transport encryption between mail servers alone does not guarantee this
  • Make sure that only the intended recipients have access to the information
  • Use software that warns you when it seems the email is about to be sent to the wrong recipient
  • Offer the possibility to revoke a message when something goes wrong
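The "wrong Jackson" scenario from point 2 and the accidental company-wide CC from point 3 are both things a pre-send check can catch. The following is an added example of such a check, not code from the page or from ZIVVER's product: it flags an external recipient who shares a name with an internal colleague, a recipient domain that is one or two typos away from your own, an attachment going outside the organization, and an unusually large recipient list. The organization domain example.com and the internal address book are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical organization domain and a constructed internal address book;
# neither comes from the page. A real check would read the company directory.
ORG_DOMAIN = "example.com"
INTERNAL_DIRECTORY: Dict[str, str] = {
    "jackson.lee@example.com": "Jackson Lee",
    "maria.smit@example.com": "Maria Smit",
    "finance@example.com": "Finance desk",
}


def split_address(address: str) -> Tuple[str, str]:
    """Return (local_part, domain), lower-cased; a bare name gets an empty domain."""
    addr = address.strip().lower()
    if "@" not in addr:
        return addr, ""
    local, _, domain = addr.rpartition("@")
    return local, domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as exmaple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipients(
    recipients: List[str],
    org_domain: str = ORG_DOMAIN,
    directory: Dict[str, str] = INTERNAL_DIRECTORY,
    has_attachment: bool = False,
    bulk_limit: int = 10,
) -> List[Tuple[str, str]]:
    """Return (code, message) warnings for a draft before it is sent.

    An empty list means nothing looked suspicious; the caller decides whether a
    warning blocks sending or only asks the user to confirm.
    """
    warnings: List[Tuple[str, str]] = []
    internal_locals = {split_address(a)[0] for a in directory}
    external: List[str] = []

    for addr in recipients:
        local, domain = split_address(addr)
        if domain == org_domain:
            continue
        external.append(addr)
        # Same local part as a colleague, but at another domain: the classic
        # autocomplete mix-up between two people called Jackson.
        if local in internal_locals:
            warnings.append(("lookalike-name",
                             f"{addr} is external but has the same name as an internal colleague"))
        # A domain within two edits of our own is almost always a typo or a
        # look-alike domain registered by an attacker.
        if 0 < edit_distance(domain, org_domain) <= 2:
            warnings.append(("lookalike-domain",
                             f"{addr} is at a domain one or two typos away from {org_domain}"))

    if has_attachment and external:
        warnings.append(("attachment-external",
                         f"attachment is about to leave the organization to {', '.join(external)}"))
    if len(recipients) > bulk_limit:
        warnings.append(("bulk",
                         f"{len(recipients)} recipients; check that a whole group was not CC'ed"))
    return warnings


if __name__ == "__main__":
    for w in check_recipients(["jackson.lee@otherfirm.com"], has_attachment=True):
        print(*w, sep=": ")
```

The look-alike-domain threshold of two edits is a design choice: one edit catches dropped or doubled letters, two also catches transpositions, while a larger threshold starts to flag unrelated short domains.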

 

Ensure awareness regarding privacy and GDPR.

Awareness regarding privacy and GDPR covers the necessary organizational and technological measures needed to be taken for optimal information security. The reason these measures are critical is because the majority of data leaks occur because employees do not treat sensitive data in the right way. How do you tackle this? That answer and practical tips can be found in the ebook below.

 

Download our ebook about awareness


The EU General Data Protection Regulation - GDPR

04

How do you quickly prevent a GDPR fine?

Did you experience a data leak? Read further to learn how to diminish the threat of reputation and financial damage.


 

The General Data Protection Regulation (GDPR) provides considerable fines for organizations that are careless regarding personal data. What essential measures can you take right now to prevent such a penalty?

When the GDPR came into force, it caused quite a commotion in the business world. After all, it imposes a large number of demands and obligations, with the threat of fines for noncompliance that could potentially bankrupt a business.

We talked about this with Ans Duthler of Duthler Associates, a company that advises organizations on the GDPR, among other things. One of the first pieces of advice she gives her clients is to stop viewing the legislation as a bothersome obligation. The GDPR is mainly a chance to structure your own data streams. This way, you can put the interests and privacy of your clients at the center of your organization.

 

Appoint a quartermaster

The first important step in this approach, Duthler explains, is the appointment of a Data Protection Officer (DPO) or Chief Information Security Officer (CISO). As ‘quartermaster,’ they can supervise GDPR compliance and draw up and roll out the necessary road map. Smaller organizations can hire an external advisor on their own or as a group, for example through a trade association.

An essential theme in the GDPR is accountability. Organizations have to be able to show what personal data they store, and for what purpose. It requires an elaborate privacy record-keeping, in which all obligations given by the GDPR are recorded. A good starting point for this record keeping is a detailed baseline measurement of the current state of affairs.

 

Baseline measurement as a starting point

Only a few organizations know precisely what data they collect, store, and with whom they share it. Also, the organization has to prove they truly need to use this data. As such, the baseline measurements are likely to result in a large number of action points the quartermaster can instantly get to work with.

A baseline measurement is also an excellent starting point for the necessary raising of employee awareness (including all staff, even the board of directors!). They have to ask themselves critical questions with each new activity that involves personal data. To stimulate this awareness within the organization, the quartermaster can organize workshops or online seminars. They can also use supporting privacy tools.

 

Never 100% GDPR proof

These measures are, of course, also included in the privacy record keeping. Given the broad scope of the new GDPR legislation and the involvement of the human as an unpredictable factor, an organization that is 100% GDPR proof is a utopia. Duthler says that if an organization can show that it has worked hard on the legal obligations, the chances of a fine are significantly diminished.

In conclusion, the fear of a penalty is not the most important reason to embrace the new law. Privacy is an increasingly important topic for the law, organizations, partners, and clients. Organizations that can project that personal data are in safe hands, will be ahead of their competition. This way, the new law offers organizations a chance to distinguish themselves as reliable and customer-focused.

That is why you should get started right away with the baseline measurement. By doing so, action points become clear. Additionally, it's highly advisable to implement software to help you tackle these points as effectively as possible. Should something go wrong, you can instantly show the measures taken to prevent data leaks and possibly limit legislative consequences.

ZIVVER's GDPR checklist is a perfect starting point on the road of compliance. Download it below.

 

Download our GDPR checklist

05

What type of 2FA should you use under the GDPR?

Two-factor authentication (2-FA) is essential for email security. In this section, we will explain what 2-FA is and which method is best suited for GDPR compliance.


 

It happens every day: your work with a client has ended, and you need to transfer all the data. Of course, it has to be done securely, but how do you do this? The file contains, among other things, the client’s social security number and therefore sensitive personal data. Under the GDPR, such data must be secured accordingly. It is not secure if you send the file as an attachment to an email. After all, an error might be made, and the email could be sent to the wrong recipient, for example. The recipient could also easily forward the message to others, or leave their laptop unlocked. In all three scenarios, unauthorized persons have access to the file. If this happens, a data leak has taken place.

What is a secure manner of sharing sensitive data, then? In practice, this is not very clear. When is security adequate? Are the security measures to be taken dependent on the type of data you wish to transfer? These questions will likely be answered in future lawsuits, but you probably do not want to wait for that to happen.

 

Two-factor authentication

How does one securely send sensitive data? To achieve this, an organization has to use TLS, encryption of the content itself, and two-factor authentication. This section explains several types of two-factor authentication. Two-factor authentication (2-FA) is a security measure that uses two factors of different kinds to protect a computer system or to confirm the identity of a person. The thought behind it is that one factor alone is not enough.

When using 2FA, the security is more strongly guaranteed thanks to a combination of multiple factors, such as:

  • Something the user knows. It is usually a combination of a user name and a password, or a PIN code.
  • Something the user has. For example, an SMS containing a verification code sent to the user’s phone, an app that generates a single-use code, a hardware token, or an access pass. SMS is the weakest of these, because codes can be intercepted through SIM swapping.
  • Something the user is. It entails security based on the biometric characteristics of the user. For example, the facial recognition technology used in the latest smartphones, or a fingerprint or iris scan.

As you can see, multiple types of 2-FA are possible to secure data, such as a password and an SMS verification code, a password and a fingerprint, or a PIN code and a pass. It might be confusing and raises the question: which combination is best suited for which type of information?

 

What do government bodies say about 2-FA?

In addition to the legislation, there is a large amount of government body documentation on the security of personal data. In this documentation, the government offers more guidance about the use of 2-FA.

For example, in the Netherlands, the Dutch Data Protection Authority (AP) has imposed the use of 2-FA for patient portals in hospitals since 2016.

From this, it can be concluded that the AP wants medical files protected with 2-FA, which are considered sensitive personal data by the GDPR. The AP gives examples but does not clearly state what type of 2FA should be used. The Dutch National Cyber Security Center (NCSC) provides more clarity in the following statement:

‘The NCSC advises using two-factor authentication wherever possible, also called two-step verification. It consists of authentication utilizing two factors of different categories.

An example would be the use of a password and a single-use authentication code per SMS. Another possibility is a fingerprint scan and a password. In rare cases, a third factor is added.’

Based on the NCSC advice, using two passwords is not enough. The second securing layer has to be of a different category.

 

Conclusion

The statements above are clear: the cybersecurity community and information security authorities around the world highly recommend the use of 2-FA whenever possible. However, they do not go into detail about which type of 2-FA is best used or in which situations it applies best. This means organizations need an internal policy to clarify which types of 2-FA are suitable. Not all data is equally sensitive, but in the case of medical, financial, or legal files, it is clear that ‘adequate security measures’ have to be taken. It will be less critical in the case of an employee’s hour registration, for example. It is essential to determine the sensitivity of the different types of data and categorize them to decide which data has to be secured with 2-FA. It is not hard to apply 2-FA to your own account, but how will you, as an organization, deal with the transfer of personal data to external parties? To return to the example at the start of this section: what is the policy regarding sending sensitive or private data to other organizations or individuals? How do you find the 2-FA method that best suits the recipient? ZIVVER allows its users to employ several 2-FA methods to accommodate different scenarios and recipients.

Note: to adequately secure your data in a GDPR-compliant manner, you need more than just two-factor authentication. Think, for example, of TLS and encryption. For more information on this topic, please download the whitepaper below.

 

Download whitepaper encryption and privacy by design

06

Reporting a data leak: which steps do you take?

One of the essential GDPR rules is the procedure for reporting a data leak, which we describe in this section.


 

You, of course, hope never to need the information on this topic, since if you do, it is likely a data leak has occurred. Sadly, it is not a matter of whether, but when a data leak happens in your organization. It's highly advisable to be prepared. By following the steps below, you can be confident you have not missed anything when reporting a data leak.

 

It’s impossible to stop all data leaks.

Let us start by stating that data leaks are inevitable. Many of your employees work with data all day long. They are on the phone, on social media, print things, and send dozens of emails a day. A data leak can occur very easily. If an employee leaves a printed document lying around, forgets to lock their computer screen, or sends information to the wrong recipient, you already have confidential information in the hands of unauthorized persons.

If this happens, should you report the data leak? If so, what information do you need to do this, and whom should you inform? In the following, we will describe five aspects that play a role in reporting a data leak under the GDPR.

 

Reporting a data leak

In the case of personal data leaks, the organization has to report it to their local Data Protection Authority (DPA). Before you can do this, you need to take the following steps.

 

1.      Make sure your employees know that they have to report a data leak

If it happens, the data leak has to be reported. The first step is for the employee to report it to the Chief Information Security Officer (or Data Protection Officer) of their own organization.

In practice, not all data leaks are reported. It can be due to several causes. It can be that the parties involved are unaware that they have caused a data leak. It is also possible that they fear for their position within the company if they report the data leak. Some employees take the risk of not reporting the data leak and hope that their mistake will never be discovered.

It could very well be the hardest step of the entire reporting process. Employees need to be aware of the importance of proper personal data protection. The culture and atmosphere within a company can be a reason for employees to stop data leak reporting. Therefore, even if the data leak happened due to negligence, it's essential that employees don't feel intimidated. Reporting a data leak should be simple, such as by using an internal form.

 

2.      Gather information about the data leak

Only when you know what has happened can the CISO decide whether the data leak has to be reported to the local Data Protection Authority. You will at least need the following information:

What exactly happened?

To determine whether this has been a security incident or a data leak, you have to know exactly what happened and when it happened. If you are sure that illegitimate processing of the data has taken place, it is a data leak. Otherwise, it is a security incident.

For example:

One of your employees unintentionally sends an email containing figures of a client to a journalist they sometimes work with. The journalist instantly realizes this and deletes the email without looking at the data. In this case, there has been a security incident, but you can prove that no illegitimate processing of the data has taken place.

What type of data is it about?

It is essential to know what type of data is concerned. Is it about sensitive personal data or data that can have negative consequences in any other way on the protection of personal data? If a social security number is accidentally made public, this can have severe consequences for your client, such as identity theft. You need this information to determine the implications of the loss of specific data.

 

3. Determine whether the data leak has to be reported and limit the damage

Based on the information above, you can determine whether the data leak has to be reported. You can use the following question to do so:

Was personal data lost during the security incident, or can you not rule out that the data has been illegitimately processed?

Yes > This is a data leak. You are obliged to report it.

No > This is not a data leak. You do not have to report it.

If you know it is a data leak, try to limit the damage as much as possible: destroy the incorrect print-out, withdraw the authorization, or retract incorrectly sent emails.

4. Report the data leak to the local Data Protection Authority (if necessary)

If you have to report a data leak, you can usually do this by using the report form on the website of your local Data Protection Authority. You will need the information from step two of this article for this. Additionally, you have to indicate the impact of the data leak, whether the parties involved have been informed, and what measures you have taken to prevent such a leak from happening again.

5. Report the data leak to the parties involved (if necessary)

If the parties involved need to be informed of the data leak, the local DPA wants this to be done ‘without undue delay.’ There are no further indications as to how this has to be done. It is essential to carefully consider how you are going to inform those involved, such as your clients. Your organization’s reputation is going to suffer quite some damage. An excellent way to go about this is by advising them on how to deal with the consequences of the data leak. Make sure that you have prepared communication templates you can quickly send, should a data leak occur. Keep in mind that if you have to provide an overview of the leaked data, you must do this securely.

How do you deal with data leaks?

The most substantial part of the work in dealing with the data leak notification obligation lies in the early stages, since it requires a high level of awareness in the organization. Want to know how to increase awareness regarding privacy and the GDPR in your organization? Download the e-book below to find out.

Download the e-book

07

Secure email solution by ZIVVER

ZIVVER can provide you with a secure email solution, regardless of the size of your business!

Rick Goud

CEO

ZIVVER is a secure email platform that focuses on preventing data leaks caused by human error. ZIVVER protects businesses against the repercussions of data leaks, such as reputational damage and GDPR fines. It also protects your customers against unwanted access to their private information.

Benefits of implementing ZIVVER in your organization:

  • Real-time monitoring of recipients, email, and attachments
  • Email retraction
  • Asymmetrical encryption
  • 2FA for accessing emails
  • Outlook plugin
  • Web and mobile applications
  • Guest user support
  • Secure conversation starters
  • Corporate guest branding

ZIVVER's secure email solution is the most comprehensive and future-proof on the market. Implementation is a breeze, and the learning curve is minimal since ZIVVER integrates seamlessly with Outlook, and its web and mobile platforms resemble popular email clients. It also gives you the option to customize the secure email environment according to your corporate branding. Conversation starters for guest users are another opt-in feature, allowing guest users to start an email conversation in the same secure environment used by your organization.

ZIVVER helps your organization to achieve GDPR compliance

By implementing ZIVVER in your organization, you’ll address one of the main GDPR requirements: the protection of sensitive and private data. Additionally, ZIVVER is a Dutch company. The Netherlands is known for being a pioneer of data privacy laws. Respect for individual privacy is part of the Dutch DNA, and therefore part of ZIVVER's as well. Moreover, ZIVVER is always a step ahead by adapting its services before new legislation is put in place.

File sharing up to 5TB

One unique ZIVVER feature is the ability to send up to 5TB of data as an email attachment. No other service in the world offers such a large file-sharing capability via an email attachment. The chances are that you will never have to transmit a data set this big. However, the old saying "never say never" applies: as time goes by, data becomes denser, and storage solutions increase in size accordingly. Either way, the option is there, and you will never have to worry about the size of the files you wish to share. If in the future 5TB file sharing becomes part of the routine, ZIVVER will have you covered.

The safest method of email encryption

ZIVVER employs asymmetric email encryption, which uses two keys to protect a message. Only the public key is exchanged over the internet: it is made freely available to anyone who might want to send an email to you. The private key is never shared and is kept secret, so that only the intended recipient(s) can decrypt and read the email. This is the difference from symmetric encryption, where anyone who obtains the single secret key can decrypt the message, and it is why asymmetric encryption uses two related keys to boost security.

Two-factor authentication (2FA) for recipients

Every email sent via ZIVVER requires that the recipient identifies themselves via two-factor authentication (2FA). This way, there is never any doubt that the message reaches the correct individual(s). ZIVVER allows 2FA via a code sent to the recipient's mobile phone, via email, or via 2FA apps (such as Google Authenticator).

Are you curious about the positive impact that the ZIVVER service can have on your organization? Check out our pricing plans.

Get started with ZIVVER today