We’re just a few short months away from the EU General Data Protection Regulation (GDPR) coming into law on May 25th, promising an unprecedented shake up of the way businesses manage and secure data. Any organization that collects or processes data relating to EU citizens is likely to fall under the regulation, making it a priority for any company with a global scope.
Some organizations are worried that the GDPR’s strict new mandates on the way data is collected and used will be too restrictive and prevent them from operating effectively. Others feel it will inhibit innovation around data analysis, with companies being afraid to develop solutions due to the risk of infringing on the regulation.
However, I believe the intent of the regulation was never to stifle business innovation or economic activity. GDPR is unusually broad for a regulation of its stature, giving companies a great deal of freedom in how they approach its requirements. All businesses should be able to follow the data security and privacy requirements specified in the regulation without severely limiting how they operate and innovate.
GDPR has the concept of both a data Controller and a data Processor. A controller of data is also a processor, but not all processors are considered controllers. As Agari has staff both based in the EU and comprising EU citizens, Agari is considered a controller of information under the GDPR. This means we have a significant duty to safeguard the employee data we hold and to notify our EU citizen employees if any data breach occurs.
Because Agari’s products, both Customer Protect and Enterprise Protect, operate on data that could be considered Personally Identifiable Information (PII) under the definitions of the GDPR, including personal email addresses, Agari is considered a data processor as well. The remainder of this blog will focus on the processor aspects of the GDPR and how they affect Agari’s products and customers of Agari’s products.
We use Amazon Web Services to handle all data processing and storage, which ensures that the data is fully secured and encrypted at rest and in flight. Amazon has been very vocal about its compliance with the GDPR and has provided a useful guide on how its services enable compliance.
Customer Protect operates on DMARC aggregate and forensic data provided to Agari by email receivers after receiving authorization to provide that data to Agari from Agari’s customers.
Organizations that publish DMARC records have the option of requesting Reporting URI(s) for aggregate data (RUA), Reporting URI(s) for forensic data (RUF), or both. Agari Customer Protect leverages these aggregate and forensic reports in the delivery of the service.
“Internet Protocol (IP) addresses may be considered personally identifiable information (PII) if they can be used to identify a specific individual. In some jurisdictions, the IP address assigned by your Internet Service Provider (ISP) to your home modem may be considered PII.
The IP addresses in the DMARC reports are those of the originating Message Transfer Agent (MTA). While people can run their own MTA, the vast majority of email is sent via MTAs that act as gateways or relays for email from many individual senders. In this general case, the reported IP addresses would not be considered PII on their own as they are not assigned directly to specific individuals.”
DMARC forensic data (RUF) does contain the email address of the sender of the message that failed DMARC, and in some cases that email address could be considered PII. Agari discards and permanently destroys all RUF data after 14 days. However, customers who would like to limit the collection of all RUF data have two options: 1) publishing a DMARC record without the ruf= field ensures that no RUF data is sent by the ISPs to Agari, and therefore Agari collects and processes no PII; or 2) within Customer Protect, customers can select a ‘Modified Data Collection’ policy which strips out ALL PII, including any email addresses, so that Agari stores no PII received from RUF data. This data is permanently discarded before being stored in the Agari systems and is not available for recovery.
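An added illustration of the two options above, not code from the original post or from Agari: a small checker that parses a DMARC TXT record to tell whether it still requests forensic (RUF) reports, removes the ruf= tag when it does, and redacts email addresses from a forensic report before storage. The DMARC records and the ARF-style report fragment are constructed sample values, and the redaction is a simplified stand-in for whatever Agari’s ‘Modified Data Collection’ policy actually does.

```python
import re


def parse_dmarc(record):
    """Split a DMARC TXT record (RFC 7489) into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def requests_forensic_reports(record):
    """True if the record is a DMARC record and asks receivers for RUF (forensic) reports."""
    tags = parse_dmarc(record)
    return tags.get("v", "").upper() == "DMARC1" and bool(tags.get("ruf"))


def strip_ruf_tag(record):
    """Return the record without its ruf= tag; receivers then send no forensic reports.
    fo= may stay: it only selects failure-reporting options and has no effect without ruf=."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    return "; ".join(p for p in parts if not p.lower().startswith("ruf="))


# Simplified email matcher used to redact sender addresses from forensic report text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact_emails(report_text):
    """Replace every email address in a forensic report with a fixed marker before storage."""
    return EMAIL_RE.sub("[redacted]", report_text)


# Constructed sample records (example.com is a documentation domain, not a real customer).
RECORD_WITH_RUF = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
                   "ruf=mailto:dmarc-fail@example.com; fo=1")
RECORD_WITHOUT_RUF = "v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com"

# Constructed ARF-style forensic report fragment; the MTA IP is kept, the sender address is PII.
SAMPLE_RUF = (
    "Feedback-Type: auth-failure\n"
    "Source-IP: 203.0.113.7\n"
    "Original-Mail-From: alice.person@example.org\n"
    "Reported-Domain: example.com\n"
)

if __name__ == "__main__":
    print(requests_forensic_reports(RECORD_WITH_RUF), strip_ruf_tag(RECORD_WITH_RUF))
    print(redact_emails(SAMPLE_RUF))
```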
Agari Enterprise Protect, which defends organizations from targeted attacks such as Business Email Compromise, is impacted by the GDPR. The solution collects email addresses, which are a form of Personally Identifiable Information (PII) and are therefore included in the regulation.
Based on Agari’s understanding of GDPR, in consultation with other large, multinational organizations doing business in the EU, data containing personally identifiable information (PII) as defined by GDPR, including email addresses of individuals, may lawfully transfer and reside outside of the EU boundary for the purposes of processing such data to legitimately protect their organizations from cyber attacks.
Specifically, Chapter 2, Article 6 – Lawfulness of processing, Section 6 states that:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Chapter 5, Article 46 – Transfers subject to appropriate safeguards, Section 2.3:
Specifically, Rec.56-57; Art.25(1)-(6), 31(2) Cross-Border Data Transfers to a recipient in a third country may take place if the third country ensures an adequate level of data protection. Adequacy shall be assessed in the light of all circumstances surrounding the transfer, in particular:
The Commission may determine third countries to be Adequate Jurisdictions.
It is Agari’s belief and assumption that we meet all applicable data protection requirements as laid out by GDPR for the purposes of cross border transfers of information, data processing, and data retention.
As a security specialist, protecting all of the data in our care has always been ingrained in Agari’s culture. Whether it’s that of our own employees, or information collected as part of our email analysis, we are confident that we will meet and exceed the demands of the EU GDPR when it comes into force.
If you have any further questions, please contact your Agari Account Manager or Customer Success Manager.