We’re just a few short months away from the EU General Data Protection Regulation (GDPR) coming into force on May 25th, promising an unprecedented shake-up of the way businesses manage and secure data. Any organization that collects or processes data relating to EU citizens is likely to fall under the regulation, making it a priority for any company with a global scope.
Some organizations are worried that the GDPR’s strict new mandates on the way data is collected and used will be too restrictive and prevent them from operating effectively. Others feel it will inhibit innovation around data analysis, with companies being afraid to develop solutions due to the risk of infringing on the regulation.
However, I believe the intent of the regulation was never to stifle business innovation or economic activity. GDPR is unusually broad for a regulation of its stature, giving companies a great deal of freedom in how they approach its requirements. All businesses should be able to follow the data security and privacy requirements specified in the regulation without severely limiting how they operate and innovate.
GDPR has the concept of both a data Controller and a data Processor. A controller of data is also a processor, but not all processors are considered controllers. As Agari has staff who are based in the EU and who are EU citizens, Agari is considered a controller of information under the GDPR. This means we have a significant duty to safeguard the employee data we hold and to notify our EU citizen employees if any data breach occurs.
Because Agari’s products, both Customer Protect and Enterprise Protect, operate on data that could be considered Personally Identifiable Information (PII) under the definitions of the GDPR, including personal email addresses, Agari is considered a data processor as well. The remainder of this blog will focus on the processor aspects of the GDPR and how they affect Agari’s products and customers of Agari’s products.
We use Amazon Web Services to handle all data processing and storage, which ensures that the data is fully secured and encrypted at rest and in flight. Amazon has been very vocal about its compliance with the GDPR and has provided a useful guide on how its services enable compliance here.
Customer Protect operates on DMARC aggregate and forensic data that email receivers provide to Agari once Agari’s customers have authorized those receivers to share it.
Organizations that publish DMARC records can request aggregate reports (via the rua= Reporting URI tag), forensic reports (via the ruf= Reporting URI tag), or both; Agari Customer Protect uses these aggregate and forensic reports to deliver the service.
“Internet Protocol (IP) addresses may be considered personally identifiable information (PII) if they can be used to identify a specific individual. In some jurisdictions, the IP address assigned by your Internet Service Provider (ISP) to your home modem may be considered PII.
The IP addresses in the DMARC reports are those of the originating Message Transfer Agent (MTA). While people can run their own MTA, the vast majority of email is sent via MTAs that act as gateways or relays for email from many individual senders. In this general case, the reported IP addresses would not be considered PII on their own as they are not assigned directly to specific individuals.”
DMARC forensic data (RUF) does contain the email address of the sender of the message that failed DMARC, and in some cases that email address could be considered PII. Agari discards and permanently destroys all RUF data after 14 days. Customers who would like to limit the collection of all RUF data have two options:
- Publish a DMARC record without the ruf= field. This ensures that no RUF data is sent by the ISPs to Agari, and therefore Agari collects and processes no PII from forensic reports.
- Within Customer Protect, select the ‘Modified Data Collection’ policy. This strips out ALL PII, including any email addresses, and Agari will not store any PII received from RUF data. This data is permanently discarded before being stored in the Agari systems and is not available for recovery.
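The two options above come down to a configuration check (is ruf= present in the published record?) and a data-minimization step (strip email addresses from forensic reports before storage), with a 14-day retention clock on whatever is kept. The following is an added example, not Agari’s code or the code behind Customer Protect: it parses a DMARC TXT record to report whether forensic reports are being requested, redacts email addresses from a constructed forensic-report excerpt, and checks a stored record against the 14-day retention window. The example.com / example.org domains, mailbox names and report excerpt are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records (example.com domains, not real published policies).
RECORD_WITH_RUF = (
    "v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
    "ruf=mailto:dmarc-ruf@example.com; fo=1"
)
RECORD_WITHOUT_RUF = "v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def report_uris(record: str, tag: str) -> list:
    """Return the comma-separated report URIs for 'rua' or 'ruf' (empty if the tag is absent)."""
    value = parse_dmarc(record).get(tag, "")
    return [uri.strip() for uri in value.split(",") if uri.strip()]


def requests_forensic_reports(record: str) -> bool:
    """True when the record carries a ruf= tag, i.e. receivers are asked to send
    per-message forensic reports, which include the failing sender's email address."""
    return bool(report_uris(record, "ruf"))


# Minimal email-address pattern for redacting free text (not a full RFC 5322 parser).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact_email_addresses(text: str, placeholder: str = "[redacted]") -> str:
    """Replace every email address in a report excerpt before it is stored."""
    return EMAIL_RE.sub(placeholder, text)


# Retention limit stated in the post: forensic data is destroyed after 14 days.
RUF_RETENTION = timedelta(days=14)


def past_retention(received_at: datetime, now: datetime) -> bool:
    """True once a stored forensic record has reached the retention limit and must be destroyed."""
    return now - received_at >= RUF_RETENTION


# Constructed excerpt of a forensic (RUF) report body, as a receiver might send it.
SAMPLE_RUF_EXCERPT = (
    "Feedback-Type: auth-failure\n"
    "Source-IP: 203.0.113.10\n"
    "Original-Mail-From: alice.sender@example.org\n"
    "Reported-Domain: example.com\n"
)
# Constructed receipt timestamp for the retention check.
SAMPLE_RECEIVED = datetime(2018, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, rec in (("with ruf", RECORD_WITH_RUF), ("without ruf", RECORD_WITHOUT_RUF)):
        print(f"{name}: forensic reports requested = {requests_forensic_reports(rec)}")
    print(redact_email_addresses(SAMPLE_RUF_EXCERPT))
    print("past retention:", past_retention(SAMPLE_RECEIVED, SAMPLE_RECEIVED + RUF_RETENTION))
```

Note that the redaction keeps the source IP, which the quoted guidance treats as the MTA's address rather than PII on its own, while the Original-Mail-From address, the field the post identifies as potential PII, is replaced before anything is written to storage.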
Agari Enterprise Protect, which defends organizations from targeted attacks such as Business Email Compromise, is impacted by the GDPR. The solution collects email addresses, which are a form of Personally Identifiable Information (PII) and are therefore included in the regulation.
Based on Agari’s understanding of GDPR, in consultation with other large, multinational organizations doing business in the EU, data containing personally identifiable information (PII) as defined by GDPR, including email addresses of individuals, may lawfully transfer and reside outside of the EU boundary for the purposes of processing such data to legitimately protect their organizations from cyber attacks.
Specifically, Chapter 2, Article 6 – Lawfulness of processing, Section 6 states that:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Chapter 5, Article 46 – Transfers subject to appropriate safeguards, Section 2.3:
- In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
- The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
  - a legally binding and enforceable instrument between public authorities or bodies;
  - binding corporate rules in accordance with Article 47;
  - standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
  - standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
  - an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  - an approved certification mechanism pursuant to Article 42 (https://gdpr-info.eu/art-42-gdpr/) together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
Specifically (Rec. 56-57; Art. 25(1)-(6), 31(2)), cross-border data transfers to a recipient in a third country may take place if the third country ensures an adequate level of data protection. Adequacy shall be assessed in the light of all circumstances surrounding the transfer, in particular:
- the nature of personal data;
- the purpose and duration of processing;
- country of origin and country of final destination;
- the rule of law; and
- professional rules and security measures.
The Commission may determine third countries to be Adequate Jurisdictions.
It is Agari’s belief and assumption that we meet all applicable data protection requirements as laid out by GDPR for the purposes of cross border transfers of information, data processing, and data retention.
As a security specialist, Agari has always had the protection of all data in our care ingrained in its culture. Whether it’s that of our own employees, or information collected as part of our email analysis, we are confident that we will meet and exceed the demands of the EU GDPR when it comes into force.
If you have any further questions, please contact your Agari Account Manager or Customer Success Manager.