So first off, I have a confession to make: I stole the title of this post from someone else!
The companies were called Dracoon and NetSphere and they did a joint presentation which I saw at this year’s Infosecurity Europe conference. The former developed a file sharing app and the latter an instant messenger, both of which are fully GDPR certified.
Amongst all the presentations, theirs was one that seemed to me to strike at the heart of a real-world problem that most of us can relate to, but the specifics of which might not be obvious to all — though one of our charity clients raised some related concerns in a recent meeting.
That concern was around how, when communicating with young people using a forum like WhatsApp, you can control not only the content of the messages – to prevent abuse or inappropriate language perhaps – but also protect the personal details – i.e. the phone number – of the group members. Who has the responsibility to police the conversations and the material shared? How do you do that? Where exactly is that data stored for GDPR purposes?
The problem of using third-party, and often free, tools like WhatsApp (to have conversations) and Dropbox (to share files) in a GDPR-regulated world is not trivial. The paid-for versions are less of a problem, because you get some additional security through the SLA but also through some form of centralised management. But the convenience of free messaging and file transfer services is simply, in many cases, too easy to pass up.
Now, this isn’t a sales pitch for any specific alternative products, but it is worth just briefly explaining their thinking. The problem they are addressing is how to use messenger and file sharing applications securely, keeping it within your managed environment and under your control. Since email is now considered pretty old fashioned and an overly formal way of communicating, and instant messaging is so prevalent and easy to use, the question of how to control what’s stored there is an increasingly important one in order to prevent your data leaking out all over the place.
What’s the problem?
Take file sharing. You need to transfer a file to someone outside your organisation but it’s too big to email. Without thinking, you upload it to your personal Dropbox, or maybe WeShare, and send it on. What do you do next? Do you delete that file from your personal Dropbox account? Probably not. Do you stop sharing that folder with the person after they get it? Again, maybe not. Have you shredded only that file or folder? Are you sure?
So you have a GDPR problem; you don’t know where all your company data is anymore, nor who it’s shared with.
The problem from a compliance point of view is simple: if you are not in control of your data, including files and personally identifiable information, you may have a breach.
What’s the Solution?
Now here’s where I pitch using Office 365, right? Well, sort of. In fact, it doesn’t actually matter what you use, as long as you are in control of it.
Yes, we use Office 365, and so do all our clients. Do they also use Dropbox and WhatsApp? I’d be surprised if every single one of our supported users didn’t use at least one of these two things.
We only use our Office 365 account for all file access and storage, plus a limited selection of tools on our office server (no data though). We communicate almost exclusively through the Teams mobile app, again all kept within the Office 365 environment, though we also use Signal, a great – and highly secure – alternative to WhatsApp for more social messaging.
If we need to share a document with anyone, we set a time limit on the access and set it to Read Only to prevent the person from editing it. We also have separate controls on emails sent to external recipients: they alert us if a message matches certain data formats, such as a bank account sort code or account number, a national insurance number, or other identifiable data, so we know if someone has sent something outside our organisation that they perhaps should not have done.
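The outbound-email check described above is essentially pattern matching over the message body. The following is an added illustration of how such a rule can work, written for this post rather than taken from it or from any Office 365 DLP policy; the regular expressions, the NI-number prefix rules and the sample email are constructed here, and the pairing of the weak eight-digit pattern with a sort code is one common way real DLP policies keep false positives down.

```python
import re

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# Prefix rules: first letter is never D, F, I, Q, U or V; second letter is
# additionally never O; the pairs BG, GB, KN, NK, NT, TN and ZZ are not issued.
NI_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b",
    re.IGNORECASE,
)
BAD_NI_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}
# Sort code written with separators (XX-XX-XX or XX XX XX); six bare digits
# would match far too much ordinary text.
SORT_CODE_RE = re.compile(r"\b\d{2}[- ]\d{2}[- ]\d{2}\b")
# Eight bare digits: only reported when a sort code is also present, because
# on its own the pattern matches invoice numbers, dates and the like.
ACCOUNT_RE = re.compile(r"\b\d{8}\b")


def valid_ni_number(candidate: str) -> bool:
    """True if the string is a structurally valid NI number (format only)."""
    m = NI_RE.fullmatch(candidate.strip())
    return bool(m) and m.group(1).upper() not in BAD_NI_PREFIXES


def scan_outbound(body: str) -> dict:
    """Return {kind: [matches]} for identifiable-data patterns in a mail body."""
    findings = {}
    ni = [m.group(0) for m in NI_RE.finditer(body)
          if m.group(1).upper() not in BAD_NI_PREFIXES]
    if ni:
        findings["ni_number"] = ni
    # Remove NI matches first so their digit groups (e.g. "12 34 56") are not
    # re-reported as a sort code; stronger patterns take precedence.
    remaining = NI_RE.sub(" ", body)
    sort_codes = SORT_CODE_RE.findall(remaining)
    if sort_codes:
        findings["sort_code"] = sort_codes
        accounts = ACCOUNT_RE.findall(remaining)
        if accounts:
            findings["account_number"] = accounts
    return findings


# Constructed sample of an outbound email body (not real data).
SAMPLE_MAIL = ("Hi, please pay into sort code 40-47-84, account 12345678. "
               "My NI number is AB 12 34 56 C. Thanks!")

if __name__ == "__main__":
    for kind, hits in scan_outbound(SAMPLE_MAIL).items():
        print(f"ALERT {kind}: {hits}")
```

A real policy would act on these findings (block, quarantine or alert an administrator) rather than print them, and would apply the same checks to attachments.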
Can you force people to use your tools?
This is difficult. It’s hard to force people not to use WhatsApp on their phones. If you provide staff with company mobiles you can manage them with things like Intune to restrict what applications they can install on them, but not their personal devices.
You can prevent people from installing Dropbox on their company PCs quite easily, by restricting admin rights. You can also use basic web filtering to stop them from accessing third-party file sharing sites on their PC or on personal devices on your network. But unless you want to get very draconian about it, totally restricting all these things might be more trouble than it’s worth, and there is always going to be the odd exception to the rule.
What you can do is provide the tools to everyone that they should be using and make it clear that they shouldn’t be using anything else. If you have written policies that govern this—and you should—then you should make everyone sign up to your code of practice. That way you can at least prove that you have taken reasonable steps. If someone breaches those rules you can prove that you did make it clear that they shouldn’t have used anything else, and the fault is on the user; though as the employer you might not totally escape liability.
As always, user education and awareness are key. Give people the tools they need to do their job and make it clear why they are there and what the implications are for going outside that.
If you’re interested in learning more, give us a call. We’re always happy to chat.