How to Maintain GDPR Compliance with DMARC

Learn how you can use DMARC to get better visibility into all the services sending email in your name to better reach and maintain GDPR compliance.

By now, you’ve undoubtedly read a lot of stories about how one technology or another is going to provide a magic solution for compliance with GDPR, the European privacy law that went into effect May 25.

This is not that kind of a post. GDPR is, frankly, extremely complicated and there are no silver bullets. I’m not going to be all sunshine and rainbows about it: GDPR compliance is probably going to require a lot of time and a lot of lawyers. (And the definition of what GDPR compliance even means will probably change over the coming months and years, as various cases work their way through the courts.)

There is, however, one extremely useful tool you should add to your compliance toolkit: DMARC.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union (EU) that went into effect on May 25, 2018. It aims to protect the personal data of EU residents by giving them greater control over how their data is collected, processed, and stored by organizations.

GDPR applies to all companies, regardless of location, that handle the personal data of EU citizens. And that means it probably applies to you. Even if it didn’t, GDPR demands good privacy controls that protect consumers—and that’s the future of communication.

Data subjects (individuals whose data is being processed) have several rights under GDPR, including the right to access their data, the right to correct inaccuracies, and the right to have their data deleted. Additionally, organizations are required to implement appropriate technical and organizational measures to safeguard personal data from unauthorized access, loss, or disclosure.

Failure to comply with GDPR can result in severe penalties, including fines of up to €20 million or 4% of the company’s annual global revenue, whichever is higher. The regulation also mandates that organizations report certain types of data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.

How DMARC Helps with GDPR Compliance

The value of DMARC for GDPR is quite simple: It provides visibility into all the services that are sending email in your name.

At a time when the average company uses 91 different cloud-based marketing tools — many of which send email “from” you — this is a handy thing to have.

That’s because GDPR requires you to have Data Processing Agreements (DPAs) with every cloud service provider that handles European consumers’ data on your behalf. And email addresses count as consumer data — not to mention any other data you might be sharing with a provider of email services, such as the names associated with those email addresses, open rates, tracking of any links the recipients might click on, etc.

The problem is that most companies have only a vague idea of which cloud services they use. Bob in Marketing might have set up an account with some Salesforce add-on years ago that no one outside his team is using and nobody in IT ever heard about. But meanwhile, it’s sending email to customers and prospects.

In most organizations, there’s no easy way to find all these “shadow IT” cloud services. But if they send email using your company’s domain name(s) in the From field, DMARC reveals these services.

That’s because, once you have DMARC in place, you get reporting. If DMARC is correctly configured for your domains, every message with your domains in the “From” field that hits a DMARC-compliant mail gateway (which translates to 75% of all the inboxes in the world) will generate a line in an aggregate report (RUA) that gets sent back to you. These reports give you the data you need to identify the senders — and from there, to make sure your company has a DPA in place with each one.

For this purpose, DMARC can be set to a monitor-only policy (p=none). Although that provides no protection from email impersonation, it does allow companies to start collecting aggregate reports and gaining visibility.

And once you move your DMARC policy from simple visibility to enforcement (p=quarantine or p=reject), you can guarantee that only those senders with which you’ve signed a DPA will be authenticated and therefore able to send email on your behalf. That will then protect you from any unintended distribution or collection of data in your name.

Use Valimail to Read DMARC Reports

DMARC reports can be very difficult to parse. They’re essentially raw XML files listing senders by IP address. Valimail’s Service Identifier translates those into a much more readable list of services, and does it with great accuracy and detail. Valimail’s free domain analysis shows this in action, and can give you a snapshot of exactly who is sending mail for you.
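To make the aggregate-report mechanism described above concrete, here is an added example (not Valimail’s code and not from the original post) that parses a constructed RUA report in the standard XML layout, totals messages per sending IP, and lists the sources that sent mail “from” the domain without passing aligned SPF or DKIM. Those are the candidate shadow-IT senders to identify and cover with a DPA; the IPs, domains and counts are invented sample values, and real reports arrive as gzipped or zipped attachments that you would decompress first.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (RUA) report: one authorized
# source that passes aligned DKIM/SPF, and one SaaS mailer that authenticates
# only for its own domain, so it fails DMARC alignment for example.com.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>mailer-saas.example.net</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""


def summarize_rua(xml_text):
    """Return (published policy, {source_ip: summary}) aggregated over all records."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        # policy_evaluated carries the *aligned* results DMARC actually uses.
        aligned = (rec.findtext("row/policy_evaluated/dkim") == "pass"
                   or rec.findtext("row/policy_evaluated/spf") == "pass")
        # Domains that authenticated at all (aligned or not) hint at which vendor it is.
        auth_domains = {d.text for d in rec.iter("domain") if d.text}
        entry = sources.setdefault(ip, {"count": 0, "dmarc_pass": False, "auth_domains": set()})
        entry["count"] += count
        entry["dmarc_pass"] = entry["dmarc_pass"] or aligned
        entry["auth_domains"] |= auth_domains
    return policy, sources


def unreviewed_senders(xml_text):
    """IPs that sent mail 'from' the domain but never passed aligned DKIM or SPF."""
    _, sources = summarize_rua(xml_text)
    return sorted(ip for ip, s in sources.items() if not s["dmarc_pass"])
```

With the report’s policy still at p=none nothing is blocked; once every legitimate source in this list passes alignment, the same summary tells you the policy can safely move to p=quarantine or p=reject.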

Finally, Valimail’s infrastructure is also GDPR-ready, Privacy Shield certified and SOC2 Type 2 compliant. And we handle no PII (personally identifiable information), so you’re not putting any customer data at risk when you use us to automate your DMARC deployment and management.

Take the first step towards DMARC enforcement and GDPR compliance by signing up for Valimail Monitor. Our tool simplifies the process of reading and understanding DMARC reports, giving you clear visibility into all the services sending email on your behalf. With Valimail Monitor, you can guarantee your email infrastructure is secure, your domain is protected, and your compliance efforts are streamlined.

Sign up today for Valimail Monitor (for free) and take control of your email security.
