Congratulations, you DO have to comply with GDPR

I like a good crime story. I always enjoy learning the machinations of some “perfect crime” and the detective’s efforts to unravel the details in time. In a way, it offers an escapist view into what we do every day. But while the bad guys in the movies are often cast as anti-heroes trying to score “one last job”, our bad guys are just trying to take money or disrupt our business.

Maybe that’s why I always find myself utterly enthralled in the details of a new phishing attack vector. I subscribe to a few blogs that get into new attacks pretty deeply, and the things the bad guys are doing these days are insanely clever, like going after payroll systems because the invalid transactions have to be detected by employees who didn’t get their paycheck, which typically gives the attacker an extra 2 weeks before being detected. Or a new one I saw just today where attackers use a compromised account to forge legitimate communications to send infected documents to people who would otherwise have no reason to suspect anything was amiss. As I’ve mentioned before, it’s a whole lot easier to get someone to click on a link than to remotely execute code on their machine.

But the fact that these attacks are known to researchers means they’ve been detected and beaten…to varying degrees. Attackers continually experiment with new approaches, and researchers constantly chase.

If you’re doing security the old-fashioned way, you have little chance of avoiding compromise. Traditional anti-virus just isn’t designed to handle the current threat landscape, and most malware is fileless and runs in memory. And to echo what most researchers constantly push, the best defense is to ensure your systems are fully patched.

But as users, we take the “acceptable” amount of risk, buy only what seems relevant to our security needs, and try to avoid situations that feel risky. In essence, we apply our real-world security model to our online world. It isn’t enough, and at the end of May, some organizations are going to learn a very expensive lesson on systems & data security.

In the past 6 months, I have asked at least 150 IT people face-to-face if they’re ready for GDPR. One or two had concerns about international employees, but the overwhelming majority thought GDPR was what Douglas Adams would refer to as an SEP: somebody else’s problem.


Let’s clear this up right here, right now: if you have ever sent even so much as a digital newsletter to an EU citizen, GDPR could impact you. If you have information about an EU citizen in any of your systems, you are on the hook. Period. Full stop.

Ever gotten an email from an EU citizen that has a phone number in the signature? Congratulations: you own regulated data!

Now what are you going to do about it? With fines beginning at $4M or 4% of your company’s gross annual revenue (whichever is higher!), this is not a regulation we can safely ignore just because we’re on the other side of the pond. The internet doesn’t care where you do business.

The good news is there’s still time, but not a lot. I’ve found a handy countdown timer for reference:

So you have that much time to secure your systems, but GDPR is more than system security: it’s policy and process, as well. The good news is that if you’re running Microsoft cloud solutions, the systems are largely in place. Almost all Office 365 and Azure systems and services are—and have been—compliant with the new regulations. Even better, if you happen to be running Microsoft 365 E5, you have a custom-built suite of capabilities seemingly designed to meet the new regulations head-on, with Data Loss Prevention, information protection, Advanced Data Governance, multi-factor authentication, Advanced Threat Protection (all 3 flavors: Windows Defender, Azure, and Office 365), Cloud App Security, Identity Protection, you name it.

If you’ve already moved down that path, your principal concern will be policy. Conveniently, Microsoft has put together some tools at to help, including some brief interactive questionnaires to help you understand just how much work you’re facing to be ready for the May deadline. Of course, those tools only help you understand where you are today. There are several dozen controls and policies that have to be in place, and just having the E5 suite doesn’t mean it’s been fully implemented.

We have a ton of experience in the Microsoft 365 space. It’s pretty much where we got our start, where we claim our 1M+ deployed seats through Office 365 & EM+S, and where we’ve supported clients all over the world deploy and maintain scalable security solutions. We’re ready to put on our detective hats and jump into your story, bracing you for the crime drama lurking beyond the May 25 deadline.