Protecting sensitive emails and meeting compliance with GDPR

National Star

The Challenge

  • National Star needed an email security solution to reduce data leaks caused by human error, including missent emails, failure to use Bcc properly, and sharing sensitive data without proper encryption.
  • The solution needed to integrate with M365 and enable every employee across the organization to email securely.
  • Meeting compliance is a priority for the team and having visibility of email performance was key.

The Solution

  • Zivver Secure Email identifies sensitive data according to organisational business rules, alerting users when they should encrypt before sending.
  • Zivver integrates seamlessly with M365, intervening with workflows only when an email needs further attention.
  • Security and IT teams have visibility of emails sent, can recall if an email is sent in error, and identify the true scale of a data breach in the instance that sensitive data is missent.

National Star is a charity dedicated to enabling young people with disabilities to realise their potential through education and personalised learning opportunities. The college offers full and part-time residential and day courses for around 200 students aged between 16 – 25 years old, as well as long- and short-term accommodation. Working closely with third-party agencies, including local authorities and the NHS, the team needed a secure email solution to protect confidential data.

We spoke with Director of Business Improvement, Simon Bridgnell, IT Infrastructure Engineer, Matt Overton, and Data and Information Officer, Heather Drewett, to understand how Zivver is supporting them:

Reducing data breaches caused by human error

“Over 50% of our data breaches were caused by human error,” Simon explains. “Mainly emails being sent to the wrong person. We’d had too many breaches, some reportable to the Information Commissioner's Office (ICO), and so we needed to put measures in place to prevent these incidents.”

“A few of our employees who frequently engage with local authorities were using Egress. We were also relying on the native functionality in Microsoft 365,” Simon says.

“We wanted something that could be implemented across the company that wouldn’t be disruptive to roll out and wasn’t complex for our employees. A peer of mine who works at a college was using Zivver and recommended it. Compared to other solutions on the market, Zivver’s implementation is very simple.”

Giving people the choice to encrypt

Simon explains how National Star leverages Zivver to empower people to behave securely, without enforcing security: “Our email security solution needs to be light touch; we didn’t want it to impact our internal communication, and it couldn’t be intrusive or forceful. Compliance was also a factor.

“With Zivver, we don’t enforce encryption. Zivver prompts the user and recommends when an email should be encrypted according to policy and best practice. However, the employee can override the recommendation if necessary. Zivver enables choice but also protects our people.”

Protecting data and ensuring compliance

Matt explains how Zivver supports the organisation to meet their compliance responsibilities under GDPR: “We primarily share confidential health information through Zivver. Our nursing staff and residential staff are the most frequent users of Zivver as they regularly engage with NHS organisations; our Assessments team use Zivver to email parents and care givers during the onboarding process of a new student or resident.”

“It is very useful to us to be able to see whether an email or file has been accessed after sending,” says Heather. “To know that data might have been sent to the wrong person but that it hasn’t been accessed is invaluable insight for us when containing a breach. Each recalled email is less of an investigation for the data protection team. While a missent email is still a breach, the process is curtailed, and the team isn't committing as many resources to investigate it.”

Recalling emails sent in error and identifying healthcare data before sending

“Zivver's recall functionality is a highlight for our organisation,” says Matt. “The ability to revoke access to an email, without time limits, is invaluable. Over the past few months, we have seen two emails recalled - this is two potential data breaches avoided. In some cases, the user has asked the IT team to revoke access to an email on their behalf, although they can do so themselves, too. It is great that, as an admin, we can revoke emails rather than relying solely on the employee.

“Unlike traditional email clients, Zivver’s revoke functionality is reliable,” Matt continues. “With Outlook, you are relying on the recipient to allow revocation, and you can’t guarantee the email or file hasn’t been opened. But we have insight into the message status with Zivver and that is very important.”

“Zivver’s out-of-the-box business rules are very powerful. There is a large index of rules tailored to the healthcare sector; the rules are triggered when sensitive healthcare data is detected, employees are notified, and they can send the email securely.” 

Integration with Mimecast

“We use Mimecast as a Secure Email Gateway,” Matt explains. “Any messages that we send or receive go through Mimecast to detect malware, prevent phishing, and scan links. The fact that Zivver integrates with Mimecast is great; the Zivver team worked closely with us to make this integration work, and it was very straightforward. The integration has been perfect; emails traverse through Mimecast seamlessly.”

Simple implementation and aftercare

“The implementation was a highlight of our experience with Zivver to date. I’ve never had an implementation that has been quite so easy, even with the Mimecast integration. I really liked the checklist approach; the team provided documentation and resources, and the ongoing service and support we receive from Zivver is great. I have a support agent who I can contact directly, and they respond quickly and in detail. Any small issues we have experienced have been resolved very fast. Considering the technical nature of the implementation and tool, this is amazing.”

Happy employees, happy recipients

“No news is good news when it comes to employee feedback; if I don’t hear about it, we can assume the solution is functioning as it should be,” says Matt. “I haven’t received any complaints about Zivver. Since we have switched to the latest version of the plug-in, especially, it has cleared up any small issues we’ve experienced.”

“The end-user experience was also a concern for us,” Simon says. “Parents and care givers are a group who we can’t directly educate and so we were very conscious that the flow needed to be simple for them.”

“I haven't heard any complaints or issues around receiving Zivver emails from recipients,” says Matt. “The great thing about Zivver is that parents don't need to create accounts to access secure emails. It’s very simple.”

“No one wants to cause a data breach. In fact, most employees are very wary of doing so,” says Heather. “Zivver is a great relief to our people. It is reassuring to them to have that extra protection and control at their fingertips.”
