CCPA Is Here To Stay

Are You Prepared for CCPA?


Fittingly for the beginning to another decade, California chose to pull out all the stops with its 2020 New Year’s goals. The California Consumer Privacy Act or CCPA became effective on January 1, 2020. Passed collectively in June 2018, it’s the principal law in the US to set up a far-reaching set of rules around consumer information, much the same as the European Union’s General Data Protection Regulation or GDPR.

For the internet consumers in California, life won’t be fundamentally extraordinary. But as soon as the law is settled, and relying upon how it’s upheld, its effect could go far to deciding if the 2020s become the decade when the US begins paying attention to consumer privacy rights.

New Decade with better safety

What is CCPA exactly?

CCPA gives consumers “the right to know” and “the right to say no.” That means consumers will, as of today, be able to see what data companies have gathered about them, have that data deleted, and opt-out of those companies selling it to third parties from now on.

The CCPA applies to any company that does business in California and either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or makes more than half its money from user data. For California residents, it creates a handful of new rights over their data.  It is important to remember that we’re not simply discussing the big giants of the world, yet any enormous organization that does a great deal of business on the internet or, in other words, any large organization.

NOTE: It is also important to note that the company not necessarily need to be operating in California but even if they are operating out of state but are still collecting information from California residents, CCPA applies to them.”

Many companies already had to implement processes allowing European users to delete their data or opt-out of tracking thanks to GDPR, which laid some groundwork for the CCPA. Some platforms, including Facebook, have built tools allowing users to exercise the rights that the CCPA now guarantees to California residents.


Top 5 guidelines of CCPA to affect the working of business:

  1. Stocking and selling of individual information.
  2. CCPA grants right to access and erase the information.
  3. New individual right to unsubscribe any sort of information.
  4. Refreshing of service-level contracts with third-party processors.
  5. Remediation of data security holes and framework vulnerabilities.


What happens if a company doesn’t comply with the CCPA?

CCPA calls for punishments of up to $7,500 for purposeful infringement however it depends on California’s Attorney General to authorize this. Meanwhile, individuals can sue for $100 to $750 in the occasion an organization doesn’t obey the privacy laws and gets hacked.


In summary

The CCPA is the first overall U.S. information assurance law to come into place. It will require organizations in California to put resources into consumer privacy laws. Organizations should now contemplate and comprehend this new law, as their repercussions are probably going to be felt for a long time.

Getting ready to conform to CCPA is anything but a little errand, an adequacy status program requires some investment and exertion even to cover the accompanying fundamental components of CCPA like:

  • Discover where your organization is storing personal information including information which is hidden in unstructured sources like email and file servers.
  • Determine how your organization would respond when a consumer exercises their rights to the deletion of their data,
  • Train the staff to comply with CCPA.
  • Build up an arrangement for keeping up consistency as your business changes.

Why choose Waterford Technologies?

Waterford Technologies has more than 20 years of experience in unstructured data compliance for email and files. By working with us, we can set your organization on the path to unstructured data compliance, allowing you plenty of time to put the necessary controls in place.

If you have any questions about CCPA or GDPR regulations or if we can help in any way, please feel free to contact our sales team now or request a free demo to see how Waterford Technologies can help your organization.


Garima Arora

Marketing Specialist

Waterford Technologies



Is Office 365 enough for your email compliance?

Ensure Compliance, Save Money and Enhance Efficiency with Office 365

There are no doubts that office 365 is an invaluable tool for productivity and collaboration in the cloud, however, legislation with the introduction of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) or indeed The Freedom of Information Act (FOIA), managing email compliance for office 365 can be a challenge and it is important to be aware of the compliance gaps it presents.

In parallel to this, cloud adoption is growing unabated, with email being one of the key workloads that organisations have identified for the cloud. Email is a business-critical platform that typically holds vast amounts of sensitive and confidential information while there are eDiscovery capabilities within O365 that need to be carefully considered.

“Some reasonably sound eDiscovery capabilities are included in Office365, but these have some limitations.”

Osterman Research (2019), Fill the gaps in office365 data protection

Office 365 (E3 and E5 ) versus Third-Party Solutions

There is a maze of licensing options within O365 and it can be difficult to navigate what is suitable for your organisations’ requirements. As well as, that there are significant cost differences between different options, for example between the lower end E1 licenses and higher-end E5 licenses. From a compliance point of view, you will need a minimum of Microsoft E3 licenses with the Advanced Compliance add-on or else full Microsoft E5 licenses to ensure you are covered from an eDiscovery perspective. This is where utilizing a third-party solution for the compliance piece can deliver benefits such as significant cost savings, better capabilities, and time savings.

Source: Osterman Research, Using Third-Party Solutions with O365, 2019

To learn more, watch our webinar ‘Is Office 365 enough for your email compliance’. It will discuss further in-depth and highlight the gaps in O365 compliance that Waterford Technologies can address. Areas that will be explored include;

  • Compliance Gaps
  • Shared Mailboxes and the issues they present for compliance
  • O365 complexity
  • The importance of Retention Management
  • The issue of costs and how to slash these without compromising on compliance

Click on the link to watch now:


Why Chose Waterford Technologies?

Waterford Technologies is a pro-active Email and file Compliance and Management focused, solution provider. Waterford Technologies has vast experience in helping our clients meet their compliance requirements, reducing risk, and addressing eDiscovery requests easily, quickly and successfully.

Contact our Sales team now or request a free demo to see how Waterford Technologies can help your organisation.


Garima Arora

Marketing Specialist

Waterford Technologies

Keep your email and file databases POPI compliant

South Africa’s Protection of Personal Information Act (POPIA)

Keep your email and file database POPI compliant
South Africa’s POPI Act

Data privacy is a worldwide concern for many businesses – especially as regulations such as GDPR, CCPA, and POPIA (the Protection of Personal Information Act) have come or are coming into effect. Want to keep your email and file databases POPI compliant? Read on…

So What is POPI Act or POPIA?

POPI refers to South Africa’s Protection of Personal Information Act which seeks to regulate the Processing of Personal Information. It is South Africa’s equivalent to the EU’s GDPR. The POPI Act is well on its way to being implemented in South Africa. In order to ensure your data practices don’t contradict the act you need to be prepared, once implemented companies will have only 12 months to comply.

Who does POPIA affect?

POPIA affects all organisations that store, collect or process personal information are required to comply.

Personal Information broadly means any information relating to an identifiable, living natural person or juristic person (companies, credit cards, etc.) and includes, but is not limited to:

  • contact details: email, telephone, address, etc.
  • name of the person if it appears with other information relating to the person,
  • demographic information: age, sex, race, birth date, pregnancy, marital status, ethnicity, disability, religion, sexual orientation, language, etc.
  • history: employment, financial, educational, criminal, medical history
  • biometric information: blood type etc.
  • the views or opinions of another individual about the person.
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

“The POPI Act will affect almost all businesses in South Africa”

Does POPI really apply to our company?

Accountability for personal data is the responsibility of each public or private body. Generally, the Responsible party must be a resident in South Africa or the processing should occur within South Africa (certain exclusions apply).

The risk includes reputational harm, fines and imprisonment, and paying out damages claims to data subjects. The greatest risk, after reputational harm, is a fine for neglecting to secure record details.

There are also some benefits associated with complying with the POPI act, it is safe to say that consumers will feel more confident doing business with companies that are transparent and showing compliance with the POPI legislation.

Where POPI does not apply. Exclusions include:

  • purely household or personal activity.
  • some state functions including criminal prosecutions, national security, etc.
  • journalism under a code of ethics.
  • judiciary functions.

Why should I comply with POPI?

POPI endorses transparency about what personal information is collected and how it is to be processed. This honesty is likely to increase customer confidence in an organisation, public or private.

POPI compliance includes capturing and retaining the minimum required personal data, ensuring the accuracy of that data, and removing the data that is no longer required (Similar to GDPR).  These actions will help improve the overall reliability of the databases companies hold.

POPI compliance also requires that the organisation can identify personal information and can take reasonable measures to protect the same data. This will likely reduce the risk of data breaches and the associated public relations and legal ramifications for the organisation.

Non-compliance with the Act could expose the Responsible party to a penalty of a fine and/or imprisonment of up to 12 months. In certain cases, for more serious offences, the penalty for non-compliance could be a fine and/or imprisonment of up 10 years. It is vital that organisations keep their email and file databases POPI compliant.

How can Waterford Technologies help?

Data compliance starts with visibility – Waterford Technologies gives clients, the visibility they need for effective monitoring, eDiscovery, auditing and reporting across a variety of data regulation standards. Our ComplyKEY suite empowers you to easily reduce email and file risk, detect and respond in real-time to threats and prove regulatory compliance with acts such as POPI, ensuring that you keep your email and file database POPI compliant.

ComplyKEY is a compliance and data management platform where you can find every single email and file in your organisation, conduct e-discovery, freedom of information and subject access requests directly from your desktop anywhere.

Key Benefits

Governance- Proactive approach to data transparency by classifying before archiving is a key requirement of POPI.

Compliance – Preventative monitoring of email internally & externally to identify & remediate risk.

Data Retention Management and Erasure- Increases efficiency, retention can be controlled by time and/or by person groups. As mentioned above POPI compliance includes capturing and retaining the minimum required personal data, ensuring the accuracy of that data by removing the data that is no longer required.

Investigate & Message Filtering– Advanced e-Discovery with keyword search, word lists, & regular expressions (REGEX) capabilities.

Be POPI compliant

Although you have a one-year grace period to update your systems, the time to prepare for POPI is now. Get in touch with Waterford Technologies to discuss how we can help your email and file database POPI compliant.


Laura Stotesbury

Head of Marketing

Waterford Technologies

First Multi-Million GDPR Fine in Germany

€14.5 million fine for not having a proper data retention management policy in place

GDPR Fine for data retention management

On October 30th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information made history by delivering her first multi-million GDPR fine to the German real estate company, die Deutsche Wohnen SE for not having a proper data retention management in place, direct infringement of the General Data Protection Regulation (GDPR)

This is the highest GDPR fine to be issued in Germany to date.

Why the infringement?

Deutsche Wohnen SE has been accused of utilising an archiving system for the storage of personal data pertaining to their tenants which does not facilitate the erasure of data that is no longer necessary or required. This data was of a personal nature i.e. it included personally identifiable information (PII), such as tax data, social security, and health insurance data, bank statements, employment contracts payslips, etc.

Deutsche Wohnen SE was audited in June 2017 and was made aware that they were in breach of data protection regulations at the time. Following another audit in March 2019, Deutsche Wohnen SE was again unable to prove a legal ground for the continued retention of the same PII data or demonstrate the ability to clean up their databases by deletion of no longer required data.

Deutsche Wohnen SE did, however, try to start a project to clean up the data however, the Berlin DPA found that these measures were not adequate.

“Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods as such solutions are commercially available.” Maja Smoltczyk, Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA)

GDPR articles enforced

Article 25 (1) and Article 5 of GDPR were actioned against Deutsche Wohnen SE. Article 25 (1) GDPR requires data controllers – subject to  additional preconditions – to provide for appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR and protect the rights of data subjects. Article 5 in brief states that that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).

Calculating the €14.5 million fine

It seems that the Berlin DPA applied the recently published fining guide of the German supervisory authorities. Looking at the calculations it is apparent that 2% of annual revenues were enforced instead of the 4% of annual revenue that is laid down by GDPR as a maximum infringement of Article 5. In order to reduce the fine that Berlin DPA has taken into consideration that the company had taken some measures to try to remedy the infringement as notified back in June 2017.

“I recommend all organizations processing personal data to review their data archiving for compliance with the GDPR.” Maja Smoltczyk, The Head of the Berlin DPA

Data commissioners in Europe are really starting to up their game when it comes to issuing GDPR fines. Controllers and processors of data must now take urgent action to review their processes and examine their handling of personal data, regardless of where they are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

ComplyKey offers more granular control of your email and file data for retention and destruction management

Waterford Technologies offers a retention management solution for GDPR and other data protection regulations, that is comprehensive, easy to use and powerful at protecting and enforcing your company’s retention policies.

The ability to create multiple retention categories and tags and assign different periods to specific users and departments gives you total control over email and file retention and destruction.

Enforce Retention Policies

One of the greatest assets of an email and file archive is control over the retention of messages in the archive. With the Waterford Technologies retention feature, you can ensure that your retention policy is adhered to by creating retention categories and tags or setting custom retention periods for individual users or emails.

Retention can be controlled by time and /or by person groups. Person groups can be created that contain current and former users and then retention categories can be applied to those groups. For example, your organization wants to set a retention policy of 5 years for all message but users in the Executive or Financial organisations need to be kept for 7 years. MailMeter set it and forget it Retention Policies make sure that messages are kept according to your record retention policies.

Intelligent Destruction

ComplyKey’s retention feature automatically evaluates your retention policy on every scheduled run. If the policy has been changed at any time, the module will automatically enforce the new policy and purge emails tagged for deletion on its next run. This allows you to intelligently control not only retention but also the destruction of email.

Avoid Accidental Deletion

The ability to retain specific emails or messages from specific users and apply a litigation/legal hold to relevant emails allows you to avoid accidental or wilful deletion. For example, applying a litigation hold to an email will ensure that it will be retained past its normal retention period. After the mail is no longer required, removing the litigation hold will mean the mail is automatically purged on the next scheduled run.

Meet Regulatory Requirements

Implementing an adequate retention policy is key to ensuring regulatory compliance. Your business may be subject to many regulations including Sarbanes-Oxley, FINRA, HIPAA, and GDPR. The ability to create sophisticated and granular retention policies with ComplyKey will help your business to achieve regulatory compliance.

ComplyKey Retention Benefits

  • Enforce email retention policies
  • Protect against accidental deletion
  • Prevent wilful destruction of email
  • Meet regulatory requirements

Take urgent action to review your companies processes and examine your handling of personal data, regardless of where you are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

Contact our Sales team now or request a free demo to see how Waterford Technologies might be able to help your organisation with their data retention management for GDPR and numerous other global data protection legislation.


Laura Stotesbury

Head of Marketing

Waterford Technologies


Utility Companies – How Much Personal Data Resides On Your Servers?

How to implement proactive email and file compliance in the digital era.

Data compliance and management has become a key requirement for businesses in today’s economy due to the arrival of new and updated data regulations such as GDPR, MiFID2, FOIA & CCPA. In the digital age, companies are responsible for increasing amounts of data, both of their customers as well as their own employees.

This is especially important for the Utilities Sector where large utility companies in the digital era are driven primarily by data.

Continue reading “Utility Companies – How Much Personal Data Resides On Your Servers?”

The True Cost of Data Non-Compliance


For many years now, people have talked about the importance of data. It has been argued that due to the insight and knowledge that can be taken from it, data has now become more valuable than oil.

Nowhere is this more obvious than within large organisations, who can hold TBs of unstructured data (data that does not have a pre-determined model) of their customers and employees.

Continue reading “The True Cost of Data Non-Compliance”

Why Credit Unions need to understand their unstructured data.

How to manage the unstructured data explosion and manage GDPR compliance

The financial services industry is facing a period of extensive changes in the forms of fintech disruption and challenging data regulations. In order to remain relevant in this new arena, credit unions must be able to integrate and optimise all their data.

Continue reading “Why Credit Unions need to understand their unstructured data.”

Waterford Technologies Launches MailMeter- Version 7.1

Waterford Technologies launched MailMeter Cloud 7.1

Organizations are finding today that meeting regulatory requirements and complying with new and current legislation is a challenge.  Unstructured data like email presents a whole range of hurdles when trying to prevent violations or when responding to discovery requests. 

Unstructured data makes up 80% of storage on your servers.
It is generated by conducting your day to day business and consists of email and files such as documents, images, and videos.
Without the correct management tools, this particular data is difficult and time-consuming to see and uncover,- a key requirement of GDPR, FOIA, and general data regulations.

Waterford Technologies has significantly invested in the development of our product set to provide Compliance functionality for unstructured data in both email and file. We have introduced a powerful smart GDPR, FOIA, and eDiscovery solution reimagined to make it easier for you to effortlessly manage your email data- no matter the size of your company.

Available this July, Waterford Technologies are delighted to announce the launch of MailMeter  7.1, enabling organizations to meet demanding compliance requirements and address eDiscovery requests easily, quickly and effectively.

What has changed?

MailMeter 7.1 is a pro-active Microsoft Azure SAAS cloud and on premise-based compliance and data management platform where you can find every single email in your organization, conduct e-discovery, Freedom of Information and DSAR’s searches directly from your desktop. The platform gives you the ability to narrow the scope of your search across email using clearly defined criteria giving our clients the visibility they need for effective monitoring, eDiscovery, compliance, auditing & reporting across a variety of data regulations. 

  • New Operations Portal, a completely redesigned user interface – individual search, e-Discovery search, compliance policies and message retention under a single interface
  • Real-time message filtering, tagging, and labeling- MailMeter cloud message filtering enables an organization to define proactive pre-archiving rules that can discard, tag or label messages based on message participants, message type or keyword content in the message to control archive content, identify compliance violations and assist message analysis.
  • Scoped searching- MailMeter Cloud enables authorized users to set up restricted access for eDiscovery or compliance searching. Using scoped searches, archive access can be limited to any search criteria, which specific types of tags can be used, and which type of actions can be performed.
  • Compliance policies- this new feature enables organizations to establish policies that automatically monitor and identify non-compliance email communication. Reviews can quickly be performed to take actions based on internal policies to reduce risk and ensure regulatory compliance.
  • Delegated access- The new delegated Access feature enables one user to access and search another users email stored in the archive. This feature can be used to allow a manager to access their current and former team members email. You will no longer have to retain former users mailboxes to enable other users to access that users’ messages. All activity performed by the delegated user is recorded in the audit trail.

Benefits you will love-

  • Legal search cost savings and speed of recovery 
  • Respond to DSAR’s promptly
  • Help avoid data regulation penalties and reputation damage
  • Storage and back up cost savings
  • Direct line access to storage
  • Encryption of stored data
  • Full audit trail for email


MailMeter 7.1 is a key feature in our ComplyKey Suite- ComplyKey Suite is built around two ideas, First, full visibility into your email and file volume and activity enables you to more effectively and efficiently manage your data 24/7. Second, companies need a tool that is data regulation audit-ready, flexible enough to support your GDPR, FOIA and data compliances policies and agile enough to deal with subject access requests (DSAR), freedom of information and e-discovery searches across your email and file data.
For more information on finding the right data compliance and management solution to fit your organizational needs, simply contact us for a callback.



California Consumer Privacy Act – Are you ready for January 2020?

The CCPA will take effect on January 1, 2020- Are you ready?

Like Europe, California has been trying to pass updated data protection for many years now. While the General Data Protection Regulation came into effect on May 27th, 2018, to a lot of media attention & speculation. The road to rolling out the California Consumer Protection Act (CCPA) has not been as smooth and attention-grabbing.

Continue reading “California Consumer Privacy Act – Are you ready for January 2020?”