GDPR - The Problem of Personal Data in Email and Backups

Tuesday, May 29, 2018 by Michael Nuncic

With GDPR just a couple of days away, many companies are in the final stages of getting their IT processes and the needed solutions ready to comply with the new regulations. Everybody in a company residing in the EU or doing business with European firms should already have heard about the huge fines of up to 4 % of worldwide turnover or 20 million euros. Many of the articles in the regulation have already been explained, not only in our blog but in several others on the internet, by lawyers as well as by journalists from well-known IT magazine portals.

The deeper you look into the topic and its implications for your own company's processes and IT solutions, the sooner you come to realize that huge amounts of personal data are transferred and stored in emails and email backups. If you work in a company where the IT solutions are highly integrated and interlocked, then finding all the personal information of an individual who wants their data erased under Article 17 of GDPR is quite easy.

When such an integrated solution, which covers many application areas like CRM, CMS and also email, is used and the solution also creates email backups, then you are lucky. With such a solution you can find all emails containing personal information of individuals and securely delete them both on the live server and in the backups.

But in reality many companies use different solutions for different tasks. One solution creates backups, emails are stored and handled by an MS Exchange server or a solution from a different vendor, or the manufacturer of the CRM system is different from that of the integrated enterprise CMS, which also gathers and processes personal data. And that's where the difficulties start.

Regarding email backups, another challenge appears: when trying to find and securely erase personal data, it makes a huge difference whether the emails are still stored on the Exchange server or have already been backed up and stored on tape or a disk-based solution.

In many small to medium businesses the common IT solutions are not that sophisticated. For email they normally use their Exchange server and local email clients like Outlook on the employees' desktop computers. Searching for and finding old emails with personal information can be achieved under MS Exchange. These emails can be identified, moved to a special storage space and then securely deleted by special erasure software like the products from Ontrack or Blancco.

Additionally, you can use Ontrack PowerControls for Exchange to search a live server for emails containing the personal data of an individual who has requested that the data be erased. Ontrack PowerControls is an easy way to look over these emails quickly and visually with its built-in email viewer. However, it is not possible to really securely erase these emails in real time. When using this tool you only move these emails to the trash bin of the Exchange server. It is then up to the configured Exchange retention time when the emails will really be deleted for good. And even then it is still not a so-called hard deletion, since it would be possible to recover the emails until the particular storage space where they are stored is finally overwritten by new data.

Finding and deleting such emails on the employees' computers can also be accomplished quite easily. Once they are identified they can be moved to an appointed storage location and then also securely deleted by a specialized data erasure solution. This can be done either on the client computer or via a network connection by the IT administrator. Both processes only work for those emails that are active on the client computer and/or on the Exchange email server.

But what about the emails with personal data that have already been backed up by the administrator or the user?

In short: Technically speaking you can only find and securely erase emails which are still live or accessible on the server! Emails in backups will pose a threat to GDPR compliance with no simple solution at hand so far!

Backed-up emails can only be found, recovered and extracted. But when you securely erase the personal information and emails out of a backed-up mailbox, you can only save the remaining emails as a brand new backup, especially when the backup is saved on tape. Since these mailboxes contain so many emails, there are most likely emails in the mailbox that must be kept for many years or decades because of laws other than GDPR. If you changed the backup, you would normally delete the timestamps of these emails as well, with the effect that you would "change" these other emails too, even though their content would still be the same.

Conclusion: Being prepared for GDPR regarding emails and email backups is not an easy task but rather a tricky one.

Now should be the time for companies to implement a highly integrated solution, for example at least an email archiving system that is able to process, store and back up all data under one roof and is also able to securely delete it when needed. Using such a specialized archive solution might be the best way of being compliant with GDPR in the future. A more advanced solution which combines many more modern business management and processing tools like CRM, enterprise CMS and more is the best solution to be safe against huge fines.