The Challenge
In every business relationship, there is an exchange of e-mails and documents containing personally identifiable information (PII), such as medical and financial data. Data protection directives existed long before the adoption of GDPR in April 2016, but the new provisions set a quite high standard for companies within the EU. In this ever-changing landscape, organizations need specialists, tools and frequent policy changes to stay up to date and achieve GDPR compliance.
Every person has the right to request information regarding the recipients, processes, purposes and period of time for which their personal data are processed. Therefore, companies are responsible for properly and lawfully handling sensitive personal data like medical information, payroll information, and CVs. Any forwards or printing of e-mails of such content should be recorded, and the amount of time for which the e-mails are available to users should be limited according to each company’s policy.
It becomes clear that in large companies, including those in the shipping sector, it is almost impossible to always have all the required information available. A basic e-mail user couldn’t possibly delete every e-mail after a certain amount of time, or know for certain who read, forwarded or printed it.
The Solution
Microsoft provides several tools aiming to help with this issue, but the issue’s complexity creates needs and requirements that the tools can’t fully meet. Fortunately, we found a way to address these specific needs.
Microsoft tools operate as an after-the-fact control over the handling of sensitive information. The user, usually a Data Protection Officer (DPO), can search for specific keywords or patterns to find potentially sensitive data. The matching data are then marked, and the DPO defines when they will be deleted, taking the company’s policy into consideration.
In contrast to Microsoft’s a posteriori automation, our Astris GDPR Console lets users manage sensitive data both in advance and after the fact. The moment an e-mail containing sensitive data is received, the user tags it accordingly. Once the e-mail is tagged, all its activity is monitored and retention policies are applied. PII policies are set by the administrator and can be modified as often as required. After the specified amount of time passes, the e-mail is soft-deleted, meaning that it is removed from the Exchange mailboxes and becomes unavailable to all users. At this point, the DPO still has access to review it and decide whether to reinstate or purge it.
Even after the e-mail is purged, the database entries remain available and accessible to the DPO through the Astris GDPR Console, providing full auditability throughout.
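To make the lifecycle described above concrete, here is an added toy model (hypothetical code, not the Astris product) of the tag, monitor, soft-delete, review and purge steps, with an append-only audit trail that outlives the purged message. It assumes retention periods are expressed in days and uses plain integer day numbers in place of timestamps.

```python
from dataclasses import dataclass

@dataclass
class TaggedEmail:
    msg_id: str
    category: str      # PII category chosen when the user tags the message
    received_day: int  # day number; integers stand in for timestamps here
    state: str = "active"  # active -> soft_deleted -> active | purged

class GdprRetentionConsole:
    """Toy model of tag -> monitor -> soft-delete -> review -> purge (hypothetical)."""
    def __init__(self, policies):
        self.policies = policies  # category -> retention period in days, set by admin
        self.emails = {}          # mailbox store: only entries here are visible to users
        self.audit = []           # append-only; entries outlive the e-mail itself

    def _log(self, msg_id, event, actor):
        self.audit.append({"msg_id": msg_id, "event": event, "actor": actor})

    def tag(self, msg_id, category, received_day, actor):
        if category not in self.policies:
            raise ValueError(f"no retention policy defined for {category!r}")
        self.emails[msg_id] = TaggedEmail(msg_id, category, received_day)
        self._log(msg_id, f"tagged:{category}", actor)

    def record_activity(self, msg_id, action, actor):
        # Reads, forwards and prints are recorded; soft-deleted mail is off-limits to users.
        if self.emails[msg_id].state != "active":
            raise PermissionError(f"{msg_id} is not available to users")
        self._log(msg_id, action, actor)

    def apply_retention(self, today):
        # Soft-delete every active message whose retention period has elapsed.
        expired = []
        for e in self.emails.values():
            if e.state == "active" and today >= e.received_day + self.policies[e.category]:
                e.state = "soft_deleted"
                self._log(e.msg_id, "soft_deleted", "system")
                expired.append(e.msg_id)
        return expired

    def reinstate(self, msg_id, dpo, today):  # DPO review outcome 1
        self.emails[msg_id].state = "active"
        self.emails[msg_id].received_day = today  # retention clock restarts
        self._log(msg_id, "reinstated", dpo)

    def purge(self, msg_id, dpo):             # DPO review outcome 2
        del self.emails[msg_id]            # gone from the mailbox store ...
        self._log(msg_id, "purged", dpo)   # ... but the audit trail remains

    def audit_trail(self, msg_id):
        return [a["event"] for a in self.audit if a["msg_id"] == msg_id]
```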
All in all, the Astris GDPR module is a valuable tool for companies dealing with e-mails and documents containing sensitive data.
Interesting Facts
According to the International Association of Privacy Professionals:
- 58% of European companies declared GDPR compliance as a top priority.
- The most difficult GDPR obligation for companies in 2019 was the fulfillment of the right to be forgotten.
- 69% of registered DPOs from the EU hold the top privacy role for their firm. They often have direct reporting lines to the board of directors as well.