GDPR Responder for Microsoft Office 365

Simplify GDPR data privacy requests for email communications

GDPR Responder: A Powerful Tool for Data Protection Officers

GDPR Responder, by Dropsuite, helps businesses meet their international data privacy and data protection requirements by helping them safeguard, store, discover, export and delete data. It empowers Data Protection Officers to fulfil time-sensitive compliance requests by letting them define who can access particular types of data across the organization, and how that data can be managed.

Firms across the world that use email to communicate with European Union prospects, customers and business partners must comply with the GDPR (General Data Protection Regulation) privacy and data access mandates. Failure to do so could cost a firm up to €20 million, or 4% of its worldwide annual turnover for the prior financial year, whichever is higher, a penalty that could easily put a company out of business. The stakes are high, which is why Dropsuite takes great pride in offering its GDPR Responder solution. With GDPR Responder our customers can manage their organizations’ critical email infrastructure according to GDPR requirements, safeguarding user information, ensuring data availability and maintaining business email continuity.

How will you Classify, Discover, Review, Take Action and Report on GDPR requests? The answer: With Dropsuite GDPR Responder.


GDPR Compliance for Data Privacy and Security

The GDPR went into effect on May 25, 2018 and replaces the EU Data Protection Directive of 1995. Three major changes in the GDPR increase the scope of, and accountability for, protecting the privacy of data subjects in the EU. Those parts are:

  • Increased Territorial Scope
  • Penalties
  • Consent

The biggest change to the regulatory landscape of data privacy comes with the increased territorial scope of the GDPR, as it now applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.

The penalties have also greatly increased. Organizations in breach of the GDPR can be fined up to €20 million, or 4% of their worldwide annual turnover for the prior financial year, whichever is higher. This is the maximum fine, reserved for the most serious infringements, e.g. processing personal data without a valid legal basis such as sufficient consent, or violating the core Privacy by Design principles.

The conditions for consent have been strengthened: companies can no longer rely on long, illegible terms and conditions full of legalese. A request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, clearly distinguishable from other matters, and with the purpose of the data processing attached to it. It must be as easy to withdraw consent as it is to give it.


GDPR Standards Applying to Email Backup

For all firms that may have email communications with individuals in the EU, several parts of the GDPR apply to the backup, archiving and recovery of email, website and related data.* When choosing a backup and restore solution, consider how well it supports the following requirements.

Breach Notification

Breach notification is mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” The controller must notify the supervisory authority within 72 hours of becoming aware of the breach (Article 33) and, where the risk is high, must also inform the affected data subjects without undue delay (Article 34). Accurate records of email communications are therefore needed to identify and notify any data subject who may have been affected.

Right to Access

Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be Forgotten

Data subjects may have the data controller erase their personal data, cease further dissemination of the data, and have third parties halt processing of it. The conditions include the data no longer being relevant to its original purposes, or the data subject withdrawing consent.

Data Portability

Data subjects can receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and have the right to transmit that data to another controller.

Privacy by Design

Privacy by design calls for data protection to be built in from the start of system design, rather than added afterwards: ‘The controller shall implement appropriate technical and organizational measures to meet the requirements of this Regulation and protect the rights of data subjects’.

Data Protection Officers

DPOs are mandatory for public authorities and for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences.

Based on the above requirements, it is clear that maintaining accurate copies of email communications and related data between a firm and individuals in the EU is essential, including records of emails and related data that users have since deleted.

That’s why Dropsuite GDPR Responder focuses on preservation, maintenance and advanced search across backed-up and archived emails, attachments and related data. We are proud to provide our customers with GDPR-compliant solutions for email and related data backup, archiving and recovery.

GDPR is serious business, and large fines have already been pursued by the UK’s Information Commissioner’s Office (ICO). In July 2019, the ICO announced its intention to fine British Airways £183 million (about $230 million) in connection with a significant 2018 data breach, and to fine Marriott International £99 million (about $123 million) after a November 2018 data breach that exposed personal data in approximately 339 million guest records, of which about 30 million related to residents of the European Economic Area (EEA). The final penalties issued in October 2020 were substantially reduced, to £20 million and £18.4 million respectively.

Dropsuite empowers the Data Protection Officer to navigate the grey areas where GDPR compliance meets business compliance, with tools for easy management of regulated compliance responsibilities pertaining to archived business communications, attachments and email.

GDPR Responder Utility Includes:

  • Data Protection Officer (DPO): Assign the role, review GDPR requests, review/flag/export/delete data, and record why data can or cannot be deleted
  • Delegated access permissions: Assign and delegate internal/external access permissions for GDPR discovery/review, e.g. for auditors
  • Right of access and right to be forgotten: Export a copy of the found data for the requester under GDPR Article 15(1), or delete the data under Article 17(1) where deletion does not conflict with other legal or business retention obligations
  • Message-level retention and legal hold: Apply retention periods from 6 months to indefinite on individual or bulk messages, and place individual or bulk messages on legal hold for an indefinite period
  • Compatibility: Compatible with Microsoft Exchange Online, Hosted Exchange and G Suite Gmail

“GDPR enforceability is starting to catch momentum, yet surprisingly, many organizations are still playing the waiting game with regard to implementing GDPR compliance utilities,” said Ryan Nichols, head of product for Dropsuite. “Email ecosystems such as Exchange Online for Office 365 are critical data systems covered under GDPR regulations that require specialized tools to make it easier for administrators to fulfill compliance-related tasks. Doing nothing, or not doing enough, exposes organizations to any number of risks that frankly don’t need to be taken since tools like Dropsuite GDPR Responder for Email Archiving are readily available.”

* Source: EUGDPR.org “GDPR Key Changes”


GDPR Compliance Use Cases

Email Backup and Archiving

Email backup and archiving supports GDPR compliance. The system must keep accurate records of all communications and related data with individuals in the EU, even if an employee accidentally deletes the original emails, for as long as a documented retention policy or legal hold requires; indefinite retention without a justified purpose conflicts with the GDPR’s storage-limitation principle (Article 5(1)(e)). The system must also include advanced search, so that any and all communications or data collected from an individual can be found quickly and provided back to the data subject on request. Email archiving also makes it possible to quickly identify every data subject who may have been affected by a breach. Using a secure cloud-based solution that encrypts the stored data further protects it.

GDPR Compliance and Data Protection

Dropsuite provides GDPR Responder, a compliant email backup and archiving solution designed to provide continuous availability of email communications in the cloud. It includes easy-to-use, secure and scalable tools to manage those communications, especially for firms using cloud-based services such as Office 365.

GDPR Protection in the Cloud

An email backup and archiving solution ensures that your records are systematically stored in a central cloud data repository with state-of-the-art security and advanced search features in place to guard against data loss and to comply quickly with any data access request. Dropsuite GDPR Responder was tailor-made for the rigorous security requirements that customers demand from a cloud partner.
“We selected Dropsuite because they are GDPR compliant with proactive cloud backup solutions that can protect organizations from data loss threats or regulatory risks.”
Sandis Kolomenskis
CEO of Squalio Group