Astris GDPR module: A valuable tool for GDPR compliance

08 Apr 2021

The Challenge

In every business relationship, there is an exchange of e-mails and documents containing personally identifiable information(PII), such as medical and financial data. Data protection directives existed long before the adoption of GDPR in April 2016, but the new provisions set a quite high standard for companies within the EU. In this everchanging landscape, organizations need specialists, tools and frequent policy changes to stay up to date and achieve GDPR compliance.

Every person has the right to request information regarding the recipients, processes, purposes and period of time for which their personal data are processed. Therefore, companies are responsible for properly and lawfully handling sensitive personal data like medical information, payroll information, and CVs. Any forwards or printing of e-mails of such content should be recorded, and the amount of time for which the e-mails are available to users should be limited according to each company’s policy.

It becomes clear that in cases of large companies -including those of the shipping sector-, it is almost impossible to have always available all the information needed. A basic e-mail user couldn’t possibly delete every e-mail after a certain amount of time, or know definitely who read, forwarded or printed it.

The Solution

Microsoft provides several tools aiming to help with this issue, but the issue’s complexity creates needs and requirements that the tools can’t fully meet. Fortunately, we found a way to address these specific needs.

Microsoft tools operate as an afterward control over the handling of sensitive information. The user, usually a Data Protection Officer (DPO), has the ability to search for specific keywords or patterns to find potentially sensitive data. Consequently, the data are marked and the DPO defines when they will be deleted, taking into consideration the company’s policy.

In contrast to Microsoft’s a posteriori automatism, our Astris GDPR Console provides users with the functionality of managing both in advance and afterwards. The moment an e-mail containing sensitive data is received, the user tags it accordingly. After the e-mail is marked, all its activity is monitored, and retention policies are applied. PII policies are set by the administrator and can be modified as often as required. After the specified amount of time passes, the e-mail is soft-deleted, meaning that it’s deleted from Exchange Mailboxes and becomes unavailable to all users. At this point, the DPO still has access to review it anddecide whether to reinstate or purge it.

Even after purging the email, the database entries remain available and accessible to the DPO through Astris GDPR Console, providing full auditability throughout.

All in all, the Astris GDPR module is a valuable tool for companies dealing with e-mails and documents containing sensitive data.

Interesting Facts

According to the International Association of Privacy Professionals:

58% of European companies declared GDPR compliance as a top priority.
The most difficult GDPR obligation for companies in 2019 was the fulfillment of the right to be forgotten.
69% of registered DPOs from the EU holds the top privacy role for their firm. They often have direct reporting lines to the board of directors, as well.

Summary

GDPR changes are challenging for companies, especially regarding e-mails containing PII (medical, financial, CVs).
Microsoft provides tools for auditing sensitive data, but several needs are not met.
With Astris GDPR module, companies are able to audit e-mails and documents since the moment they are received, providing full auditability throughout and ensuing GDPR compliance.

Benefits

Astris GDPR module leverages human intelligence as well as automatisms
E-mails and documents are monitored by the time they are marked as sensitive.
Two-step deletion secures overall effectiveness and decrease in mistakes.
Database entries remain available in case they are needed, without compromising compliance.

Technology

Microsoft Outlook
Microsoft Exchange Server
Office 365
Astris TeamWare Suite

A unique way to manage your emails using Outlook 365

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Google Analytics. Used to distinguish users.
_ga_6WEVNQKC0X	2 years	Google Analytics. Used to persist session state.
_gid	24 hours	Google Analytics. Used to distinguish users.