There is a ton of information about paperwork needs to be done to comply with GDPR. Here we would answer the question: «What technically should be done at your mail server to meet requirements?»
First of all, let’s qualify what is ‘personal data’ according to the GDPR:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Mail server naturally keeps a lot of ‘personal data’. And it is not just about mailboxes’ content. Every time when an employee connects to corporate mail using a personal device, the server saves information about the device and IP address which can be linked to geolocation.
Even more, if you have CVs in your mailbox (most probably you have it), then your mail server contain specific personal data:
(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
As a result, even if you are not collecting personal data purposely, just by operating in B2B segment you accumulate ‘personal data’ and need to follow GDPR.
So, what technical actions need to be taken to meet the GDPR? The law gives very general requirements:
Article 32 Safety of processing
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
We recommend are the following:
- Encryption whenever it is possible as GDPR requires organizations that keep or process personally identifiable information to protect data by design
- Encryption for Exchange drives using BitLocker Drive Encryption
- Hardware encryption on storages where Exchange drives are placed, if Exchange is virtualized. Most of the vendors have this feature supported.
- Use Host Guardian Service (HGS) to protect access to the Exchange virtual machines. It prevents unauthorized access to shielded Exchange VM and protects from coping VHD.
- You must have backups and a disaster recovery plan(s). Periodically test consistency and recoverability of backup.
- For secure email transport as minimum STARTTLS must be configured on your server(s) and very recommended to configure DNS-based Authentication of Named Entities (DANE) based on DNSSEC technology
- Critical updates must be tested and installed in time to prevent potential security breaches
- Implement deleted item retention policy
- Configure Data Loss Prevention (DLP) rules to scan and report email containing personal information that could fall under GDPR rules.
- Prepare a custom script for your exchange version to manage shared mailbox and individual public folder items to delete user-defined data.
- Consider migration to the cloud. Оn-premises solutions are more flexible, but it is also more complicated, without outscoring partner it may be difficult to comply with GDPR rules.