This article details the tools Mimecast provides to meet General Data Protection Regulation (GDPR) compliance objectives. It is intended for Administrators.
Overview
Mimecast provides tools to help you meet your General Data Protection Regulation (GDPR) compliance objectives. These objectives include:
- Responding to subject access requests.
- Conforming to the right to erasure.
- Data portability.
- Effective data retention strategies ensure data is kept only for the minimum time required.
The functionality covered below may not be part of your Mimecast subscription. Contact your Account Manager if you'd like information about available upgrades.
Effective Data Retention
You can manage retention settings in the following ways, depending on the Mimecast product you've purchased. There are three key options available to you when planning your default retention options:
- Maximum retention.
- Policy-based retention.
- Content-based retention.
Maximum Retention
Maximum Retention is set and confirmed by customers when their Mimecast account is created and serves as the upper limit on retention for the account. When no other retention policies apply to an email, the Maximum Retention setting is used. See the Maximum Retention Settings – Technical Concepts page for further details.
You can view your Maximum Retention setting by either:
- Viewing the Maximum Retention (Days) option in your Account Settings. See the Your Mimecast Account Settings page for further details.
- Selecting the Account and Support Details menu item from your Account Profile icon. See the Administration Console User Interface page for further details.
Policy-Based Retention
You can use a Content Preservation policy to set different retention schedules for Individual Users, Domains, Groups of Users or Domains, and even by Active Directory attributes. Policy-based retention settings override the maximum retention setting mentioned above and can only be set to a value lower than the maximum. See the Configuring Content Preservation (Days / Minutes) Policies page for further details.
Here is an example:
| Field / Option | Description |
|---|---|
| Retention Requirements | All emails are retained for ten years, except job application emails sent to your internal recruitment team. Your policy dictates these are only kept for six months from the date of receipt. |
| Configuration Requirements | Days resultant-Based Retention. |
Content Examination Policies can set different retention schedules where an email contains specific content. These policies can be set for emails sent to Individual Users, Domains, Groups of Users / Domains, or Active Directory attributes. Content-based Retention settings override the Maximum Retention Setting mentioned above and can only be set to a value lower than the maximum. See the Configuring Content Examination page for further details.
Here is an example:
| Field / Option | Description |
|---|---|
| Retention Requirements | All email is retained for ten years, except for emails containing a credit card number and a date of birth. Your policy dictates these emails containing certain Personally Identifiable Information (PII) are only retained for 30 days from the date of receipt. See the Content Examination Definitions - Entities page for further details. |
| Configuration Requirements | Your maximum account retention is set to 10 years. Configure a Content Examination definition and policy with the following details: |
| Result | All emails containing a credit card number and a date of birth have 30-day retention. |
All retention policies apply to email as they enter the archive. If you wish to adjust the retention of existing emails as a one-off process, you can do so using retention adjustments.
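The precedence described in this section (Maximum Retention as the default, policy-based and content-based retention overriding it, and policy values that must be lower than the maximum) can be modelled to sanity-check a planned configuration before it is applied. The following is an added example and not Mimecast code: the recruitment group, the sample messages and the card/date-of-birth matchers are constructed here, and the rule that the shortest matching retention wins when several policies apply is an assumption, since the article does not state a tie-break.

```python
import re
from dataclasses import dataclass
from typing import Callable

MAX_RETENTION_DAYS = 10 * 365  # account Maximum Retention: ten years, as in the article's examples

@dataclass
class RetentionPolicy:
    name: str
    days: int
    applies: Callable[[dict], bool]  # True when the policy covers a message

def validate_policy(policy, max_days=MAX_RETENTION_DAYS):
    """Policy-based and content-based retention can only be set lower than Maximum Retention."""
    if policy.days >= max_days:
        raise ValueError(f"{policy.name}: {policy.days} days is not lower than the maximum ({max_days})")
    return policy

def luhn_valid(digits):
    """Luhn checksum so that not every 16-digit run counts as a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional space/dash separators
DOB_RE = re.compile(r"\b(?:date of birth|DOB)\b[:\s]*\d{1,2}[/-]\d{1,2}[/-]\d{2,4}", re.I)

def contains_card_and_dob(msg):
    """Models a Content Examination definition: a Luhn-valid card number AND a date of birth."""
    body = msg["body"]
    has_card = any(luhn_valid(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(body))
    return has_card and DOB_RE.search(body) is not None

RECRUITMENT_TEAM = {"recruitment@example.com"}  # constructed sample group (hypothetical address)
POLICIES = [
    validate_policy(RetentionPolicy("job applications", 6 * 30, lambda m: m["to"] in RECRUITMENT_TEAM)),
    validate_policy(RetentionPolicy("card number + DOB", 30, contains_card_and_dob)),
]

def effective_retention_days(msg, policies=POLICIES, max_days=MAX_RETENTION_DAYS):
    """Maximum Retention unless a policy matches; shortest matching retention wins (assumption)."""
    matches = [p for p in policies if p.applies(msg)]
    if not matches:
        return max_days, "Maximum Retention"
    winner = min(matches, key=lambda p: p.days)
    return winner.days, winner.name

SAMPLE_MESSAGES = [  # constructed inline for the demo
    {"to": "sales@example.com", "body": "Quarterly numbers attached."},
    {"to": "recruitment@example.com", "body": "Please find my CV attached."},
    {"to": "billing@example.com", "body": "Card 4111 1111 1111 1111, date of birth: 12/03/1990."},
]
```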
Subject Access Requests (SARs)
On receiving a Subject Access Request (SAR), ensure you have enough information to construct the appropriate search to locate the relevant data. Once you have, follow one of the following processes:
Scenario One - Simple SAR
A simple SAR is where you can identify the relevant emails via search. For example, a former job applicant has submitted a SAR. You've decided that searching for that person's name and personal email address is sufficient. You can:
- Create a Saved Archive Search with the relevant search criteria. See the Saved Archive Searches page for full details.
- Export the data from the archive. See the Exporting Archived Message Data page for full details.
Scenario Two - Advanced SAR
You can use additional tools to complete the request for more advanced SARs that cannot be fulfilled via a simple search. For example, the searches you create may return too many results, causing you to review them to separate the relevant and irrelevant data.
- Create a Discovery Case, allowing you to manage multiple searches under one container. You can also add notes and a description to help identify the case. See the Managing eDiscovery Cases page for full details.
- Create a Review Stream. See the eDiscovery - Configuring a Review Stream page for full details.
- Review the Search Results, identifying messages as "Relevant" or "Not Relevant" as appropriate. See the eDiscovery Reviewer - Reviewing Messages page for full details.
- Export the Review Stream. This applies Smart Tags to the messages, enabling you to take further action on them. See the Reviewer - Exporting a Review Stream page for full details.
- Create another Discovery Case to export the Smart Tag messages. See the eDiscovery - Accessing A Review Stream's Smart Tags page for full details.
You can leave the review and exported results in place, as you may need to perform a secondary review or follow-up actions (e.g., processing an erasure or portability request).
Don't close the review stream until you're sure everything is complete, as doing so is permanent, and all historical review activity will be lost.
Right to Erasure
Following on from the SAR, the data subject may ask for data to be deleted. If you agree and need to delete the data, you can do this using the Retention Adjustment feature.
In the case of a simple SAR:
- First, create a Discovery Case.
- Next, add the Saved Archive Searches to the case.
- Then, apply a Retention Adjustment to the case. See the Retention Adjustments page for full details.
In the case of an advanced SAR, where the data was reviewed in Case Review:
- First, create a Discovery Case.
- Next, create Archive Searches to find the required data based on the export of Case Review. For example, create a search for the "Relevant" Smart Tag for your specific review.
- Finally, apply a Retention Adjustment. Because the archive is single-instance, all copies of the data are purged. See the Retention Adjustments page for full details.
When you purge an email from the archive, it is permanently removed from all users.
Data Portability
If you're required to fulfill a data portability request, this is achieved by exporting the data from the Mimecast platform.
In the case of a simple SAR:
- First, create a Saved Archive Search with the relevant search criteria.
- Then, export the data from the archive.
In the case of the advanced SAR, where the data was reviewed in Case Review:
- First, create an eDiscovery Case.
- Then, create Searches to find the required data based on the export of the Reviewer Application. For example, create a search for the "Relevant" Smart Tag for your specific review.
- Finally, export the data.