General Data Protection Regulation (GDPR): Configuring Mimecast

Document created by user.oxriBaJeN4 (Employee) on Jan 17, 2018. Last modified by user.oxriBaJeN4 (Employee) on Feb 13, 2018. Version 7.

Mimecast provides tools to help you meet your General Data Protection Regulation (GDPR) compliance objectives. These objectives include:

  • Responding to subject access requests.
  • Conforming to the right to erasure.
  • Data portability.
  • Effective data retention strategies to ensure data is kept only for the minimum amount of time required.

The functionality covered below may not be part of your Mimecast subscription. Contact your Account Manager if you'd like information about available upgrades.

Effective Data Retention

You can manage retention settings in the following ways, depending on the Mimecast product you've purchased. There are three key options available to you when planning your default retention settings:

  • Maximum retention
  • Policy based retention
  • Content based retention

Maximum Retention

This is set and confirmed by customers when their Mimecast account is created, and serves as the maximum retention setting allowed. When no other retention policies apply to an email, the maximum retention setting is applied. You can:

  • See the Maximum Retention Settings - Technical Concepts page for further details.
  • View your current maximum retention setting by either logging on to the Administration Console and:
    • Navigating to your Account Settings and expanding the Account Settings section. Your maximum retention period is displayed in the Maximum Retention (Days) option.
    • Clicking on your Account Profile Icon, and clicking on the Account and Support Details menu item. Your maximum retention period is displayed in the Retention field.

Policy Based Retention

You can use a Content Preservation Policy to set different retention schedules for individual users, domains, groups of users or domains, and even by Active Directory attributes. Policy based retention settings override the maximum retention setting mentioned above, and can only be set to a value lower than the maximum.

Here is an example:

Retention Requirements: All email is retained for 10 years, except for job application emails sent to your internal recruitment team. Your policy dictates these are only retained for six months from the date of receipt.
Configuration Requirements: Your maximum account retention is set to 10 years. Configure a Content Preservation policy with the following values:
Result: All emails sent to recruitment@yourdomain.com have a 180 day retention setting applied.

Content Based Retention

You can use Content Examination Definitions and Policies to set different retention schedules where an email contains specific content. These policies can be set for emails sent to individual users, domains, groups of users / domains, or by Active Directory attributes. Content based retention settings override the maximum retention setting mentioned above, and can only be set to a value lower than the maximum.

Here is an example:

Retention Requirements: All email is retained for 10 years, except for emails containing a credit card number and a date of birth. Your policy dictates that these emails, which contain certain Personally Identifiable Information (PII), are only retained for 30 days from the date of receipt. See the Content Examination Definitions: Using Entities page for further details.
Configuration Requirements: Your maximum account retention is set to 10 years. Configure a Content Examination definition and policy with the following details:
  • In the definition, check the email body for the "credit card" entity within 50 characters of the "date of birth" entity.
  • In the policy set:
    • FROM: Everyone
    • TO: Internal
    • BIDIRECTIONAL: Enable this for it to apply to all email, inbound and outbound.
    • VALUE: 30 days
Result: All emails containing a credit card number and a date of birth have a 30 day retention setting applied.

All retention policies apply to email as it enters the archive. If you wish to adjust the retention of existing emails as a one-off process, you can do so using retention adjustments.
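The two worked examples above (the recruitment mailbox policy and the credit card / date of birth definition) can be checked against a small model of the precedence rules. This is an added Python example, not Mimecast code or its API: the entity patterns, the 3650-day account maximum, and the rule that the shortest applicable retention wins when both overrides match are assumptions.

```python
import re

MAX_RETENTION_DAYS = 3650          # account maximum (10 years), constructed value
PRESERVATION_POLICIES = {          # policy based retention: recipient -> days
    "recruitment@yourdomain.com": 180,
}
CONTENT_MATCH_DAYS = 30            # content based retention for the PII definition
PROXIMITY = 50                     # "within 50 characters", as in the definition

# Stand-ins for the "credit card" and "date of birth" entities (assumed patterns).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
DOB_RE = re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check so that arbitrary digit runs are not treated as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_card_near_dob(body: str) -> bool:
    """True when a Luhn-valid card number and a date sit within PROXIMITY chars."""
    cards = [m for m in CARD_RE.finditer(body) if luhn_ok(re.sub(r"\D", "", m.group()))]
    dobs = list(DOB_RE.finditer(body))
    # Gap between the two spans; negative when they overlap.
    return any(max(d.start() - c.end(), c.start() - d.end()) <= PROXIMITY
               for c in cards for d in dobs)


def applied_retention(recipient: str, body: str):
    """Return (days, reason): the account maximum unless a lower override applies."""
    candidates = [(MAX_RETENTION_DAYS, "maximum retention")]
    policy_days = PRESERVATION_POLICIES.get(recipient.lower())
    if policy_days is not None and policy_days < MAX_RETENTION_DAYS:
        candidates.append((policy_days, "content preservation policy"))
    if has_card_near_dob(body):
        candidates.append((CONTENT_MATCH_DAYS, "content examination policy"))
    return min(candidates)   # shortest applicable retention wins (assumption)


if __name__ == "__main__":
    print(applied_retention("recruitment@yourdomain.com", "CV attached"))
    print(applied_retention("hr@yourdomain.com", "Card 4111 1111 1111 1111, DOB 01/02/1980"))
```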

Subject Access Requests (SARs)

On receiving a Subject Access Request (SAR), ensure you have enough information to construct the appropriate search to locate the relevant data. Once you have, follow one of the processes below:

Scenario One - Simple SAR

A simple SAR is where you can identify the relevant emails via search. For example, a former job applicant has submitted a SAR. You’ve decided that a search for that person’s name and/or personal email address is sufficient. You can:

  1. Create a Saved Archive Search with the relevant search criteria. See the Saved Archive Searches page for full details.
  2. Export the data from the archive. See the Exporting Archived Messages page for full details.

Scenario Two - Advanced SAR

For more advanced SARs that cannot be fulfilled via a simple search, you can use additional tools to complete the request. For example, the searches you create may return too many results, requiring you to review them to separate relevant from irrelevant data.

  1. Create a Discovery Case. This allows you to manage multiple searches under one container. You can also add notes and a description to help identify the case. See the eDiscovery Cases page for full details.
  2. Create a Review Stream in the Case Review Application. See the Discovery Cases: Configuring a Review Stream page for full details.
    This isn't available to all customers. See the Archive Case Review App blog post for further details.
  3. Review the Search Results identifying messages as "Relevant" or "Not Relevant" as appropriate. See the Case Review App: Reviewing Messages page for full details.
  4. Export the Review Stream. This applies Smart Tags to the messages, enabling you to take further action on them. See the Case Review App: Exporting a Review Stream's Messages to Smart Tags page for full details.
  5. Create another Discovery Case to export the Smart Tag messages. See the Discovery Cases: Accessing a Review Stream's Smart Tags page for full details.

You can leave the review stream and its results in place, as you may need to perform a secondary review or follow-up actions (e.g. processing an erasure or portability request).

Don’t close the review stream until you’re sure everything is complete, as doing so is permanent and all historical review activity will be lost.

Right to Erasure


Following on from the SAR, the data subject may ask for data to be deleted. If you agree and need to delete the data, you can do this using Retention Adjustments.

In the case of a simple SAR:

  1. Create a Discovery Case.
  2. Add the Saved Archive Searches to the case.
  3. Apply a Retention Adjustment to the case. See the Retention Adjustments page for full details.

In the case of an advanced SAR where the data was reviewed in the Case Review app:

  1. Create a Discovery Case.
  2. Create Archive Searches to find the required data based on the export of the Case Review application. For example, create a search for the "Relevant" smart tag for your specific review.
  3. Apply a Retention Adjustment. As Mimecast is a single-instance archive, all copies of the data are purged. See the Retention Adjustments page for full details.
    When you purge an email from the archive it is permanently removed from all users.

Data Portability


If you’re required to fulfill a data portability request, this is achieved by exporting the data from the Mimecast platform.

In the case of a simple SAR:

  1. Create a Saved Archive Search with the relevant search criteria.
  2. Export the data from the archive.

In the case of the advanced SAR where the data was reviewed in the Case Review application:

  1. Create a Discovery Case.
  2. Create searches to find the required data based on the export of the Case Review application. For example, create a search for the "Relevant" smart tag for your specific review.
  3. Export the data.