Can you be GDPR compliant if you have PSTs?
New on-demand webinar: Can you be GDPR compliant if you have PSTs? A Quadrotech debate.
Picture the scene:
Your HR director, Susan, accidentally leaves their laptop bag in a hotel lobby. In the bag, she has an encrypted laptop with BitLocker protection, a couple of pages of notes from the week’s meetings, and an old USB that’s been in the laptop bag. Unfortunately, the contents of the laptop bag are not recovered, so the evaluation begins – what potential risk of data leakage are we dealing with here? What steps do we need to take?
As the laptop was off, and encrypted, the IT team are able to remotely wipe the contents successfully, leaving no risk of data leakage.
When asked, Susan was confident that none of the notes contained personal data – just indecipherable dates/ times, and ‘to-do’ list type remarks. No risk has been ascertained there.
The USB is not encrypted, it hadn’t been used in about 10 months, and Susan is unclear what exactly was stored on there. She thinks that alongside some ppt presentations, onboarding guides, there was a handful of old PST files, but she can’t remember what might be on them.
This loss poses a high risk of data leakage, and given the job role in question, it is very possible (if not, likely) that the lost files contain personal data.
The question that remains is: What should this company do now, and how could they have avoided this issue?
The risks and limitations of PSTs as a file storage method have long been documented: they’re outdated, vulnerable to corruption, easy to hack into – even if they’re password protected. Many organizations have had PST files scattered across their organization since the 90’s, and this includes offline storage, like local machines, or removable storage.
With advent of GDPR, which came into effect on the 25th May, the PST file format has arguably become even more problematic for organizations. Why? Because it is extremely difficult to know what data is stored in every PST file in your organization, and whether any of it contains personal data and therefore is in scope for GDPR.
This debate-style webinar explores this question in depth, considering the implications that just one stray PST could have on your data protection efforts, and compliance with GDPR.