FAQ - Baseline GDPR Toolbox

It is an IT Relation solution that ensures that GDPR data in emails and files are identified and handled. The solution automatically scans GDPR data for the individual employee and makes it easy and clear to handle GDPR data.

Baseline GDPR Toolbox basically scans the Microsoft 365 applications Exchange (mails and attachments), OneDrive and SharePoint and Teams sites (SharePoint sites).

Exchange Online Archive:
The Exchange Online Archive in Microsoft 365 is NOT scanned.
Feel free to contact gdprtoolbox@mening.dk for info about this.

Some people should not be scanned for GDPR data:

• Union Representative - It is not allowed to scan emails for a union representative unless you have the person's written permission. Therefore, you must either have it or fail to mark a trust representative for scanning (See where you mark users for scanning in Appendix A).

• Leave, maternity leave or long-term sick leave - You must be aware that users on leave, maternity leave or long-term sick leave do not look at the notification reports that are sent out. This means that they can potentially have their GDPR emails deleted without having assessed them*. Therefore, they may not need to be marked for scanning or removed from the scan list. You can change your decision by notifying gdprtoolbox@itrelation.dk

Note: Your company chooses whether Automatic Deletion of GDPR related mails / documents should be activated.

• E-mails and documents that have been omitted by the company (eg HR folders)
• Folders named "Private" in Outlook and OneDrive
• "Deleted record" in Outlook. We recommend instead that a delete policy should be created on the folder

The solution scans according to a wide range of criteria. The criteria are composed on the basis of the Danish Data Protection Agency's guidelines for what GDPR-related content is:

• Sensitive personal information
  • Health information
  • Trade union membership
  • Ethnic and religious beliefs
  • Sexual orientation
• General personal information
  • PII-pictures (Personal Identifiable Information)
  • Travel information
• Confidential personal information​
  • CPR & +20 European countries national ID
  • Danish driver's license & +20 European countries Danish Passport & +20 European countries
  • Written warnings
  • Annual accounts
  • Salary / Loans
  • Application / Job offer / CV
  • Commissions / Bonus Agreements
  • Termination
• Criminal offenses
  • Criminal record
  • Offenses, fines, convictions

The solution is constantly scanning for new GDPR data.

Users receive a new notification email every month, but it is always possible to use the link in the notification email to go in and get the current image.

The individual user has the following options for handling GDPR data:

• Marking as "Not GDPR" on datasets (e-mail and documents) that are not related to GDPR data anyway. The dataset marked "Not GDPR" will not appear in the future notification report
• Marking as "Private" on datasets (e-mails and documents) that are related to the user as a private person. The dataset marked "Private" will not appear in the future notification report.
• Marking as "Dispensation" on the dataset (e-mail and documents), after which there is a need to continue to keep the information.
• Marking as "Delete now" on the dataset (e-mail and documents) that must be deleted now (the deletion takes place by a run that is made within 24 hours).
• Visualization of the process on which the Baseline GDPR Toolbox is based on. If you have made customer-specific changes, this can have an impact on the process.
   

The data set that is not handled, cf. the above options, will be deleted automatically after 2½ months.

Note: Your company chooses whether Automatic Deletion of GDPR related mails / documents should be activated.

The individual user receives an e-mail with a link to the Baseline GDPR Toolbox. Via the link, the individual user gets access to GDPR data related to the user's e-mails and documents.

Notification e-mails are sent once a month, but the link works all the time and the content is updated regularly. Therefore, the individual user  does not have to wait until next month to review GDPR data.

At start-up, notification emails are sent separately for mail, sharepoint, onedrive, etc.
but it is possible to gather several sources in the same advisory email.

Note: Your company chooses whether Automatic Deletion of GDPR related mails / documents should be activated.

Insight search on defined person (name / civil registration number) can be done via itm8.

For help with this, write an e-mail to gdprtoolbox@mening.dk.

The established procedure for this is subsequently followed in collaboration with your contact person responsible for GDPR Toolbox.

Datasets (documents and emails) placed in Private folders or items marked with "private" (regardless of uppercase and lowercase letters) are not included in the Notification Report and are not included in the Baseline GDPR Toolbox reporting.

If an employee marks data with "Private" in the Notification Report, it counts in the Baseline GDPR Toolbox reporting, but will in future be removed from the notification report.

Explanation:

• Items in the Private folder or with 'private' in the subject line, the employee is responsible for storing properly.
• Items tagged as 'private' are not initially identified as a private item and therefore it is the company's responsibility to keep it safe.

Data must be at least 3 months old and contain one or more GDPR words to appear in the notification report.

When a Mailbox / OneDrive folder is scanned, the notification email is sent to the owner of this Mailbox / OneDrive and it is the owner who can use the link to the notification report and process any. GDPR items on the list.

When a Shared Mailbox is scanned, the notification email is sent to the shared mailbox and it’s the people who have access to the shared mailbox who can use the link to the notification report and process GDPR items on the list.

It is not possible to change the recipient of a notification email for a shared mailbox in the Baseline GDPR Toolbox to e.g. a person.

If you want to change the recipient of the notification email, this can be done via Microsoft 365 and the use of "Rules" in Exchange / Outlook.

Baseline GDPR Toolbox sends emails from gdprtoolbox@mening.dk or gdprtoolbox@itrelation.dk and emails from here can then be forwarded to one or more recipients. These recipients can use the link to the notification report and manage the GDPR elements from here.

If a recipient does not have the right to the shared mailbox in question, it will not be possible to use the link in the notification report for the individual element.

for handling GDPR elements on existing SharePoint sites - this is done via the Baseline GDPR Toolbox onboarding procedure, where it is also possible to specify which sites may need to be omitted.

The person in charge receives the notification email and can use the link to the notification report and process GDPR items on the list.

When new SharePoint sites are created in Microsoft 365, the notification email will by default be sent to the owner of the individual SharePoint Site and the owner can use the link to the notification report and process GDPR elements in the list. It is not necessarily the right recipient, and it is possible to write to us (gdprtoolbox@mening.dk) to have it corrected.

If an owner of the individual SharePoint site has not been added to Microsoft 365, the site will be without an owner - an overview of owners of SharePoint sites can be seen via the Baseline GDPR Toolbox reporting on the customer portal.

Determination of responsible person in SharePoint takes place at Site level.

Baseline GDPR Toolbox cannot issue new notification reports with links to individuals.

We can send out a new notification report to everyone in the company

Otherwise he / she has to wait for the next automatic broadcast on the 7th of next month

1 user = 1 O365 account

This means that both personal and shared mailboxes count as one user each.

In return, we scan Sharepoint without counting it in the number of users.

We make a count approx. d. 20. in each month and this forms the basis for per. uses the settlement every month.

When we need to check if a specific user has GDPR data or if an email is categorized correctly or ....

It will be faster and easier for everyone if we have as much information as possible about the user / email in question

That is, we want to know:

• email address 

If it is a specific email we would like to know:

• To
• From
• Subject field (if you have it - or as much as possible)
• Date and time

It facilitates our search

You must enter a default email address.

If you do NOT write anything in the GDPR responsible for a given folder, then the default mail address will receive the GDPR notification report.

If you enter an email address, that email address will receive the GDPR notification report.

Notification report are sent out monthly just like for emails.

The following is a temporary solution to the task of adding / removing users from the GDPR scan.

In an upcoming release of the Baseline GDPR Toolbox, it will be possible to automate the addition / deletion of users so that it follows the normal IT Relation procedure for new / removed users.

If you want to add or remove users from the GDPR Toolbox scan, write to

gdprtoolbox@itrelation.dk

and specify email addresses and whether users should be added / removed.

If there are many users, it may be easier with a spreadsheet. Let's have a talk about it then.

Baseline GDPR Toolbox scans the user's accounts until we are notified to stop and remove the customer scan via email to gdprtoolbox@mening.dk or your IT partner in ITM8.

Every month, a notification email is sent out to users.

The link to the notification report in the mail is the same from time to time, so it is always possible to use that link to get in and check its current status.

You can save it in your browser and use it every time you go in and check your GDPR status. Also in the middle of the month.

Every month we send out notification emails to those users who have potentially GDPR sensitive emails.

It is important to note where mail is sent from, as hackers can also send emails out to fish for data.

If you receive a notification email from Baseline GDPR Toolbox, then the header should look like this:

From: gdprtoolbox@mening.dk <gdprtoolbox@mening.dk>
Sent: Jun 1, 2021 4:03 pm
To: XXXXXXXXX
Subject: Baseline GDPR Toolbox report

You may receive mails from gdprtoolbox@mening.dk or gdprtoolbox@itrelation.dk

Notification email contains a link that leads to a web page with the notification report, where you can see all the emails that potentially contain GDPR data.

This notification email comes from the Baseline GDPR Toolbox.

It is important to inform all users before the first broadcast that an email is coming from the Baseline GDPR Toolbox and that it is ok.

Users are warned again and again (and with good reason) that they do not click on a link in an email from an unknown sender.

There is a risk that users will delete notification emails, because "they have learned that".

Therefore, an internal email must be sent out so that users are informed that the notification email is in order.

Notification is sent out when the company has decided to get started. The e-mail will then be sent out once a month.

Experience shows that the period just around the 1st in a month creates a lot of pressure for both customers and suppliers.

There are time registrations, month-ends and invoicing, so there does not have to be a notification email that you have to correlate to.

Therefore, we move the sending out of the monthly mail to the 7th of the month.

It is always possible to use the link in an old email to access GDPR portal, but the broadcast of mails takes place on the 7th of the month.

Notification e-mail will be received by each user in their personal mailbox. Users who manage shared mailboxes or Sharepoint leaflets included in the GDPR scan, will also receive notification e-mails for these.

Best practice is only by sending out emails to those individuals who have potentially GDPR sensitive data. Therefore, emails are only sent to users who have potentially GDPR sensitive data

Each notification e-mail contains a link to the Baseline GDPR Toolbox server, where it is possible to see which documents potentially contain GDPR data for the individual user.

Link and notification e-mail are the same from time to time, so it can be saved in favourites, so you can always check your GDPR data without having to wait for the next notification e-mail.

Occasionally, GDPR sensitive emails appear in notification reports placed in synchronization folders.

That folder can be difficult to find in Outlook, so here is help to find folders:

Tap the 3 dots below mail folders in Outlook:

Select "Folders" / "Folders"

It is now possible to view synchronization logs with other mail folders

It is removed again by pressing the mail folder again.

Mails that are down here are mails that for one reason or another failed while syncing Outlook.
They can usually be deleted without further inspection.

It is only possible to access the notification report from the deep link that is included in the notification email.

Here is an example of deep link (it has been changed so it does not work, it is only an example)
https://gdprtoolbox02.itrelation.dk/report-dashboard?token=Ip7hY88xxxxxxx4OFiHeInYBAoxxxxxxxhW5pGmPd5hqqorKat2QGvr50XtY RlXc7MngyF.mHQyMBmXCO_cdvRTj8Qs8Czu9SAmiW7Q.Degilu.xxxxxxxxx0a6D 8TXj6l_P0UjRvAYKisydYnCiho_XxxxxxxxVqCpG8tp18dmo-

It is not possible to access the notification report from the parent link, eg https://gdprtoolbox02.itrelation.dk/

As a user, you go in and see GDPR data for either Exchange, SharePoint, OneDrive or Files (Plus customers).

When starting from the top, the GDPR Toolbox does not know what to display.

You get access to your Notification Report using your regular AD login.

When you click on the link in your Notification Email, a browser with a login page opens.

You must select "Sign in with Office 365" and enter your AD login information.

Note: It is NOT possible to log in by pressing Advanced Login.

In this section you can get help on how the notification report works.

The individual user has the following options for handling GDPR data

• Marking as "Not GDPR" on datasets (mail and documents) that are still not related to GDPR data. The dataset marked "Not GDPR" will not appear in the future notification report.
• Marking as "Private" on datasets (emails and documents) that are related to the user as a private person. The dataset marked "Private" will not appear in the future notification report.
• Marking as "Dispensation" on the dataset (mail and documents) on which there is a need to continue to keep the information.
• Marking as "Delete" on the dataset (mail and documents) that must be deleted now (the deletion takes place by a run that is made within a day).

The data set marked with "Not GDRP", "Private" and "Dispensation" is still displayed in the report via the customer portal. See more under the item: Reporting / Customer portal

The next chapters deal with the functionality of the individual elements of the notification report.

NOTE: Customer-specific configuration of the following may be agreed differently for your company.

Your company chooses whether Automatic Deletion of GDPR related mails / documents should be activated.

When an email / document has appeared in a notification email for 2½ months (3 times) because it contains GDPR data, it is deleted automatically if the user has not responded with a tagging. (Dispensation, Non-GDPR, Private, Delete-Now)

This means that an email is a minimum of 5½ months.
It only appears in a notification report when it is 3 months old.

When a customer is put into operation, there may be some old data that needs to be handled and it is not certain that everything has been processed to the start date.

Therefore, "Automatic Deletion" will not be initiated until we are sure that all "backlog" has been processed and the customer has had a reasonable time to check old mails.

When the Baseline GDPR Toolbo automatically initiates deletion, the age of the email applies. Mail must be older than 3 + 2½ = 5½ month.

It is possible to choose which language you want the texts to be on the page.

It is not possible to see GDPR text in several languages, only the standard button texts etc. on the web page

The text above all GDPR e-mails found provides a quick description of what data has been found and what can be done about it.

What you enter in the search field to search for content for all e-mails inserted in the GDPR listen.

The first time you enter the notification report, the two numbers will be the same. There are a total number of GDPR elements and all are displayed.

As the user takes a stand on the various elements and marks them as Private, Not GDPR, Dispensation or deletes them, the number of "Showing" will be reduced to those that are left and which need to be handled.

It is possible to filter your GDPR data so that you only see subsets. You can e.g. choose to see only GDPR data that contains CPR numbers or both "Illness" and "CV" GDPR data.

Each Information occupies a line on the page. It can be an advantage to be able to see as many elements as possible on a page. Therefore, one can hide his filters. It is always possible to unfold them again.

Basically, an item is unread.
But if you have entered the GDPR rapport and looked at a dataset, it is marked as 'read'. It is no longer written in bold.

You can select several items and set them to read / unread at a time. See ‘Multiselect’

It is possible to get a preview of the individual dataset if you press '+'.
Then the individual dataset unfolds and you can see why it was marked as GDPR.
Afterwards you can close it again by pressing '-'

Each individual data can be marked with

• Dispensation
• Non-GDPR
• Private

To select, click on the 3 vertical dots to the right of the item.
This gives you the opportunity to mark which type you want.

See section with "Multi-select options" for how to perform the same thing for multiple items at once.

It is possible to select several items at a time by clicking in the multi-select fields.

If you use multi-select, you can perform the same functionality on several datasets at once.

A 'taskbar' opens at the bottom of the page, where you have the option to select an action:

You can mark all as read / unread and if you click on the 3 vertical dots, you can set whether all selected elements should be marked as Non-GDPR, Private or Dispensation.

There may be more found GDPR data than there can be shown on one page. Therefore, you can go to the next or previous page.

It is possible to choose between displaying 25, 50 or 100 items at a time.

In connection with scanning of all users' data, access is opened for reporting on the company's GDPR status, which takes place via IT Relations' customer portal. It is possible to get an overview of the company's GDPR data (without access to specific GDPR data) and the distribution of the different types of GDPR data.

Distribution of the various found GDPR data:

• Distribution by types
• Distribution over time
• Distribution by users (e-mail addresses)
• Distribution over datasets marked with "Not GDPR", "Private" and "Dispensation"

If you and your users find that there are certain files, file types or anything else that is always captured by the Baseline GDPR Toolbox and which must be marked with "Not GDPR", then you are welcome to contact us for an adjustment of the search filters.

This service is billed separately according to time spent.

It is NOT possible to see the specific datasets, only the type and number and their distribution by user and sources.

ITR Customer Portal: https://kunde.itrelation.dk. Your contact person gets a login to the portal. More users can access, send an e-mail to gdprtoolbox@itrelation.dk in connection with access to more users.

Baseline GDPR Toolbox provides via the customer portal an overview of which SharePoint sites are inclusive and exclusive in the GDPR management.

If multiple SharePoint sites are created with the same name in Microsoft 365, then the respective SharePoint sites will also be with the same name in the Baseline GDPR Toolbox reporting.

Baseline GDPR Toolbox reporting provides an overview of who is responsible for GDPR management on the individual SharePoint sites.