Re: Kerio Connect and GDPR [message #139716 is a reply to message #139670]
Tue, 08 May 2018 14:22
Maerad
Messages: 275 Registered: August 2013
bm wrote on Fri, 04 May 2018 16:57:
Maerad wrote on Fri, 04 May 2018 11:41:
And yes, Kerio Connect is from our perspective GDPR compatible, it just depends on how you use it.
Good for your organisation.
From my point of view, Kerio is a huge problem for GDPR-related processes and that's the reason why we moved the critical part of our business to the Microsoft 365 cloud.
Kerio is dead. It's sad...
Honestly, without giving any reason for that, it's hard to take you seriously. Please elaborate what kind of features are missing or problematic, so that Kerio - as a mail server - can't be GDPR compatible.
On the documentation side, it's clear where the mails have gone and how they were handled afterwards. IMHO MS 365 is more problematic, because it's a cloud provider. Kerio Connect - in most cases - is hosted locally.
IMHO it's more important HOW you use it and how you organize your workflows, to allow something like the right to delete the data from a person, if requested.
Someone already said e.g. that in this case you need to delete ALL mails of the specific user and for that need to search all mails ever going through the mail server. THIS is actually a breach of the GDPR, because you could see or select mails you're not allowed to index.
Just how we do this part... we import the mails into our ERP system and delete them from the server. This way, we can be sure there is no other mail on the mail server and only in our ERP system. Here we can delete/anonymize them accordingly.
Also we use Kerio Archive with our DMS System Docuware for legal reasons. This is allowed and needed, if you are bound by law to archive the documents etc.
The GDPR is NOT about deleting data, it's about transparency and more control for the person whose data is used.
And I can only say it a hundred times - don't overdo it! The law itself is flawed and unclear in many aspects. It will need some time and official responses/clarifications/sentences what you need to do and what not. You need to show that you MADE something and are honoring the new law. You can't make it perfect, because nobody knows what really is needed in some cases.
The most important things right now are:
- Get an internal or external data protection officer/company
- Update/add a data protection information page on your website listing all the tools etc. you use, how you work with the data and how long it's saved
- Add a second data protection information page on the website for your mail signature to inform people how you process, save, use etc. the data in your company (ERP system, archive time etc.) and tell them about the deletion/information rights they have
- Do a security assessment, deploy some changes for the most extreme problems (like an address list accessible to all users) and document it.
- Make the contracts with external companies you're sharing data with (ERP system support, cloud services if they are used with personal data...)
- Let the employees sign the data protection / handling form
For Kerio itself - if the access to Kerio is secured and the backups are not accessible through the network (only for the admin), this would be enough for now. You don't need to encrypt everything like a madman. If the access is secured in a way that it can only be used for administrative work, you've done enough - at least for now.
Don't forget that there is much FUD going on and many want to sell you additional services you won't need.
[Updated on: Tue, 08 May 2018 14:26]