Compliance with the Requirements of GDPdU

  • 826 views
Uploaded on

This white paper examines the different methods for deploying and managing an email archive solution in an organization and specifies the key requirements that a full featured email archiving system …

This white paper examines the different methods for deploying and managing an email archive solution in an organization and specifies the key requirements that a full featured email archiving system should include.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
826
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
18
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. GFI Software | www.gfi.com WhitePaper Compliance with the Requirements of GDPdU using the Software GFI MailArchiver 6 for Exchange compiled in cooperation withAugust 09
  • 2. A. Introduction ................................................. 2 According to this regulation, all e-mails with tax-B. Legal principles........................................... 3 relevant content are to be electronically retainedC. Technical and organisational for the duration of the statutory retention period requirements ............................................... 4 and must be made available on request of the I. Electronic evaluation ............................ 4 fiscal authorities. II. Completeness and unalterability ......... 5 III. Secure and traceable data processing Specific requirements regarding nature, format and and data storage.................................... 5 processability of electronically retained e-mails IV. Adequate data accessibility ................. 5 must be satisfied. V. Assignment capability of e-mails and An arbitrary storage in individual mailboxes of related business transactions.............. 6 personnel or a printout of tax-relevant e-mails are VI. Provision of adequate process documentation....................................... 6 now insufficient. VII. Data protection requirements .............. 6 Companies that have not adjusted their financialD. Risks............................................................. 6 accounting to the new statutory requirements ofE. GFI MailArchiver 6 Checklist ..................... 9 GDPdU may be subject to substantial sanctions in their next tax audit. Exceptionally severe violationsA. Introduction may result in an estimation of the tax basis as wellWe can no longer imagine conducting busi- as penalty payments and a fine on arrears that canness without e-mail. Today entire transactions amount to EUR 250,000.are conducted based on e-mail exchanges. Electronic archiving systems offer a complianceAs e-mails often serve as business letters and solution to the high demands of e-mail retention.so-called “commercial letters“ and are also Note, however, that a solely technical solution bysignificant for taxation, specific requirements itself does not lead to compliance.regarding processing and retention of these e-mails are imposed. Compliance with retention requirements can be achieved only through technical solutions inThe German Tax Code (§ 147 AO) controls combination with coordinated procedures andthe requirements for tax-relevant e-mails. processes.Pursuant to the Tax Code, tax-relevant e-mailsmust be retained for either six or ten years. It is a prevalent misapprehension that a “certified“ system by itself suffices to comply with the variousIn addition, a detailed statutory regulatory requirements. That is simply not true.requirement on data access of the Germanfiscal authority called GDPdU (broadly Many software producers leave their customerstranslated as “Generally Accepted Principles unaware of the true extent of complianceof Data Access and Auditability of Digital requirements and may conceal that in addition toDocuments“) has been in effect in Germany simple storage, organisational procedures infor several years. connection with the filing structure for e-mails and 2
  • 3. attachments as well as prompt retrieval must Documents subject to retention obligations arebe implemented. e. g.:GFI Software strikes a new path. In addition to accounting vouchers, account books anda certification issued by a German commercial lettersaccountancy of the e-mail archiving software physical documents in hard copy (e. g.GFI MailArchiver 6 concerning compliance incoming commercial letters or manuallywith GDPdU, GFI Software offers a generated accounting vouchers and othercomprehensive solution. In addition to the vouchers)proven technical archiving solution, support for procedure documentation and user manual,the structuring of the necessary organisational documentation of the internal control systemprocedures and processes is provided. (ICS) as well as other documents needed forThis document is designed to provide understanding the financial accountinginformation about the requirements of German E-mails with tax-relevant content also fall into thefiscal authorities and to support, on the basis category of documents with a retention obligationof a pragmatic checklist, the implementation of pursuant to § 147 (1) No. 5 AO.procedures pursuant to statutes. Details of the statutory specifications can beB. Legal principles gathered from different relevant statements,Pursuant to German commercial and fiscal law policies and regulations, including amongst others:(§§ 238, 239, 257 HGB and §§ 145-147 AO) Grundsätze ordnungsmäßiger Buchführungaccount books and other accounting records (GoB, broadly translated as “Generally Accept-can be maintained under certain conditions on ed Principles of Proper Accounting“) inan image carrier or any other data carrier. accordance with §§ 238 et seq., 257 HGB andAccordingly, storage of tax-relevant docu- §§ 147 et seq. AOments on digital data carriers – e. g. in Grundsätze ordnungsmäßiger DV-gestützterelectronic archiving systems – is possible. Buchführungssysteme (GoBS, broadly trans-Electronic archiving is defined as unalterable lated as “Generally Accepted Principles oflong-term storage of documents subject to Computer-Assisted Accounting Systems“),retention obligations on machine-readable issued by the Federal Ministry of Financedata carriers to fulfill the statutory retention (BMF) in a written communication on 7requirements pursuant to § 257 HGB and 147 November 1995AO. 3
  • 4. Grundsätze zum Datenzugriff und zur assignment capability of e-mails and related Prüfbarkeit digitaler Unterlagen (GDPdU), business transactions issued by the BMF in a written communi- provision of adequate process documentation cation on 16 July 2001 data protection requirementsWith an intent to provide details of theserequirements, the Institute of German Public I. Electronic evaluationAuditors (“Institut der Wirtschaftsprüfer in According to GDPdU, electronic evaluation mustDeutschland e.V.“, IDW) published on 11 July be provided. The data sourcing archiving system2006 a statement for proper accounting when must have processing capacities, in a quantitiveapplying electronic archiving, called and qualitative degree, similar to that of the source“Grundsätze ordnungsmäßiger Buchführung system as if the data was still in the productivebeim Einsatz elektronischer Archivierungs- system (broadly paraphrased from the BMFverfahren“ (IDW RS FAIT 3). pronouncement).Additionally, there are data protection During a transfer no changes may occur to therequirements determined by the Federal Data object to be archived or to its ability to beProtection Act (“Bundesdatenschutzgesetz“, evaluated.BDSG). With regard to generic digital documents, it is to beC. Technical and organisational noted whether structural information is present in requirements addition to content that is necessary for electronicRegulations, including pronouncements of the evaluation.German fiscal authorities, do not prescribe any For example, the “header“ of e-mails contains,certain technique for electronic archiving. amongst other information, details about theHowever, there is mutual agreement about sender, recipient and coding and is consideredcertain technical and organisational part of the structural information.requirements related to any system for In addition to the e-mail itself and the structuralelectronic archiving of e-mails: information, e-mail attachments are also of electronic evaluation importance. They are to be taken into completeness and unalterability consideration when the tax relevance of an e-mail is evaluated and should maintain their capability to secure and traceable data processing and be evaluated during the entire archiving process. data storage adequate data accessibility 4
  • 5. II. Completeness and unalterability The complete storage of captured data is to be ensured in a retraceable manner and error-freeAll data must be fully archived. Therefore data saving is to be ensured by suitable plausibilityfrom the source system may not be filtered in controls.any way. To assure information security and data protection,Fiscal authorities attach great importance that the archiving software may allow for read-only datano densification of information occur prior to access in light of separation of functions andacceptance by the archiving system or authorised interest, and as required in interactionsubsequently to acceptance, because a loss with the operating system as well as applied third-of tax-relevant information cannot be party software (e. g. database system).precluded. Thus, encrypted storage as well as encapsulationThe unalterability of archiving objects is to be of the master file is permissable to the extent thatensured during all stages of the archiving the master file can be readably retrieved withoutprocess. The duplicability of the process is to causing a delay in the audit process.be ensured through proper logging. Storage in a data format deviating from the masterThe applied archiving procedures have to be file is not acceptable and may act only as aperformed such that the following supplement to the master file.requirements are fulfilled: parameterisation of all systems of the IV. Adequate data accessibility archiving solution that ensure the capture The applied archiving system must technically of tax-relevant data enable free access to data and documents. loss-free data transfer to the data capture To ensure prompt data access for fiscal authorities system the archiving solution must allow for readability and prompt periodic archiving reproducibility of the archiving objects at any time archiving of data true to the original in both during the entire retention period. imagery and content In order to ensure the retrievability of tax-relevantIII. Secure and traceable data e-mails, the requirements for proper filing must be processing and data storage satisfied. Therefore it is essential that each e-mail is assigned a unique index value.Any subsequent changes to the archivedobjects must be prevented at all levels Moreover the system should dispose of a suitableincluding the operating system, database and method for keyword indexing to map relations onapplication level. data outside the archiving system. This ensures 5
  • 6. that the tax auditor is able to retrace a logical user documentationchain of tax-relevant business transactions technical system documentationincluding the examination of particular data operational documentationobjects. Therein the applicable procedures are to beV. Assignment capability of e-mails determined and verifed. This applies in particular and related business transactions to the controls designated to the respectiveThe assignment of tax-relevant e-mails to procedures.corresponding business transactions is Moreover the process documentation shall containmandatory. This is rather complicated due to technical (e. g. interface definitions to precedingthe characteristics of e-mails. and subsequent systems) and organisationalThe following alternatives are possible: definitions (e. g. point in time and frequency of tax-relevant e-mails with reference to one archiving processes). business transaction VII. Data protection requirements tax-relevant e-mails with reference to Along with the fundamental problem of automated numerous business transactions e-mail qualification, using server-sided archiving in tax-relevant e-mails not in reference to any companies also includes difficulties with regard to business transaction data protection requirements.Fiscal authorities do not provide specific Through server-sided automated archiving of e-operational guidelines on how such an mails, all incoming e-mails are captured beforeassignment is to be made in a reliable they reach the recipient’s individual sphere ofmanner. Insofar the taxpayer is not subject to control on his workstation computer. In this case,any restrictions regarding his choice of private e-mails would also be subject to archiving.procedures. A suitable archiving systemshould nervertheless provide for convenient D. Risksmethods to allow for such an assignment. The risks resulting from a failure to satisfy statutory requirements are numerous. In addition to potentialVI. Provision of adequate process documentation legal consequences, they primarily affect image, profitability and efficiency of the company.The archiving solution must dispose of anadequate process documentation, consisting Material risks are e. g.:of the following components: non-deductibility of input VAT 6
  • 7. sanctions for non-compliance with Loss of evidentiary value regulations Inadequate archiving may result in a loss of loss of evidentiary value evidentiary value and thus result in an indefinite financial risk. data protection violations This is particularly possible if the archived e-mails increased in-house expenses do not remain unaltered and in their original disclosure of sensitive internal information format, as required. For example, businessNon-deductibility of input VAT correspondence between customers and suppliers may represent essential evidence in litigationAs a result of inadequate or incomplete where the content and sequence of events arearchiving of incoming invoices received by the material.company via e-mail in the context oftransmission of electronic invoices (“e-billing“), Data protection violationsthere is a danger of losing the deductability of Violations of data protection requirements areinput VAT. especially possible as a result of insufficientIn this context, the proper archiving of the so- physical and logical access restrictions to materialcalled “validated electronic signature“, data if access to or even manipulations of personalaccompanying an electronic invoice must be data are thereby possible.considered. In Germany, the “Value Added A violation of data protection regulations mayTax Act“ (Umsatzsteuergesetz, UStG) result in substantial monetary fines ranging, in thedemands a validated electronic signature on worst case, from EUR 50,000 as a consequence ofelectronically transmitted invoices in order for violations of procedural rules to EUR 300,000 forthe company receiving the invoice to deduct violations of material data protection regulations.the input VAT. Increased in-house expensesSanctions for non-compliance with The in-house expense of providing prompt andregulations free data access to fiscal authorities must also beViolations of regulations may result in considered.sanctions by fiscal authorities ranging from For example, a subsequent sorting of apenalties and fines on arrears for exeptionally progressive increase of e-mail data may result in asevere violations that can amount to EUR considerable operating expense.250,000 (§ 146 2b AO) and may extend to anestimation of the tax basis. In contrast, proper filing normally results in 7
  • 8. significant efficiency advantages.In addition, the implementation of a dedicatede-mail archiving solution avoids unnecessarydata redundancy and excess use of resources(e. g. storage capacity).Disclosure of sensitive internal informationThe fiscal authorities are not subject to anyrestrictions regarding exploitation ofinformation that has accidentally come intotheir possession or which exceeds the objectof the audit.Failed or flawed separation of tax-relevant e-mails from non tax-relevant e-mails may leadto a situation where, as a result of thedisclosure of internal information which wasnot an object of the audit, fiscal authoritiescould acquire facts that might be to thecompany’s disadvantage. This represents anavoidable risk. 8
  • 9. E. GFI MailArchiver 6 Checklist Parameterisation and interfacesSystem Design In order to allow for a configuration of the archving solution that complies with the requirements ofSelection of a suitable archive storage GDPdU, the following mandatory preparations on Does the selected archive storage comply the side of the source system (MS Exchange with the requirements of unalterable and Server) are to be made prior to the initial operation: traceable archiving? Definition and installation of the journaling It is essential that the archive storage mailbox that is to contain all e-mails designated allows for comprehensive logging of all for archiving of the corresponding server saving processes and subsequent data Activation of envelope journaling in MS access (including the database level). Exchange Server to ensure the completeness The database system MS SQL Server of the scope of archiving, comprising all serves as a suitable data storage. possible e-mail recipients including blind Subject to appropriately configured access carbon copy recipients (BCC) rights the above referenced requirements This feature is already activated by default are fulfilled by complete storage of all data when using MS Exchange Server 2007. within the database to enable GDPdU- Activation of the message tracking function to compliant storage. allow for subsequent verification of completeSecurity of data connection archiving Does the archiving of e-mails occur via In addition to the mandatory preparations for network connections from source systems GDPdU-compliant archiving, the following that are not located within the user’s recommendations should be considered: sphere of confidence (e. g. from remote Is it ensured that the scope of e-mails MS Exchange Servers)? designated for archival storage is not limited by In this case unalterability within the archiving option settings of GFI MailArchiver? transmission path has to be ensured by With regard to completeness aspects the encryption protected file transfer. following settings are to be made: For this purpose it is necessary to select Capture of e-mails in all possible directions the transmission protocol IMAP with (incoming, outgoing and internal) secure sockets layer (SSL) in GFI MailArchiver to connect with the source No exclusions based on blacklisted user system. 9
  • 10. accounts of the windows domain or archiving system and/or is an administration specific e-mail addresses manual placed at its disposal? No limitations on the number of users Are maintenance and operations control tasks based on whitelisted user accounts of of the archiving system properly defined and the windows domain or specific e-mail contained in a superordinated concept of IT addresses related controlled operations? Exceptions result from user accounts or e- Are all verification tasks properly defined? mail addresses where tax relevance of the Does the configured authorisation concept e-mail traffic can definitely be excluded. comply with the predetermined competencies Is it ensured that no archiving policies are and is the procedure adequately documented? installed which allow for a storage time Capture shorter than the statutory retention period (e. g. retention policies for immediate Are all procedures and techniques that allow deletion based on predefined features)? for verifiable complete and correct capture and archival storage of e-mails properly definedProcesses and organisation and documented? Does the written definition serve as a GFI MailArchiver does not support the logging suitable method to allow a competent third of e-mails transferred via standard interface party to comprehend content, structure from MS Exchange Server. Therefore the and process flow of the procedures within verification of loss-free and thus complete data an appropriate timeframe? transfer, according to the requirements of Are all responsibilities for the particular GDPdU, must be provided by the logging process steps (functional and IT related protocol generated by the particular source operations) for all archiving components system (MS Exchange Server). fully defined? If necessary, it is possible to verify complete Is it ensured that users are instructed on archiving by comparison of the logging how to operate the archiving system protocols (which are generated by the and/or is a user manual placed at their message tracking function of MS Exchange disposal? Server and show the processed e-mails) with the subsequently stored e-mails in the archive Is it ensured that the system administration on the basis of common identifying features. is instructed on how to operate the 10
  • 11. Are suitable procedures in place that based automated labelling – especially as a ensure compliance with the requirements sole technique. An evaluation of tax relevance of GDPdU with regard to the archival is usually too complex for predetermined storage of signed and encrypted e-mails? policies to operate in a reliable manner. A subsequent editing of archived e-mails In any case, such policy-based automated and the combined capture of e-mails with procedures should be accompanied by a additional data sets that are not directly manual verification. obtained from MS Exchange Server are Has a procedure been defined that allows for not supported by GFI MailArchiver. an assignment to one or multiple business Therefore appropriate procedures should transactions by means of a suitable keyword be installed (e. g. manual keyword indexing in GFI MailArchiver? indexing) to allow for an assignment of The option provided by GFI MailArchiver to signed or encrypted e-mails to their individually apply labels visible to all users to corresponding verification records or e-mails that are accessible by the user allows, decrypted e-mails and related decryption in addition to a labelling of tax relevance, for a keys. direct assignment to a corresponding businessIndexing and keyword indexing transaction. Are the procedures for the labelling of tax- This can be implemented by applying a label relevant archived e-mails unambiguously (e. g. keyword index) that contains identifying specified? features allowing for a retrieval of corresponding content in other systems. There are two fundamentally different options provided by GFI MailArchiver 6 on Has a procedure been defined that allows for a how labels can be attached to e-mails: distinct assignment of the archived e-mails in a separate accounting system? Automatically through policy-based labelling at the moment of archiving by In this regard, the identifier (“Identification means of definable categorisation Code“) that enables distinct identification of policies archived e-mails within GFI MailArchiver is important. Manually through subsequent manual Assimilated in an external system (e. g. ERP labelling of archived e-mails that are system ), this identifier can serve as a so-called accessible to the user “foreign key” to establish a logical reference to It is advisable to refrain from a policy- 11
  • 12. the related e-mails and, in this way, an Addition of the second parameter, theassignment to the business transaction. Connection-ID (“connectionId“): http://localhost/mailarchiver/mailview-The “Identification Code“ accessible at the .aspx?id=-2147483647&connectionId-application level provides valuable help in =b44d3270-8bdb-43d2-8fa2-enabling technical usage of such a foreign 67eb6ead54a9key reference in a networked systemenvironment. Entering the URL results in a view of the specific e-mail in the archive:Subject to appropriately set up access http://localhost/mailarchiver/mailview.aspx?id=rights, the archived e-mails can be directly -2147483647&connectionId=b44d3270-8bdb-addressed out of external systems via 43d2-8fa2-67eb6ead54a9hyperlink. However, for this to function, it isnecessary that the referencing system Storage and administrationcontain a method to generate the uniform Is it ensured that the selected archive storageresource locator (URL) autonomously. provides the forseeably required storageThe utilisation of GFI MailArchiver’s capacity and that this is monitored regularly?identifier “Identification Code“ to serve as areferencing linkage out of an external Is it ensured that subsequent verifiability ofsoftware system is possible using the complete archiving based on a comparison oftherein contained parameters “id“ and e-mails transferred by MS Exchange and“connectionId“. e-mails archived by GFI MailArchiverSuch a URL can be composed as follows: (preferably by means of their message-id) is possible? Addressing the user interface of GFI MailArchiver to view the e-mail: Accordingly, it is necessary to assure that the http://localhost/mailarchiver/mailview- MS Exchange Server logs which enable the .aspx? comparison on the source side be stored loss- free (e. g. no overwriting, only append mode) Addition of the (“id“) representing the as long as the archived data itself. active archive store of GFI MailArchiver: Readability and retrieval http://localhost/mailarchiver/mailview- Is a tax auditor user account set up that .aspx?id=-2147483647 enables access to all tax-relevant e-mails? 12
  • 13. As GFI MailArchiver does not support or Software security allow for restricted access based on Is there an authorisation concept that allows for labels, it is advisable to install an a determination of the required separation of organisational procedure for labelling tax functions and the assignment of access rights? relevance to ensure separation of data Are adequate access controls available at the within the archive prior to a tax audit (e. g. following access levels: systematic designation of tax relevance using the manual method for individual operating system labelling). MS Windows including Active Directory, web server and MS Exchange Server In a further step, an export based on such labels followed by a subsequent reimport database system into a dedicated archive store can be MS SQL Server conducted in preparation of a tax audit. In archiving software this way a tax auditor is granted GFI MailArchiver 6 comprehensive access to exclusively tax- relevant e-mails based on labels. Process documentation Are all settings regarding the parameterisationRetention and deletion of software and interfaces properly Is it ensured that no retention policies are documented? defined that cause a deletion of archived Are all interfaces between the particular e-mails prior to expiration of the statutory components of the archiving solution (e. g. retention period? designation, source/destination system, Some tax-relevant e-mails – in certain interface content/type, matching) documented cases – may contain information that in a comprehensible manner? requires a retention period of ten years. Are the interfaces between the archiving Therefore it is advisiable to refrain from a solution and other software systems of the policy-based determination of the retention company (e. g. ERP system or financial period by means of the retention policies accounting system) with regard to referencing of GFI MailArchiver to the extent that they business transactions documented in a do not correspond with the longest comprehensible manner? statutory minimum period for retention. Are operating instructions for users available that allow for proper performance of their 13
  • 14. activities including the manual controls and Is it ensured that changes to the e-mail matching (operational documentation) archiving solution are only applied subject to an provided by the procedure? orderly procedure (change management)? Is a description of the applied components IT operations available that illustrates the technical Are the IT operations (controlled and architecture of the archiving solution and emergency operations) properly defined in how the operational requirements are organisational instructions (e. g. tasks and realised (technical system documenta- authority of administrators, rules for change tion)? management and the administration of storage Are operating instructions for IT personnel media)? available that allow for proper performance Has an emergency concept been prepared for of controlled operation (e. g. backup and a possible failure of the archiving solution (e. g. restoration manual)? disaster recovery and contingency plan)? Is it ensured that the documentation of all Are suitable data backup and data backup effective procedures is archived as a safekeeping procedures defined and are document subject to retention? regular verification tests scheduled concerningImplementation and change effective data recovery? Is ensured that the compliance and Outsourcing security of the applied systems and When engaging an external service provider to software are subject to functional and operate the archiving solution (outsourcing), is technical test procedures prior to the initial it ensured that the requirements regarding operation of the archiving solution? compliance and security are guaranteed by the Is a test procedure defined and service provider? documented and do the test cases allow Appropriate contractual provisions and service for a verification of the requirements level agreements are required. regarding compliance and security? Is a release procedure defined and documented that contains rules on release competencies and are release approvals for all components of the archiving solution available? 14