Lotus Notes and the GDPR conundrum
GDPR is the compelling reason to finally migrate legacy data held in Lotus Notes
Many organizations have yet to start the process of migrating their data and applications away from the Lotus Notes platform, and while there are many reasons as to why this is so, probably the two key ones are a truly compelling event that forces the issue and a lack of expertise. This is according to Jon Pyke, CEO, CIMtrek Ltd.
“That compelling event is the General Data Protection Regulation (GDPR), which becomes UK law on 25th May 2018. It is compelling because organizations are expected to create a single view of a customer – leaving data in old Notes databases is likely to render users non-compliant,” stated Jon.
The proposed new EU data protection regime extends the scope of the EU data protection law with a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
“The information commissioner (ICO) in the UK has created a useful guide[1] with twelve steps in place to help address any personal data issues that an organization might have. Awareness of the impact GDPR is a real issue especially with the SME marketspace[2]. A recent Close Brothers study of 900 small and medium-sized enterprises (SMEs) from across the UK and Ireland claimed that just one in four has started preparing for it, while only one in three is aware of the implications of GDPR. Furthermore a recent survey by international law firm Paul Hastings[3], most top UK and US firms are still overestimating their state of readiness,” he added.
“Lack of expertise is easy to fix, there are organizations that can still provide expertise in assisting organizations off of Notes, although the numbers are dwindling rapidly. However, if you chose to proceed it is worth finding a consultancy with a technology set that follows the same methodology as proposed by Gartner. These are the steps Lotus Notes users need to consider to help you to comply with the new law when it comes into force,” he continued.
Discovery
Before anything else happens you need to get a concise and accurate picture of your Notes environment. You need a process that and technology that accesses your Notes estate and provides you with a complete list of all the NSF files you have. As a result you will have a detailed breakdown of applications structure and content.
By analysing the output presented you will quickly discover which databases are affected by the new laws thus enabling you to pick which to archive and which to replace in order to remain compliant.
Data extract
A key area of importance to the GDPR compliance directives is being able to get to all the data that is held on an individual so that, for example, a request to be forgotten is executed with a high degree of certainty. This means that getting data out of the Notes databases into an easily searched Relational Database is critical.
“It goes without saying that there are many ways to extract data from Notes. organizations can spend many, many man hours creating Notes scripts to extract the data. This approach is labour intensive, expensive and time consuming. The scripts themselves are straightforward enough to develop but before they are written and thoroughly tested there is an entire process of analysing the structure of the Notes database to determine what is extracted, what is ignored, how it is structured and where it is going to go. Phew, you get the idea!!” continued Jon.
Once the IBM Lotus Notes side of it is done, you then need to design the SQL database, deploy it and write more scripts to populate it with the data. You may even need a different consultant, someone who understands SQL. This all adds time and cost to your project and to do it properly typically take several days per application just to get the data migrated. Then there is designing, testing, executing, rewriting and doing it again and again until it works.
“But there is a better way of extracting the data. Technology exists that takes the majority of the manual effort away and provides a more automated and, more importantly, repeatable process. This allows you to extract the data in hours instead of months. The most common approach that we see from our customer base is to extract all data, metadata, attachments, ACLs etc. into a Microsoft SQL or MySQL database.”
“This enables them to automatically use the existing application “structure” to define the database. Also any attachments associated with the NSF are automatically linked and can be stored anywhere. If a database is not required then another potential automatic option is to extract the data in XML format - the schema can be adjusted to enable ingestion of the data by an application such as MS Dynamics CRM. Also it is possible to take all attachments and squirt them into a Document or Content Management System (DMS or CMS) such as Alfresco.
Archiving
Part of the process of moving off of Notes and retaining data can entail building a searchable archive. Automated archiving solutions exist that will systematically extract data (attachments, RTF’s, images, etc.) from any number of Notes Databases and make them available to view without having an application to access them, whilst at the same time mirroring the structure of the Notes application and document database.
The resulting archive structure can then be imported into a full archiving solution for future use as and when required.
“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign organizations processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European organizations to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide revenues. As Y2K was to COBOL so GDPR is to Notes,” he continued.
If your organization is still using Lotus Notes then you cannot afford to ignore GDPR
Find out more about our unique GDPR solution for Notes users at https://cimtrek.com/lotus-notes-applications-ready-gdpr
[1] https://ico.org.uk/media/for-organizations/documents/1624219/preparing-…
[2] https://bespinlabs.blogspot.co.uk/2017/12/gdpr-compliance-sky-is-fallin…
[3] http://www.computerweekly.com/news/450432510/Top-UK-and-US-firms-still-…