FAQ - GDPR Toolbox

On this page, we have compiled the most common questions for the GDPR Toolbox. You are of course always welcome to contact us at gdprtoolbox@itm8.com if you do not find the answer to your question below.

Please note that your company may have chosen settings for the GDPR Toolbox that differ from those described in the FAQ below.


What is GDPR?

When did the GDPR come into force?
On May 25th 2018, the EU Personal Data Regulation called the General Data Protection Regulation (GDPR) became effective throughout the EU. Companies, public authorities and organizations processing personal data must now comply with the new regulation.

Why GDPR?
The purpose of the GDPR is first and foremost to create security around personal data. The GDPR requires organizations to protect personal data through organizational, administrative and technical measures, and this protection must be documented.

Are you in doubt about how to deal with the GDPR?
Our best recommendation is to contact your immediate manager.

GDPR Toolbox

It is a solution that ensures that GDPR data in emails and files is identified and handled. The solution automatically scans each employee's data for GDPR content and makes it easy and clear to handle that data.

The solution is constantly scanning for new GDPR data.

Users receive a new notification email every month, but the link in the notification email can always be used to view the current status.

Some people should not be scanned for GDPR data:

  • Union representative - Scanning a union representative's emails is not allowed unless you have the person's written permission. You must therefore either obtain that permission or not select the union representative for scanning.
  • Leave, maternity leave or long-term sick leave - Be aware that users on leave, maternity leave or long-term sick leave do not read the notification reports that are sent out. This means that their GDPR emails could potentially be deleted without their having assessed them*. They may therefore need to be left unmarked for scanning or removed from the scan list. You can change your decision by adding/removing them in the AD group or by notifying gdprtoolbox@itm8.com

* Note: Your company chooses whether Automatic Deletion of GDPR-related mails / documents should be activated.

The solution scans according to a wide range of criteria, based on the Danish Data Protection Agency's guidelines for what counts as GDPR-related content:

  • Sensitive information
    • Health information
    • Trade union membership
    • Ethnic and religious beliefs
    • Sexual orientation
  • General information
    • PII pictures (Personally Identifiable Information)
    • Travel information
  • Confidential information
    • CPR number & national ID numbers from 20+ European countries
    • Danish driver's license & those of 20+ European countries
    • Danish passport & those of 20+ European countries
    • Written warnings
    • Annual accounts
    • Salary / Loans
    • Application / Job offer / CV
    • Commissions / Bonus Agreements
    • Termination
  • Criminal offenses
    • Criminal record
    • Offenses, fines, convictions

An insight search for a specific person (by name / civil registration number) can be requested from the team behind GDPR Toolbox.

For help with this, write an e-mail to gdprtoolbox@itm8.com.

The established procedure is then followed together with your company's contact person responsible for GDPR Toolbox.


Notification e-mail

Every month, a notification email is sent out to users.

The link to the notification report is the same in every mail, so you can always use it to check your current status.

You can save it in your browser and use it whenever you want to check your GDPR status, also in the middle of the month.

You can also share it with your colleagues in the organization. It is your AD login that determines what you get access to.

A notification email is sent for each of the data sources scanned and contains a link to its report. The emails have the following subject lines:

  • GDPR Toolbox rapport (for Mail + SharedMail + OneDrive + SharePoint)
  • FileShare – GDPR Toolbox rapport (for Professional customers)

 

GDPR Toolbox cannot issue a new notification report with a link to an individual user.

We can send out a new notification report to everyone in the company; otherwise the user has to wait for the next automatic sending on the 7th of the next month.

But you can share your link with your colleague. It is your AD login that determines what you can see in the notification report.

Every month we send out notification emails to those users who have potentially GDPR sensitive emails.

It is important to check who the mail is from, as attackers also send emails to phish for data.

If you receive a notification email from GDPR Toolbox, then the header should look like this:

From: gdprtoolbox@itm8.com
Sent: Jan 1, 2024 4:03 pm
To: XXXXXXXXX
Subject: GDPR Toolbox report

Genuine mails are sent from gdprtoolbox@itm8.com.
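As an added example (not part of the FAQ and not code from the GDPR Toolbox product), the following Python function performs the sender check described above on a raw message: it compares the actual From address, never the display name, against gdprtoolbox@itm8.com and flags a From header that shows more than one address. The sample messages are constructed here for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Sender named in the FAQ for every genuine notification e-mail.
EXPECTED_SENDER = "gdprtoolbox@itm8.com"

# Any mailbox address appearing anywhere in the From header text.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The address in angle brackets, i.e. the mailbox the mail really came from.
ANGLE_RE = re.compile(r"<\s*([^<>\s]+)\s*>")


def decode_from_header(value):
    """Decode RFC 2047 encoded-words so nothing in the display name stays hidden."""
    return str(make_header(decode_header(value or "")))


def check_notification_sender(raw_message, expected=EXPECTED_SENDER):
    """Return (ok, reason) for a raw RFC 822 message (headers, blank line, body).

    ok is True only when the From header contains exactly one mailbox address
    and that address (the one in angle brackets when present, never the
    display name) equals the expected sender, compared case-insensitively.
    """
    msg = message_from_string(raw_message)
    from_value = decode_from_header(msg.get("From"))
    addresses = {a.lower() for a in ADDR_RE.findall(from_value)}
    if not addresses:
        return False, "no mailbox address in From header"
    angle = ANGLE_RE.search(from_value)
    actual = angle.group(1).lower() if angle else next(iter(addresses))
    if len(addresses) > 1:
        # A display name that itself looks like an address is the usual way a
        # mismatch is hidden from a quick glance; report the real address.
        return False, f"From shows several addresses; real sender is {actual}"
    if actual != expected.lower():
        return False, f"unexpected sender {actual}"
    return True, f"sender is {actual}"


# Constructed sample messages (not real mail) covering the three outcomes.
GENUINE = (
    "From: GDPR Toolbox <gdprtoolbox@itm8.com>\n"
    "Date: Mon, 1 Jan 2024 16:03:00 +0100\n"
    "To: user@example.com\n"
    "Subject: GDPR Toolbox report\n\n"
    "Your notification report is available via the usual link.\n"
)
LOOKALIKE_DISPLAY_NAME = (
    'From: "gdprtoolbox@itm8.com" <notifications@example.net>\n'
    "To: user@example.com\n"
    "Subject: GDPR Toolbox report\n\n"
    "Please open the attached report.\n"
)
OTHER_SENDER = (
    "From: IT Support <helpdesk@example.net>\n"
    "To: user@example.com\n"
    "Subject: GDPR Toolbox report\n\n"
    "Click here to see your report.\n"
)


def classify_samples():
    """Run the check over the constructed samples; returns {name: (ok, reason)}."""
    samples = {
        "genuine": GENUINE,
        "lookalike_display_name": LOOKALIKE_DISPLAY_NAME,
        "other_sender": OTHER_SENDER,
    }
    return {name: check_notification_sender(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in classify_samples().items():
        print(f"{name:24s} {'OK' if ok else 'SUSPECT':8s} {reason}")
```

The From header can itself be forged, so this reproduces only the user-level check the FAQ asks for; the authoritative check remains the mail gateway's SPF/DKIM/DMARC validation.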

Notification email contains a link that leads to a web page with the notification report, where you can see all the emails that potentially contain GDPR data.

This notification email comes from the GDPR Toolbox.

It is important to inform all users before the first sending that an email will come from GDPR Toolbox and that it is legitimate.

Users are warned again and again (and with good reason) not to click on links in emails from unknown senders.

There is a risk that users will delete the notification emails, because "they have learned to".

Therefore, an internal email must be sent out informing users that the notification email is legitimate.
 

Notifications are sent out once the company has decided to start. The e-mail is then sent once a month.

Experience shows that the period around the 1st of a month creates a lot of pressure for both customers and suppliers.

There are time registrations, month-end closing and invoicing, so there should not also be a notification email to deal with.

Therefore, we have moved the sending of the monthly mail to the 7th of the month.

It is always possible to use the link in an old email to access the GDPR portal, but the mails themselves are sent on the 7th of the month.

Each user receives the notification e-mail in their personal mailbox. It contains information about Mail, OneDrive and any shared mailboxes you are responsible for. Separate notification emails are also sent for SharePoint folders that are included in GDPR scanning.

Best practice is to only send emails to the people who have potentially GDPR sensitive data. Therefore, emails are only sent to users who have potentially GDPR sensitive data.

If you get a notification email and think your notification report is empty, check whether you have data in the Delete Now, Private or Dispensation tabs. There may still be GDPR data in these tabs.

Each notification e-mail contains a link to the GDPR Toolbox server, where it is possible to see which documents potentially contain GDPR data for the individual user.

It can be shared between colleagues, as the link is the same. It is your AD login that determines what you can see in GDPR Toolbox.

The link is the same in every notification e-mail, so it can be saved in your favourites and you can always check your GDPR data without waiting for the next notification e-mail.

Notification report

Access to the notification report can be obtained via the link in the notification email.

You get access to your Notification Report using your regular AD login.

When you click on the link in your Notification Email, a browser with a login page opens.

You must select "Sign in with Office 365" and enter your AD login information.

Note: It is NOT possible to log in by pressing Advanced Login.

Data must be at least 3 months old and contain one or more GDPR words to appear in the notification report.

Occasionally, GDPR-sensitive emails listed in the notification report are located in synchronization folders.

That folder can be hard to find in Outlook, so here is how to show it:

Tap the 3 dots below the mail folders in Outlook.

Select "Folders".

The synchronization logs folder is now shown together with the other mail folders.

It is hidden again by pressing the same option again.

Mails located here are mails that for one reason or another failed to sync in Outlook.
They can usually be deleted without further inspection.

 

The individual user has the following options for handling GDPR data:

  • Marking as "Misclassified" datasets (mail and documents) that are not actually related to GDPR data. A dataset marked "Misclassified" will not appear in future notification reports.
  • Marking as "Private" datasets (emails and documents) that relate to the user as a private person. A dataset marked "Private" will continue to appear in future notification reports, in a tab at the top of the report.
  • Marking as "Dispensation" datasets (mail and documents) whose information there is a need to keep. A dataset marked "Dispensation" will continue to appear in future notification reports, in a tab at the top of the report.
  • Marking as "Delete" datasets (mail and documents) that must be deleted now (deletion is performed by a run within a day).

If you are in doubt about how the remaining GDPR-related elements should be handled, contact the company's GDPR contact person.

The data set marked with "Misclassified", "Private" and "Dispensation" is still displayed in the report via the customer portal. See more under the item: Reporting / Customer portal

NOTE: Customer-specific configuration of the following may be agreed differently for your company.

Your company chooses whether Automatic Deletion of GDPR related mails / documents should be activated.

When an email / document has appeared in notification emails for 2½ months (3 times) because it contains GDPR data, it is deleted automatically if the user has not responded with a tag (Dispensation, Misclassified, Private or Delete Now).

This means that an email is at least 5½ months old before it is deleted automatically.
It only appears in a notification report once it is 3 months old.

When a customer is put into operation, there may be old data that needs to be handled, and it is not certain that everything has been processed by the start date.

Therefore, "Automatic Deletion" is not initiated until we are sure that the whole "backlog" has been processed and the customer has had a reasonable time to check old mails.

When GDPR Toolbox initiates deletion automatically, the age of the email is what counts: the mail must be older than 3 + 2½ = 5½ months.

When you click on the link in your notification email, you are asked to log in with your company AD username.

Once you have done that, the notification report opens (a Danish version is shown here):

The notification report is divided into 4 parts:

  • Tabs
  • Purpose text
  • Search field and filtering and quantity information
  • Handling of GDPR elements

See the following sections for each of these parts.

At the top of the notification report are the following tabs:

  • Data set – All potential GDPR elements that have not yet been processed. This is where your work takes place.
  • Deleted – All the emails you have deleted but which have not yet been deleted from your mailbox. Deletion runs once a day, so you have time to change your mind.
  • Private – All the items you have marked Private.
  • Dispensation – All the items you have marked as Dispensation. They remain here until you finish working with them and remove the "Dispensation" mark, after which they are moved back to the Data set page and can be processed like all other GDPR data elements.
  • Misclassified – All items you have marked as Misclassified. They remain here for a short period before GDPR Toolbox processes them and removes them from your list. You can undo a misclassification within approx. 5 minutes.

If you think you have handled all your GDPR data and therefore should not have an email with reminders, look in Private and Dispensation. There may be data that still has GDPR content.


Deleted data can be viewed by clicking on the Deleted tab:

 

Private data can be viewed by clicking on the Private tab:

 

Dispensation data can be viewed by clicking on the Dispensation tab:

 

The purpose text provides a quick description of what data has been found and what can be done about it. Use "Show more" to display the entire text.

On the right part of the page, information about the following is displayed: 

  • Number of GDPR elements displayed on the current page
  • The total number of your GDPR elements

You can search your GDPR elements by typing in the search field and pressing return.

The filter function is opened by pressing the three horizontal filter lines with bubbles (the filter icon).
The filter is visible by default.


It is then possible to filter by date or types.

 

You can select and deselect filters by clicking on them and fold the filter in by pressing 3 horizontal filter lines again.

 

The lower part of the Notification Report contains all the GDPR elements found for a given mailbox/folder/Site.

The notification report for a mailbox and OneDrive is displayed here, but there may also be additional Folder items for Shared mailboxes and SharePoint Sites for which you are responsible:

The location of your GDPR-related items is shown via the folder structure in the left menu.

It mirrors the folder structure you have in, for example, your Outlook "Inbox".

You can thereby handle GDPR items folder by folder.

 

It is possible to get a preview of the individual dataset if you press '+'.

Then the individual dataset is unfolded and you can see why it was marked as GDPR.

Afterwards you can close it again by pressing '-'.

Each individual piece of data can be marked with

  • Dispensation
  • Misclassified
  • Private

To mark a dataset, use the 4 options to the right of the element. The 1st (the folder) is Dispensation, the 2nd (the padlock) is Private, the 3rd (the prohibited sign) is Misclassified, and the 4th (the trash can) is Delete.

You can see the different choices by hovering the mouse over them.

 

You can also select several elements and handle them at once. A 'taskbar' opens at the bottom of the page, where you can choose an action:

By clicking a choice in the black bar, the chosen category is applied to every selected dataset at the same time.

It is also possible to delete one or more items at a time by selecting them and tapping the trash can. The elements are removed from the list and placed in the Deleted tab.

The system runs every night to delete the items from Microsoft 365 (Outlook, OneDrive, SharePoint) or the file server.

Onboarding guide and start-up

The individual user has the following options for handling GDPR data:

  • Marking as "Misclassified" datasets (e-mail and documents) that are not GDPR-related after all. A dataset marked "Misclassified" will not appear in future notification reports.
  • Marking as "Private" datasets (e-mail and documents) that relate to the user as a private person. A dataset marked "Private" will continue to appear in future notification reports, in a tab at the top of the report.
  • Marking as "Dispensation" datasets (e-mail and documents) whose information there is a need to keep. A dataset marked "Dispensation" will continue to appear in future notification reports, in a tab at the top of the report.
  • Marking as "Delete now" datasets (e-mail and documents) that must be deleted now (deletion is performed by a run within 24 hours).

GDPR Toolbox basically scans the Microsoft 365 applications Exchange (mails and attachments), OneDrive and SharePoint, and Teams sites (SharePoint sites).

Exchange Online Archive:
The Exchange Online Archive in Microsoft 365 is NOT scanned by default.
Feel free to contact gdprtoolbox@itm8.com for info about this.

If the GDPR Toolbox Professional version is used, on-premises file shares are also scanned.

The following are not scanned by default:

  • E-mails and documents that the company has excluded (e.g. HR folders)
  • Folders named "Private" in Outlook and OneDrive *1
  • The "Deleted Items" folder in Outlook. We recommend instead that a deletion policy be created for the folder *1
  • Meeting invitations in Outlook *2

*1 Private and deleted mail are not scanned by default, but it is possible to opt in to scanning this data as well.

*2 When a meeting invitation is deleted, it can send a "reply" to the sender.
This often confuses the sender, especially if it is an old meeting invitation or from an external sender.
 

The solution scans 24/7, and it scans in "chunks" across different users and different data sources.

It does this to accommodate as many users as possible, i.e. so that as many users as possible can start handling GDPR-related data as quickly as possible.
It is therefore not the case that one user is scanned "completely" before the solution moves on to the next user.

When a user is "finished", GDPR Toolbox still keeps monitoring this person's data, because:

  • Old emails may have been deleted in Outlook
  • New emails reach the age threshold (older than 3 months)
  • The scanning algorithms change *

* GDPR Toolbox is continuously updated and improved with regard to scanning algorithms.
GDPR legislation changes, and fine-tuning to avoid false positives is done constantly.
For example, 'Corona' was a Spanish girl's name in 2019, whereas it is now health information.

GDPR Toolbox allows you to make 1 or 2 PREVIEW reports.

A PREVIEW report means that 5 to 6 selected employees get a PREVIEW notification report before everyone else and they therefore have the opportunity to test and get to know the system before it is sent out to everyone in the organization.

Only the PREVIEW notification report for Mail is sent.

When the 5-6 people are selected, it is important to choose people who are likely to have GDPR data, as the solution only sends a report if GDPR data IS found for the individual user.

The 5-6 people are selected as part of the onboarding procedure, so that they can be started before everyone else and thus be further along in the scanning process.

The individual user receives an e-mail with a link to the GDPR Toolbox. Via the link, the individual user gets access to GDPR data related to the user's e-mails and documents.

Notification e-mails are sent once a month, but the link works all the time and the content is updated regularly. The individual user therefore does not have to wait until next month to review GDPR data.

Notification e-mails are sent separately for Exchange (mails), SharePoint, OneDrive and FileShare (GDPR Toolbox Professional).

One Office 365 account counts as one GDPR Toolbox account.

Both personal and shared mailboxes count as one user each in the GDPR Toolbox solution, which also covers scanning of the OneDrive belonging to the individual account.

SharePoint is scanned regardless of the number of accounts. 

We count the number of accounts each month, and this forms the basis for billing of the GDPR Toolbox.

 

Our support team can be contacted here: gdprtoolbox@itm8.com 

If your question concerns a specific email, we would like to know:

  • To
  • From
  • Subject field (if you have it - or as much as possible)
  • Date and time

 

It makes it easier for us to support you!

 

We handle scanning of users using a Microsoft Entra ID (formerly Azure Active Directory) group.

This means that off-/onboarding of users is done by adjusting the membership of that Entra ID group.

If you are in doubt about which Entra ID group we use for your company, please write to

gdprtoolbox@itm8.com

Note: On-prem solutions (Exchange servers and file scanning) and Online Archive scanning must, however, be handled by adding/removing email addresses in the GDPR Toolbox manually.

When a user is deleted in Office 365, the user is removed from the Entra ID (AAD) groups.

This means that the user is removed from the GDPR Toolbox and all scanning of this user's data stops.

Private folder in Outlook
Datasets (documents and emails) that are located in the Private folder in Outlook or OneDrive are not included in the Notification report and are not included in the GDPR Toolbox reporting.

Note:
It is your company's decision whether data placed in Private folders in Outlook or OneDrive should be included in the Notification report or not.

"Private" marked with a tag in the notification report
Elements marked "Private" are excluded from the main list in the notification report, but are shown in the tab marked Private and included in the GDPR Toolbox reporting.

 

When a mailbox / OneDrive folder is scanned, the notification email is sent to the owner of that mailbox / OneDrive, and it is the owner who can use the link to the notification report and process any GDPR items on the list.

When a shared mailbox is scanned, the notification mail is sent to the shared mailbox.

It is not possible to simply log in with your own AD login, as the link is tied to the shared mailbox's email address.

It is possible to set up one person responsible for handling shared mailboxes.
Write to gdprtoolbox@itm8.com for more information

It is possible to define the responsible for handling GDPR elements on existing SharePoint sites - this is done in the GDPR Toolbox onboarding procedure, where it is also possible to specify which sites may need to be omitted.

A 'Custodian Report' is sent to the GDPR Toolbox contact person or a person appointed by the GDPR Toolbox contact person.
In this special Custodian Report, it is possible to appoint someone responsible for the various SharePoint sites.

The person in charge of a SharePoint Site receives the notification email and can use the link to the notification report and process GDPR items on the list.

When new SharePoint sites are created in Microsoft 365, the notification email will by default be sent to the owner of the individual SharePoint Site and the owner can use the link to the notification report and process GDPR elements in the list. If it is not the right recipient, it is possible to change the owner using the custodian report.

If an owner of the individual SharePoint site has not been added to Microsoft 365, the site will be without an owner - an overview of owners of SharePoint sites can be seen via the GDPR Toolbox reporting on the customer portal.

Determination of responsible person in SharePoint takes place at Site level.

An Exchange/Outlook distribution list can be created so that more users can handle the GDPR elements on SharePoint sites.
This is not part of the GDPR Toolbox and is the responsibility of the customer.

 

In connection with the launch of the GDPR Toolbox, it is possible to define the person responsible for handling GDPR elements on existing Fileshare folders - this is done via the GDPR Toolbox Professional onboarding procedure, where it is also possible to specify which folders need to be omitted.

A 'Custodian Report' is sent to the GDPR Toolbox contact person or person appointed by the GDPR Toolbox contact person.
In this special Custodian Report, it is possible to appoint someone responsible for the various folders.

The person responsible receives the notification email and can use the link to the notification report and process GDPR items on the list.

When new Fileshare folders are created in Microsoft 365, the notification email will by default be sent to the owner of the individual FileShare and the owner can use the link to the notification report and process GDPR elements in the list. If it is not the right recipient, it is possible to change the owner using a custodian report.

If an owner of the individual file folder has not been set in Microsoft 365, the folder will be without an owner - an overview of owners of file folders can be seen via the GDPR Toolbox Professional reporting on the customer portal.

Determination of the person responsible for file folders takes place at folder level.

An Exchange / Outlook distribution list can be created so that more users can handle the GDPR elements on file folders.
This is not part of the GDPR Toolbox and is the responsibility of the customer.


Reporting / customer portal
 

When all users' data is being scanned, access is opened to reporting on the company's GDPR status via the customer portal. It gives an overview of the company's GDPR data (without access to the specific GDPR data) and the distribution of the different types of GDPR data.

Distribution of the various found GDPR data:

  • Distribution by types
  • Distribution over time
  • Distribution by users (e-mail addresses)
  • Distribution over datasets marked with "Misclassified", "Private" and "Dispensation"

GDPR Customer statistics: Overview

 

GDPR Customer statistics: Documents

 

GDPR Customer statistics: Users

 

GDPR Customer statistics: Risk

 

It is NOT possible to see the specific datasets, only the type and number and their distribution by user and sources.
 

User access to the customer portal

To access Customer Portal you must use this link:

https://itsm.itm8.com/HEAT/

Username is your email. If you don't know your password, click "Forgot password".
You will then receive an email with a link to set your password.

Once logged in, select the contract in "Contract Selection".
It must be the contract that contains the GDPR Toolbox.

You can then select the GDPR Toolbox report and view customer statistics
You can find the GDPR Toolbox Report by selecting "More..."; the GDPR Toolbox is listed there (it may appear as "Baseline GDPR Toolbox" in the list).

Your contact person gets a login to the portal.

More users can be given access: send an e-mail to gdprtoolbox@itm8.com and ask for access for additional users.

If you experience any problems accessing the GDPR report, then contact gdprtoolbox@itm8.com

Via the customer portal, GDPR Toolbox provides an overview of which SharePoint sites are included in and excluded from GDPR management.

If multiple SharePoint sites are created with the same name in Microsoft 365, then the respective SharePoint sites will also be with the same name in the GDPR Toolbox reporting.

GDPR Toolbox reporting provides an overview of who is responsible for GDPR management on the individual SharePoint sites.

Did you not find an answer to your question?


We are always ready to help you.

Contact your regular service provider by e-mail or phone.
Alternatively, you are welcome to write an email to gdprtoolbox@itm8.com.