PSTs and GDPR: Are you really in control of your information?

Posted by Darwin Lee on Sep 27, 2017 Last updated Mar 08, 2022

PST files and GDPR

If you want to watch your CIO visibly shaking in their boots, try mentioning PST files and GDPR compliance in the same sentence. The battle between IT departments and PSTs has been quietly raging for years and yet these pervasive – yet highly insecure – archives remain one of the most common problems plaguing modern enterprises.

Dealing with their eradication has proved so overwhelming in many cases that some businesses have simply chosen to ignore the existence of their PSTs altogether. Unfortunately for them, that head-in-the-sand attitude could put them at significant risk when GDPR officially kicks in on 25 May 2018.

What’s so risky about PSTs?

PSTs are risky in a whole world of ways, but these are the main reasons they’ve become one of IT’s most hated file formats:

  • PSTs are not officially supported on network shares and can only be opened by one user at a time – a real headache for team projects and processes like eDiscovery
  • PSTs often live on local disk drives that don’t get backed up automatically – a high risk of data loss if anything happens to those drives
  • Staff can take PST files home on laptops and removable drives, putting sensitive information and intellectual property at risk of being lost or misused
  • PSTs are a convenient and popular way to extract emails from a company system – another big DLP risk, particularly with departing employees
  • PSTs can be created by users on demand, which means they inevitably pop up all over the place and are a nightmare to keep track of
  • PSTs are very effective at hiding emails from centralised management, making them the ideal place for rogue employees to keep incriminating information or stolen IP
  • PSTs often contain undocumented email copies that escape official elimination/disposition processes, exposing businesses to unnecessary risk

With all those security flaws, you may be wondering how and why PSTs are still around. Much of it boils down to the scale and complexity of finding, analysing and successfully migrating all of your PST files – a project sufficiently daunting to bring out the procrastinator in the best of CIOs.

With the GDPR looming, however, the days of ignoring PSTs are fast coming to a close.

PSTs and GDPR – a ticking clock

Knowing where your data lives within your organisation is a primary building block for GDPR readiness, and PSTs are a primary stumbling block to it. After all, it’s tricky to prove that you’re treating sensitive information with the proper respect if you have no idea whether that information exists, who can access it, or where it might be – courtesy of our friend the PST.

Unresolved, that issue alone can leave an awful lot of holes in your security strategy, and is a sure-fire way to set yourself up for some hefty GDPR fines.

Addressing the PST problem in time

PSTs are, in all honesty, one of the trickiest things to track down, centralise and/or safely eradicate. That said, it is certainly feasible to address your PST problem within the GDPR deadline. It’s even theoretically possible to do it without driving your IT department completely insane.

The trick lies in using a targeted solution like Transvault PST Insight that enables in-place management as well as selective content-level migration to find and secure vital data and sensitive information without having to move all of the chaff along with the wheat.

Don’t get me wrong: it’s still going to be an intensive project that requires meticulous planning and implementation to do well. Given the alternative of €20 million fines for GDPR non-compliance, however, a little investment upfront could be well worth your while.