The arrival of GDPR is set to unearth hidden threats in corporate e-mails systems, leaving poorly prepared organisations battling a tsunami of paperwork.
It’s well known by now that—Brexit or not—the EU General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Businesses offering services to EU citizens, regardless of whether they hold any data in the European Union, will have to adopt more stringent rules than the ones currently imposed by the U.K. Data Protection Act.
The biggest headlines to date have been reserved for the big numbers—those eye-watering fines that could come raining down on the unprepared or the plain incompetent. Given the scale of the potential penalties, that’s understandable enough. So too is the tendency, in offering solutions, to point to the need to appoint data controllers and develop GDPR compliance strategies.
However, too little attention has been given to less obvious, more practical risks—and there are plenty. These risks not only open the possibility of incurring those severe penalties, but also create day-to-day organisational issues—including potentially huge administrative burdens—that could be costly and distracting.
Check your inbox (and your archive). E-mail is just one example, but one that is well worth paying attention to. Corporate e-mail systems, including ever-growing archives, likely harbour personal and “sensitive personal data,” as defined by GDPR.
For instance, anyone who has ever organised a corporate event has probably collected information from attendees, including dietary requirements. It’s likely that both individual responses and collated data reside in e-mail—across inboxes, personal folders, and archives. The issue here is that those responses could be used to identify individual religious beliefs and, thus, represent sensitive personal data. Right now, however, no one in compliance knows it exists, where it is, to whom it refers—and even whether it is sensitive.
That, of course, first creates a security issue—one that is more pressing given e-mail’s status as the vector of choice for those seeking to access corporate systems. But there is a wider issue, too, one that is not limited to sensitive data.
Some of the significant, yet less discussed, changes brought in by GDPR centre on Subject Access Requests (SAR). In and of themselves, SARs are not new; a citizen’s right to access information held by an organisation has long been enshrined in the Data Protection Act—itself the U.K. implementation of a previous EC directive.
GDPR moves the goalposts in stipulating a time limit of one month to comply with a SAR and—perhaps most significantly—in removing the organisation’s right to charge a fee (at least for a first request).
For many, the £10 (U.S.$12.9) access charge that is currently allowed represents an important barrier, one that dissuades citizens who are only vaguely interested in the outcome from bombarding organisations with SARs. That no such hurdle will exist under GDPR leaves organisations exposed to the potential for an exponential increase in SARs—and remember, regardless of volume, they’d have one month to comply.
Frankly, it is not beyond reason to imagine the organised, mass use of SARs as a form of protest against unpopular organisations, a kind of administrative DDoS attack. The question, then, is whether organisations are currently equipped to cope with hundreds or thousands of SARs, bearing in mind the need to include e-mail and e-mail archives in the discovery, disclosure and, let’s not forget, erasure process.
A pain in the archive. It seems likely that responding to a SAR will include a requirement to rapidly identify and isolate all copies of all personal data relating to a particular data subject across the entire e-mail system, including the archive. That is going to be particularly painful for organisations that maintain backup tapes, but anyone with an e-mail archive that does not allow rapid search and tagging is also going to struggle.
Research carried out by Mimecast found that seven percent of 150 U.K. IT decision-makers said their e-mail system did not contain personal or sensitive data. Meanwhile, 69 percent said they believed it contained personal data, 62 percent expected sensitive data to be present, and 44 percent said both were probably tucked away in e-mail systems. The reality is that almost all e-mail servers or archives will contain both personal and sensitive data.
The picture wasn’t much better when it came to retrieving that data. A fifth of those who believed relevant data would be present said it would take at least 12 hours. On average, the process seems likely to take seven hours per request. Multiply that by even a hundred simultaneous requests and you have a burden stretching to 700 hours, equivalent to months of work, plus related costs and disruption.
A cloudy outlook. As is so often the case these days, the solution for many organisations will be in the cloud. Let’s be clear, simply moving away from tape or other physical storage, whether on site or not, and stuffing all of those historical e-mails in a cloud repository is no kind of answer. Any such move must be part of an e-mail archiving strategy, one that identifies the critical capabilities that any such move must deliver for GDPR compliance, not just the usual cloud-based capital expenditure savings.
Security, too, must be a primary consideration. Not just archive encryption, but wider security services to guard against targeted, e-mail-borne impersonation attacks, weaponised attachments, and malicious URLs. The e-mail system as a whole will need a comprehensive front-line defence if personal data is to be fully protected.
Then there is the thorny issue of coping with SARs. Any move to cloud archiving must deliver the fine-grained control and powerful search capabilities required to quickly identify, isolate, and retrieve personal data, and the option to delete it in the event of an opt-out request.
Organisations, therefore, need to consider their choice of data processor very carefully. Due diligence must examine appropriate security and continuity best practices and international standards. Meanwhile, cloud e-mail providers also need to offer an archive search SLA (service level agreement) that ensures employees can manage compliance, litigation, and e-Discovery requests quickly.
SARs represent a real, pressing, and practical issue for virtually all firms whose e-mail systems hold GDPR-governed data. It is, of course, also an opportunity to finally deal with the outdated e-mail archives that are the heart of the issue and whose replacement is long, long overdue.
Alan Kenny is a general manager, Europe, at Mimecast, an e-mail management cloud services provider.