Servicing GDPR Requests with LISTSERV and PowerShell
By Nathan Brindle Senior Product Engineer, L-Soft
The EU General Data Protection Regulation (GDPR) went into effect May 25, 2018. The GDPR applies to any organization regardless of where the data is processed. All organizations should determine whether they are processing personal data of EU residents. The GDPR encompasses all industries and sectors.
The GDPR requires, among other things, that an organization must be able to provide on demand a report in a common machine-readable format (such as XML), listing every instance of a customer's personal data held by that organization. For LISTSERV, that can be a tricky prospect because personal data may be held in list archives, in change-logs, and of course in subscription lists themselves. It may also be bundled together with third-party user data (for instance, in archived postings). L-Soft has developed a Microsoft PowerShell-based script to assist you with this process.
The script, using either the LCMD.EXE or LCMDX.EXE command interfaces that ship with the Windows version of LISTSERV, can pull the relevant data using standard LISTSERV commands and methods, and produce an XML report containing the results. While the script itself is Windows-specific, by using the LCMDX.EXE option (which communicates directly with the server's TCPGUI port), it is possible to generate reports from any Unix-based LISTSERV site as well, provided the site has the LISTSERV web interface enabled.
The script also works under Microsoft PowerShell Core 6.1, making it possible to run the script from Linux and MacOS workstations by using the Unix version of 'lcmdx'.
What Data is Included in the LISTSERV GDPR Report?
The complete XML report includes the following:
- A list of the lists on the server to which the target address is currently subscribed
- A list of all postings found in each subscribed list's archives (if the list has archives) that were originated by the target address, including the post number, date/time, subject, and a GETPOST command for each 100 postings found for retrieval of those posts
- A list of all lists on the server for which the target address is currently a list owner, a list editor, and/or a list moderator
- A list of all list-level changelogs on the server that contain references to the target address
- A list of registration data held by LISTSERV, which contains the target address or the registered full name associated with it
- (Optional) A list of all references found in the SYSTEM.CHANGELOG and any NOLIST-*.CHANGELOG files that exist on the server
L-Soft's perspective is that this constitutes a reasonable search through LISTSERV data that does not expose third-party personal information to the requestor, although we strongly recommend that each report be analyzed for any inappropriate data prior to being sent on to the requestor.
Downloading the Script and Associated Files
The script is available for download from http://download.lsoft.com/downloads/gdprscan/gdprscan.zip and comes bundled with copies of LCMD.EXE, LCMDX.EXE, and lcmdx.c (source code for Linux/MacOS) for users' convenience.
Note that we don't provide an executable copy of lcmdx for Linux/MacOS because it's usually best to compile and link the code locally against your existing libraries. Instructions for compiling/linking lcmdx are included in the setup guide.
Complete instructions for installing, configuring and using the script to produce GDPR reports are included in the package.
Prerequisites
- For Windows, a reasonably recent version of PowerShell (5.x or later is preferred). For Linux or MacOS users, the latest version of PowerShell Core should be used.
- LISTSERV 16.5 or later, with a build date of April 9, 2018, or later, is required in order to run change-log reports. Earlier builds will produce a message in the XML stating that change-log reports cannot be run because the installed LISTSERV version does not support them.
- LISTSERV postmaster-level access is required to run the comprehensive, server-level reports.
- List owners may use the script to run reports against lists they own. However, such a report may not fully meet the GDPR criteria if the target address is subscribed to lists on the server that are not owned by the script invoker.
Support
Customers who have current LISTSERV maintenance may request help and report problems with the script at: support@lsoft.com.
Sample XML Report
Disclaimer
This content is for informational purposes only and should not be considered or construed as legal advice. Please consult with your organization's legal counsel for guidance. Compliance is the responsibility of each organization.
Subscribe to LISTSERV at Work.
|