Why your Lotus Notes backup isn’t enough – How Lotus Notes backup and incomplete migration can ruin your credibility (and how to avoid it)
By Karen Martin
Incomplete migrations from Lotus Notes Domino are more common than one might expect.
Normally, companies should carefully consider compliance requirements when deciding how to archive legacy data while migrating off Lotus Notes Domino. But how many companies plan this in time, and how often is compliance an afterthought? And finally, what if you inherit a pile of NSF files from IT colleagues who have left the company?
This is a common story about how inactive, cold data suddenly becomes a hot potato.
How to back up or archive a Lotus Notes database
We need to draw a clear line between creating backups and archiving. The purpose of creating a backup is data recovery, not long-term retention. The lifespan of a backup is typically short, as it is overwritten by a new copy in the next backup cycle. The new copy reflects all changes in operational databases (including deletions of personal data) within that cycle, so there is no need to intervene in the backup itself. (Read more about Domino built-in backup and restore.)
An archive, on the other hand, refers to a collection of historical records (Notes documents in this case). Its purpose is to provide long-term retention and future reference. These collections should also allow authorized users to delete selected records, be it at the data subject’s request or at the end of the retention period for specific records (see also: Lotus Notes archive: NSF vs. Stand alone archive).
You cannot rely on a standard Lotus Notes backup if you want to ensure long-term access to historical data.
The Lotus Notes Domino legacy
Over the last 30 years, Lotus Notes, followed by IBM and HCL Notes/Domino, have been organizational workhorses. Companies in every industry have used them to create countless applications and databases.
Every application will eventually be replaced by newer solutions. Typically, when companies migrate off Lotus Notes Domino, they transfer critical data to new systems, and archive the rest for reference, compliance, e-discovery or research purposes.
Many companies choose to preserve access to legacy application data by simply maintaining the Lotus Domino servers and Notes clients indefinitely. That may work for reference and research purposes for a while, but as time goes on, the costs and risks increase: scarce Domino expertise, licenses, and maintenance updates of the legacy environment.
So a company may decide to back up and archive all those inactive Lotus Notes Domino databases. In practice, that usually means storing hundreds or even thousands of discrete NSF files.
This seemingly good idea is likely to be an expensive choice for companies subject to GDPR-like privacy laws.
The privacy laws give new rights to data subjects, such as the Right to Be Forgotten, that will require easy access to archived data. Companies may find that legacy databases will significantly raise the cost of complying with data subject access requests (DSARs).
The cost of compliance
These laws are proliferating rapidly. On March 5th, 2021, Virginia, the self-proclaimed Internet Capital of the World, became the latest U.S. state to pass a privacy law: the Consumer Data Protection Act (CDPA).
Like the California Privacy Rights and Enforcement Act (CPRA) and the GDPR, it gives data subjects rights over personal information collected by businesses and other organizations. Data subjects may request that an organization provide them with a copy, in a “commonly used electronic form,” of any personal information a company has collected about them. They may also request that the company amend or delete their personal information.
The CPRA will only apply to data collected after January 2023, but the GDPR and the Virginia CDPA appear to apply retroactively to older data. That means companies subject to these laws may frequently need to search, copy, update and delete archived data. They can no longer store it and forget it.
Complying with DSARs can be extremely expensive. One widely cited report estimated that UK businesses spend an average of £1.59 million and 14 person-years annually to process them.
The IAPP-EY Annual Governance Report 2019 found that over half the companies surveyed received requests to access personal data and requests to delete it. They also reported that the most difficult DSARs to process were those that required searching for unstructured personal data.
Legacy risk: Lotus Notes backup
This makes legacy Lotus Notes and Domino applications a compliance problem. They store semi-structured data in a NoSQL document database (NSF file). To begin with, you need to have Lotus Notes installed in order to search these records for specific personal data. Then, you need to know where to look (remember the discrete NSF files?). And once you’ve found the data, it needs to be converted to a commonly used electronic form (remember that the data subject can request a copy?).
A typical question that arises at this point is:
What about the data stored in Lotus Notes backups?
While you may be able to find and extract data from a Domino database in active use in a timely manner (by using additional conversion tools), pulling data from inactive databases or backups will be a much more difficult, if not impossible, task.
Privacy laws generally don’t offer an exception for personal data contained in backups. The regulations apply to all personal data that an organization holds, with no exceptions. But it would be extremely impractical to find (not to mention delete on request!) individual records or documents in a backup, especially when the backup is sitting on a tape or in cold storage in the cloud.
Additionally, if a company is preserving old Lotus Domino servers and databases just to archive legacy applications, those legacy systems may become vulnerable. It is difficult enough to keep active systems updated and patched; legacy systems are less likely to be patched and upgraded. Under these new privacy laws, data breaches of any system containing personal information can lead to heavy fines. Legacy systems increase the risk of data breach fines.
In short, inactive data in legacy systems may do a company more harm than good.
Time to separate backups from archives
If legacy data is worth keeping, the standard Lotus Notes backup isn’t enough. The data should be converted to commonly used electronic formats, such as PDF and XML, and stored in a well-protected and maintained archive. It will be gone from active systems, but not forgotten — unless the data subject requests that it be deleted.
Therefore, it’s not about creating a backup from a Lotus Notes database. The real question is: “How do I archive a Lotus Notes database?” We recommend creating a standalone archive that is completely independent of the original platform.