How incomplete Lotus Notes Domino migration can ruin your credibility (and how to avoid it)
By Karen Martin
Incomplete migrations from Lotus Notes Domino are more common than one might expect.
Normally, companies should carefully consider compliance requirements when deciding how to archive legacy data while migrating off Lotus Notes Domino. But how many companies plan this in time, and how often is compliance an afterthought? And finally, what if you inherit a pile of NSF files from your IT fellows who left the company?
This is a common story about how inactive, cold data suddenly becomes a hot potato.
The Lotus Notes Domino legacy
Over the last 30 years, Lotus Notes, followed by IBM and HCL Notes/Domino, have been organizational workhorses. Companies in every industry have used them to create countless applications and databases.
Every application will eventually be replaced by newer solutions. Typically, when companies migrate off Lotus Notes Domino, they transfer critical data to new systems, and archive the rest for reference, compliance, e-discovery or research purposes.
Many companies choose to preserve access to legacy application data by simply maintaining the Lotus Domino servers and Notes clients indefinitely. That may work for reference and research purposes for a while, but as time goes on, the costs and risks increase: scarce Domino expertise, licenses, and maintenance updates of the legacy environment.
So a company may decide to archive all those inactive Lotus Notes Domino databases.
In practice, that usually means storing hundreds or even thousands of discrete NSF files.
This seemingly good idea is likely to be an expensive choice for companies subject to GDPR-like privacy laws.
The privacy laws give new rights to data subjects, such as the Right to Be Forgotten, that will require easy access to archived data. Companies may find that legacy databases will significantly raise the cost of complying with data subject access requests (DSARs).
The cost of compliance
These laws are proliferating rapidly. On March 5th, 2021, Virginia, the self-proclaimed Internet Capital of the World, became the latest U.S. state to pass a privacy law: the Consumer Data Protection Act (CDPA).
Like the California Privacy Rights and Enforcement Act (CPRA) and the GDPR, it gives data subjects rights over personal information collected by businesses and other organizations. Data subjects may request that an organization provide them with a copy, in a “commonly used electronic form,” of any personal information a company has collected about them. They may also request that the company amend or delete their personal information.
The CPRA will only apply to data collected after January 2023, but the GDPR and the Virginia CDPA appear to apply retroactively to older data. That means companies subject to these laws may frequently need to search, copy, update and delete archived data. They can no longer store it and forget it.
Complying with DSARS can be extremely expensive. One widely-cited report estimated that UK businesses spend an average of £1.59 Million and 14 person years annually to process them.
The IAPP-EY Annual Governance Report 2019 found that over half the companies surveyed received requests to access personal data and requests to delete it. They also reported that the most difficult DASRs to process were those that required searching for unstructured personal data.
Legacy risk footprint
This makes legacy Lotus Notes and Domino applications a compliance problem. They store semi-structured data in a NoSQL document database. You need to have Lotus Notes installed in order to search these records for specific personal data, in the first place. Then, you need to know where to look (Remember discrete NSF files?). And once you’ve found the data, it needs to be converted to a commonly used electronic form (Remember that the data subject can request a copy?).
A typical question that arises at this point is, “What about the data stored in Lotus Notes backups?”
While you may be able to find and extract data from a Domino database in active use in a timely manner (by using additional conversion tools), pulling data from inactive databases or backups will be a much more difficult, if not impossible, task.
Privacy laws generally don’t offer an exception for personal data contained in backups. The regulations apply to all personal data that an organization holds, with no exceptions. But it would be extremely impractical to find (not to mention to delete on request!) individual records or documents from a backup, especially when the backup is sitting on a tape or in cold storage in the cloud.
Additionally, if a company is preserving old Lotus Domino servers and databases just to archive legacy applications, those legacy systems may become vulnerable. It is difficult enough to keep active systems updated and patched; legacy systems are less likely to be patched and upgraded. Under these new privacy laws, data breaches of any system containing personal information can lead to heavy fines. Legacy systems increase the risk of data breach fines.
In short, inactive data in legacy systems may do a company more harm than good.
Lotus Notes migration: gone but not forgotten
If legacy data is worth keeping, it should be converted to commonly used electronic formats, such as PDF and XML, and stored in a well-protected and maintained archive. It will be gone from active systems, but not forgotten — unless the data subject requests that it be deleted.