GDPR-compliant archiving

Since the GDPR came into force, IT managers and compliance managers have been faced with the challenge of meeting the high demands on data management. The penalties are high: up to 4% of the global annual turnover or 20 million euros in the case of a serious violation of the GDPR.

Many companies have not yet taken the appropriate measures for archiving in accordance with the GDPR. The incidents of the past years show that some pitfalls in data archiving result in penalties of record amounts - but are avoidable.

An example for a company acting too late is the housing association Deutsche Wohnen. The housing association was sentenced to a sum of 14 million Euro at the end of 2019. An important reason for this: The archive system had no delete function. As a result, personal information of customers and interested parties was stored for years, even if there was no longer a tenancy or the reason for the data processing had expired.

Sanctions are getting continuously tougher. There is still an urgent need for action, even months after GDPR came into force. But how is it possible that companies get into such a situation? Here we’ll tell you the 5 pitfalls which organizations have to avoid.

1. Meeting retention requirements (retention management)

Companies are obliged to indicate at the time of data collection how long personal data will be archived. These retention periods are usually based on periods which are defined by other regulations, such as the GoBD.

Certain data have to be provided with a timestamp (retention period), and may/must only be deleted after this period has expired. During this period, the data must be archived in an unchangeable form, and protected from deletion. What possibilities for retention management are offered by your business applications or archiving software?

Through additional WORM (Write Once Read Many) protection mechanisms, deletion, manipulation, or changeability within the retention period is not possible.

2. The right to be forgotten: Deleting data within the retention period

It sounds paradoxical, but it is clearly regulated by the GDPR: the right to be forgotten or the right to deletion. On this point, two contradictory requirements come together. On the one hand, your archive must guarantee that data will not be deleted or changed for a certain period of time. At the same time, you have to find a way of breaking this rule in the case where, for example, a person withdraws his or her consent to data processing by your company.

A special delete function and a clearly defined, compliant deletion process enables you to master this balancing act and so delete archived data correctly before the retention period expires.

3. Public cloud and data security

Cloud computing is becoming a general standard in companies. Today, around 50 percent of corporate data is stored in the cloud.

The more data flows into the cloud, the more complex it will become to ensure data security. In 2019, for example, in almost every second company breaches of data security were determined - including cases in which sensitive data was stored unencrypted. In addition, your cloud provider must also implement the GDPR regulations so that your archived data can be stored compliantly.

So please also consider on-premise alternatives. This way, you retain sovereignty over your data and have more control over data security. With modern software-based solutions you also have the same advantages as cloud storage options at significantly lower costs, as a recent ESG study shows.

4. Recording changes and manipulation attempts

If an error or manipulation attempts occur in your archive system, it is important that you are able to prove these. The documentation of your data processing becomes increasingly important.

A so-called audit trail is used here, which records all processes in your archive. This includes the production, storage, maintenance, use, and disposal of all data records. With the help of this documentation, you have the possibility to precisely localize the causes. At the same time, it records which user can be assigned to an event. A timestamp also tells you when an event took place. Of course, users don’t have access to the audit trail, as this must be protected against manipulation too.

5. Integrity protection and permanent data consistency

Don't forget that errors can occur during archiving operation and data storage (keyword bit rot and silent data corruption). In order to protect the data integrity permanently and efficiently, certain automatisms are required to detect these errors and, at best, to solve them directly.

Imagine, for example, a pharmaceutical company which is about to launch a medication onto the market. The regulatory authority examines the safety of this medication, but can’t grant a marketing authorization because important data for quality control are no longer readable or are missing. Your archive solution must be able to identify these errors. With a Self-Healing function of replicated data and automatic hash value checks, damaged records can be identified and replaced with the valid record.

The GDPR is more than just a documentation task. It involves both IT infrastructures and the optimization of archive systems. It is worth investing in a GDPR-compliant IT infrastructure because data breaches can become expensive. Breaches can be punished with 2 % of the worldwide turnover or with a 10 million Euro fine, for serious GDPR breaches with even 4 % or 20 million Euro.

Do not get caught out with these avoidable pitfalls. If you haven't already done so, prevent it by revising your processes, creating the necessary infrastructure, and storing and archiving your data in compliance with the German Data Protection Act (GDPR).

Software-Defined Archiving (SDA) provides openness, scalability and cost effectiveness. SDA provides the functional software layer between 120+ business applications and the storage hardware. See how our solutions help you to design your data storage GDPR-compliant:

• KPMG certified solution
  KPMG checked and certified iTernity technology for GDPR-compliance.
• Data integrity
  Our solutions ensure data integrity by storing all information (data, meta data, hash values) in self-sustaining secure archive containers.
• Encryption at Rest
  Our solutions support AES-256 encryption to prevent unauthorized access.
• Separation of clients, user data and meta data
  Multi-client capability enables a secure separation of archived data in different repositories. The user data and meta data are strictly separated.
• Access control
  All access attempts to archive objects are documented in audit logs. Only authorized users get access to personal data.
• Retention management
  Timestamps, lock concept and WORM functionality guarantee a secure data retention to meet various legal requirements.
• Data consistency
  The Self-Healing functionality allows to store data on several paths (replication). Damaged objects can automatically be identified and replaced to ensure data consistency and integrity on all paths.