Archiving business data in compliance with GDPR

GDPR-compliant archiving


GDPR and archiving: The challenge for companies

For many companies the General Data Protection Regulation (GDPR) is associated with enormous risks and uncertain costs.


Keywords such as the right to be forgotten, integrity protection, encryption and privacy-by-design are part of the agenda and must urgently be implemented.

Since the GDPR came into force, IT managers and compliance managers have been faced with the challenge of meeting the high demands on data management. The penalties are high: up to 4% of the global annual turnover or 20 million euros in the case of a serious violation of the GDPR.


Many companies have not yet taken the appropriate measures for archiving in accordance with the GDPR. The incidents of the past years show that some pitfalls in data archiving result in penalties of record amounts - but are avoidable.


An example of a company acting too late is the housing association Deutsche Wohnen, which was fined 14 million euros at the end of 2019. An important reason for this: the archive system had no delete function. As a result, personal information of customers and interested parties was stored for years, even if there was no longer a tenancy or the reason for the data processing had expired.


Sanctions are getting continuously tougher. There is still an urgent need for action, even months after GDPR came into force. But how is it possible that companies get into such a situation? Here we’ll tell you the 5 pitfalls which organizations have to avoid.

The 5 biggest pitfalls of GDPR-compliant archiving

1. Meeting retention requirements (retention management)

Companies are obliged to indicate at the time of data collection how long personal data will be archived. These retention periods are usually based on periods which are defined by other regulations, such as the GoBD.

Certain data have to be provided with a timestamp (retention period), and may/must only be deleted after this period has expired. During this period, the data must be archived in an unchangeable form, and protected from deletion. What possibilities for retention management are offered by your business applications or archiving software?


Additional WORM (Write Once Read Many) protection mechanisms prevent deletion, manipulation, or modification of the data within the retention period.

2. The right to be forgotten: Deleting data within the retention period

It sounds paradoxical, but it is clearly regulated by the GDPR: the right to be forgotten or the right to deletion. On this point, two contradictory requirements come together. On the one hand, your archive must guarantee that data will not be deleted or changed for a certain period of time. At the same time, you have to find a way of breaking this rule in the case where, for example, a person withdraws his or her consent to data processing by your company.

A special delete function and a clearly defined, compliant deletion process enable you to master this balancing act and delete archived data correctly before the retention period expires.

3. Public cloud and data security

Cloud computing is becoming a general standard in companies. Today, around 50 percent of corporate data is stored in the cloud.

The more data flows into the cloud, the more complex it becomes to ensure data security. In 2019, for example, breaches of data security were detected in almost every second company, including cases in which sensitive data was stored unencrypted. In addition, your cloud provider must also implement the GDPR regulations so that your archived data can be stored compliantly.

So please also consider on-premise alternatives. This way, you retain sovereignty over your data and have more control over data security. With modern software-based solutions you also have the same advantages as cloud storage options at significantly lower costs, as a recent ESG study shows.

4. Recording changes and manipulation attempts

If errors or manipulation attempts occur in your archive system, it is important that you are able to prove them. The documentation of your data processing is becoming increasingly important.

A so-called audit trail is used here, which records all processes in your archive. This includes the production, storage, maintenance, use, and disposal of all data records. With the help of this documentation, you can pinpoint the cause of a problem precisely. The audit trail also records which user an event can be attributed to, and a timestamp tells you when the event took place. Of course, users don’t have access to the audit trail, as this must be protected against manipulation too.
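The retention lock from pitfall 1, the documented early deletion from pitfall 2 and the audit trail described above can be modelled together. The following Python is an added example, not iTernity code; the class and function names, the event names and the hash-chained log format are assumptions chosen for illustration, and timestamps are passed in by the caller as `datetime` objects.

```python
import hashlib
import json

class RetentionError(Exception):
    """Delete or overwrite refused by the retention lock."""

def _digest(entry):
    # Hash every field except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Archive:
    def __init__(self):
        self._objects = {}  # object id -> (payload, retain_until)
        self.audit = []     # append-only records, each linked to its predecessor

    def _log(self, now, user, event, obj_id, reason=""):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": now.isoformat(), "user": user, "event": event,
                 "object": obj_id, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def store(self, now, user, obj_id, payload, retain_until):
        if obj_id in self._objects:  # write once: no overwrite of archived data
            self._log(now, user, "overwrite_denied", obj_id)
            raise RetentionError("objects are write-once")
        self._objects[obj_id] = (payload, retain_until)
        self._log(now, user, "store", obj_id)

    def delete(self, now, user, obj_id, erasure_reason=""):
        # Inside the retention period only a documented erasure request deletes.
        locked = now < self._objects[obj_id][1]
        if locked and not erasure_reason:
            self._log(now, user, "delete_denied", obj_id)
            raise RetentionError("retention period has not expired")
        del self._objects[obj_id]
        self._log(now, user, "erase" if locked else "delete", obj_id, erasure_reason)

def verify_audit(audit):
    """Return True only if no recorded entry was altered, removed or reordered."""
    prev = "0" * 64
    for entry in audit:
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True
```

The chain only makes changes to past entries detectable; the most recent hash has to be kept somewhere that archive users and administrators cannot rewrite, otherwise the whole log could be recomputed.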

5. Integrity protection and permanent data consistency

Don't forget that errors can occur during archiving operation and data storage (keywords: bit rot and silent data corruption). To protect data integrity permanently and efficiently, automated mechanisms are required that detect these errors and, ideally, correct them directly.

Imagine, for example, a pharmaceutical company which is about to launch a medication onto the market. The regulatory authority examines the safety of this medication, but can’t grant a marketing authorization because important data for quality control are no longer readable or are missing. Your archive solution must be able to identify these errors. With a Self-Healing function of replicated data and automatic hash value checks, damaged records can be identified and replaced with the valid record.
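The hash check and replica repair described above can be shown in a few lines. This Python is an added example, not iTernity's implementation; the function names, the manifest layout, the path names and the sample records are constructed for illustration.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

def scrub(manifest, replicas):
    """Check each archived object on every storage path and heal bad copies.

    manifest: object id -> SHA-256 recorded when the object was archived.
    replicas: path name -> {object id -> bytes}.
    Returns (repaired, unrecoverable).
    """
    repaired, unrecoverable = [], []
    for obj_id, expected in manifest.items():
        # A copy is valid only if it exists and still matches the recorded hash.
        valid = [path for path, store in replicas.items()
                 if obj_id in store and digest(store[obj_id]) == expected]
        damaged = [path for path in replicas if path not in valid]
        if not valid:
            # No trustworthy copy left: report it, never "repair" from bad data.
            unrecoverable.append(obj_id)
            continue
        good_copy = replicas[valid[0]][obj_id]
        for path in damaged:
            replicas[path][obj_id] = good_copy
            repaired.append((path, obj_id))
    return repaired, unrecoverable

def build_sample():
    # Constructed sample data: two quality-control records on three paths.
    objects = {"batch-001.csv": b"lot,assay\nA1,99.2\n",
               "batch-002.csv": b"lot,assay\nA2,98.7\n"}
    manifest = {name: digest(data) for name, data in objects.items()}
    replicas = {path: dict(objects) for path in ("path-a", "path-b", "path-c")}
    # Silent corruption: one digit changed on path-b.
    replicas["path-b"]["batch-001.csv"] = b"lot,assay\nA1,99.3\n"
    # Missing record on path-c.
    del replicas["path-c"]["batch-002.csv"]
    return manifest, replicas

if __name__ == "__main__":
    manifest, replicas = build_sample()
    print(scrub(manifest, replicas))
```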

Requirements for GDPR compliant archiving

"Many requirements of the GDPR are easier to implement based on a central archive storage platform. First, the GDPR requires a review and optimization of existing business processes. Technology is only the second step, but it can be crucial for the implementation and continuous compliance."

Werner Bachmann

Lawyer with focus on IT Compliance and Privacy

GDPR and archiving: more than just a documentation task

The GDPR is more than just a documentation task. It involves both IT infrastructures and the optimization of archive systems. It is worth investing in a GDPR-compliant IT infrastructure because data breaches can become expensive. Breaches can be punished with 2 % of the worldwide turnover or with a 10 million Euro fine, for serious GDPR breaches with even 4 % or 20 million Euro.

Do not get caught out with these avoidable pitfalls. If you haven't already done so, prevent it by revising your processes, creating the necessary infrastructure, and storing and archiving your data in compliance with the German Data Protection Act (GDPR).

GDPR Compliance with iTernity

Software-Defined Archiving (SDA) provides openness, scalability and cost effectiveness. SDA provides the functional software layer between 120+ business applications and the storage hardware. See how our solutions help you make your data storage GDPR-compliant:


  • KPMG certified solution
    KPMG checked and certified iTernity technology for GDPR-compliance.
  • Data integrity
    Our solutions ensure data integrity by storing all information (data, meta data, hash values) in self-sustaining secure archive containers.
  • Encryption at Rest
    Our solutions support AES-256 encryption to prevent unauthorized access.
  • Separation of clients, user data and meta data
    Multi-client capability enables a secure separation of archived data in different repositories. The user data and meta data are strictly separated.
  • Access control
    All access attempts to archive objects are documented in audit logs. Only authorized users get access to personal data.
  • Retention management
    Timestamps, lock concept and WORM functionality guarantee a secure data retention to meet various legal requirements.
  • Data consistency
    The Self-Healing functionality allows data to be stored on several paths (replication). Damaged objects can automatically be identified and replaced to ensure data consistency and integrity on all paths.

Certified solution with strong partners

GDPR compliance audited by KPMG

iTernity solutions have been audited by KPMG. The external auditors confirmed that the data storage solutions comply with the regulations of the General Data Protection Regulation (GDPR) and its Privacy-by-Default and Privacy-by-Design requirements.


Whitepaper: How iCAS meets the requirements of the GDPR

For companies, it is essential to know exactly how their tools and solutions actually meet the requirements of the GDPR. In our whitepaper, we show how iTernity Compliant Archive Software (iCAS) meets GDPR-requirements, providing a solid foundation for legally compliant data management.


Read in this whitepaper:

  • What are the technical requirements of the GDPR for long-term data archiving?
  • How does WORM storage prevent data loss, manipulation, and unauthorized deletion?
  • How does iCAS enable data integrity protection, access control, retention management and more?