The 5 biggest pitfalls when doing GDPR-compliant archiving

Since the EU’s General Data Protection Regulation came into force on 25 May 2018, individual EU citizens can be sure that their data are protected by uniform law, and that they will keep the sovereignty about how their data are further used. From a consumer’s perspective, the GDPR is a significant step forward in data protection.

After two years, however, most companies still haven’t taken the appropriate measures to meet the requirements. Companies have to ensure that they store and process data in accordance with the specifications of GDPR. Internal processes, data management, and archiving must be reconsidered and optimized. This way, GDPR-compliant archiving has developed into its own specialist discipline.

An example for a company acting too late is the housing association Deutsche Wohnen. The housing association was sentenced to a sum of 14 million Euro at the end of 2019. An important reason for this: The archive system had no delete function. As a result, personal information of customers and interested parties was stored for years, even if there was no longer a tenancy or the reason for the data processing had expired.

Between 2018 and the end of 2019, a total of more than 160,000 GDPR breaches have been registered. 247 per day! Sanctions are getting continuously tougher. There is still an urgent need for action, even months after GDPR came into force. But how is it possible that companies get into such a situation? Here we’ll tell you the 5 pitfalls which organizations have to avoid.

1. Meeting retention requirements (Retention Management)

Companies are obliged to indicate at the time of data collection how long personal data will be archived. These retention periods are usually based on periods which are defined by other regulations, such as the GoBD.

Certain data have to be provided with a timestamp (retention period), and may/must only be deleted after this period has expired. During this period, the data must be archived in an unchangeable form, and protected from deletion. What possibilities for Retention Management are offered by your business applications or archiving software?

Through additional WORM (Write Once Read Many) protection mechanisms, deletion, manipulation, or changeability within the retention period is not possible.

2. The right to be forgotten: Deleting data within the retention period

It sounds paradoxical, but it is clearly regulated by the GDPR: the right to be forgotten or the right to deletion. On this point, two contradictory requirements come together. On the one hand, your archive must guarantee that data will not be deleted or changed for a certain period of time. At the same time, you have to find a way of breaking this rule in the case where, for example, a person withdraws his or her consent to data processing by your company.

A special delete function and a clearly defined, compliant deletion process enables you to master this balancing act and so delete archived data correctly before the retention period expires.

3. Public cloud and data security

Cloud computing is becoming a general standard in companies. Today, around 50 percent of corporate data is stored in the cloud.

The more data flows into the cloud, the more complex it will become to ensure data security. In 2019, for example, in almost every second company breaches of data security were determined - including cases in which sensitive data was stored unencrypted. In addition, your cloud provider must also implement the GDPR regulations so that your archived data can be stored compliantly.

So please also consider on-premise alternatives. This way, you retain sovereignty over your data and have more control over data security. With modern software-based solutions you also have the same advantages as cloud storage options at significantly lower costs, as a recent ESG study shows.

4. Recording changes and manipulation attempts

If an error or manipulation attempts occur in your archive system, it is important that you are able to prove these. The documentation of your data processing becomes increasingly important.

A so-called audit trail is used here, which records all processes in your archive. This includes the production, storage, maintenance, use, and disposal of all data records. With the help of this documentation, you have the possibility to precisely localize the causes. At the same time, it records which user can be assigned to an event. A timestamp also tells you when an event took place. Of course, users don’t have access to the audit trail, as this must be protected against manipulation too.

5. Integrity protection and permanent data consistency

Don't forget that errors can occur during archiving operation and data storage (keyword bit rot and silent data corruption). In order to protect the data integrity permanently and efficiently, certain automatisms are required to detect these errors and, at best, to solve them directly.

Imagine, for example, a pharmaceutical company which is about to launch a medication onto the market. The regulatory authority examines the safety of this medication, but can’t grant a marketing authorization because important data for quality control are no longer readable or are missing. Your archive solution must be able to identify these errors. With a self-healing function of replicated data and automatic hash value checks, damaged records can be identified and replaced with the valid record.

The GDPR is more than just a documentation task. It involves both IT infrastructures and the optimization of archive systems. It is worth investing in a GDPR-compliant IT infrastructure because data breaches can become expensive. Breaches can be punished with 2 % of the worldwide turnover or with a 10 million Euro fine, for serious GDPR breaches with even 4 % or 20 million Euro.

Do not get caught out with these avoidable pitfalls. If you haven't already done so, prevent it by revising your processes, creating the necessary infrastructure, and storing and archiving your data in compliance with the German Data Protection Act (GDPR).

A solution for many use cases: Software-Defined Archiving

Archiving solutions will be in demand when it comes to mastering different and individual use cases as well as meeting internal and extern requirements. The software-defined middleware archiving solution iCAS and the scale-out archiving platform iCAS FS enable secure and compliant archiving of all forms of business data. The solutions keep the integrity of archived data safe, and fulfill legal, industry-specific, and internal compliance requirements. Thanks to hardware-independence, high flexibility, and enormous scalability, large amounts of data can be archived cost-efficiently, and cover nearly every use case.