xSuite Blog

Expert Knowledge on Digitalization & Automation of Business Processes

GDPR: Paradigm Shift Moves into Archiving

12.04.2019

Topics: Archiving | GDPR

New perspective

Audit-proof, unchangeable, long-term data retention—until just a few months ago, these were the keywords used for advertising electronic archive systems. What was expected of a good archive solution was that it would store data indelibly and for eternity.

Then, the General Data Protection Regulation (GDPR) took effect and turned everything upside down. And although the GDPR definitely did not arrive unannounced, many IT managers only became aware of its full implications once it was already in force.

The impact of the GDPR was first discussed in relation to areas such as e-mail and online marketing, social media and cloud offerings. Then other issues came to the fore: records of processing activities, processing on behalf of a controller (commissioned data processing), and data protection officers in companies. Those involved are only gradually grasping the reality that the GDPR affects not only marketing and IT, but in fact all business processes and all parts of the company. Let's look at a few examples.

Employees are also persons

The General Data Protection Regulation protects only natural persons, not companies. However, this does not mean that the GDPR does not apply within the company or in B2B business. Employees of companies are persons, even when they are acting in their role as employees. This means that all documents and data that contain information about an employee are personal data. This applies both to the employees at your own company and to the employees of business partners such as customers and suppliers.

What does "identifiable" mean?

The GDPR applies to "personal data" and defines it in Article 4(1) as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (Source: Official Journal of the European Union).

This definition leaves some room for interpretation, of course. But with determination, creativity and a good nose, far more people can be identified than not. And "identifiable" widens the circle dramatically compared with "identified": an e-mail address, a telephone extension, a user name, an initials abbreviation in a workflow log; the list of personal data quickly becomes rather long.

Non-personal data—do business processes ever even have anything like this?

When writing this article, I reflected on this a lot and couldn't think of a single example. An invoice, for instance, contains the contact data of the supplier and the recipient, each including a contact person. If the invoice is processed in an ERP system, every work step is logged in an audit-proof manner, including who processed the invoice. If nowhere else, then at least the metadata reveals who was involved. Even a rather impersonal business process such as invoice processing invariably involves several identifiable persons, so the GDPR applies here as well.

And what does the GDPR have to do with archiving now?

Archiving most commonly involves business documents such as invoices, and, as shown above, business documents entering the archive contain personal data. Electronic processing and archiving usually generate even more personal data (processing logs, user IDs, timestamps), to which the GDPR also applies.

It gets even more interesting when we include other requirements of the GDPR, namely principles such as purpose limitation, data minimization, and storage limitation. In very simplified terms, these precepts stipulate that personal data may only be used or stored if there is a reason for doing so, and that reason must be legally valid. If there is no such reason, personal data must be deleted, without anyone having to request it.

And this is where the real paradigm shift is to be observed: previously, the goal of archiving was the unchangeable storage of data and documents for an unlimited period of time. Since the GDPR has gone into effect, however, the decisive requirements for an archive solution have come to include transparency, traceability, options for searching and filtering, and, in a reversal of the old adage that good archiving equates to permanence, even deletion.
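To make the two points above concrete (that an archived invoice and its processing metadata are full of personal identifiers, and that storage limitation turns an archive into something that must also delete), here is an added example. It is not xSuite code and not code from the original article: the record layout, the field names, the retention schedule and the sample documents are all constructed for illustration, and the retention periods in RETENTION_YEARS are placeholders, not legal advice. The sweep classifies each record as retain or delete against a cut-off date and writes a deletion log that stays traceable without copying the personal data it has just removed.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical retention schedule (legal basis -> years). Placeholders only:
# real periods come from the applicable national law and the company's DPO.
RETENTION_YEARS = {
    "statutory_bookkeeping": 10,
    "contract_performance": 6,
}

# Constructed field names whose content is personal data by definition.
PERSON_FIELDS = {
    "supplier_contact": "name",
    "recipient_contact": "name",
    "contact_email": "e-mail address",
    "contact_phone": "telephone extension",
    "subscriber": "name",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

SWEEP_DATE = date(2019, 4, 12)   # cut-off date used by the sample run


@dataclass
class ProcessingStep:
    timestamp: str
    user_id: str      # ERP login of the clerk: itself a personal identifier
    action: str


@dataclass
class ArchivedDocument:
    doc_id: str
    doc_type: str
    fields: dict
    retention_basis: Optional[str]   # None = no legal basis for keeping it
    basis_start: date
    audit_trail: list = field(default_factory=list)


def personal_data_locations(doc):
    """List (location, identifier type) for every personal identifier in the
    record, including the processing metadata the ERP wrote into the trail."""
    found = []
    for key, value in doc.fields.items():
        if key in PERSON_FIELDS:
            found.append((f"fields.{key}", PERSON_FIELDS[key]))
        elif EMAIL_RE.search(str(value)):
            found.append((f"fields.{key}", "e-mail address"))
    for i, step in enumerate(doc.audit_trail):
        found.append((f"audit_trail[{i}].user_id", "user name"))
    return found


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:            # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_expiry(doc):
    """Date after which no basis remains; None means no basis ever existed."""
    if doc.retention_basis not in RETENTION_YEARS:
        return None
    return add_years(doc.basis_start, RETENTION_YEARS[doc.retention_basis])


def storage_limitation_sweep(docs, today):
    """Split the archive into documents to retain and documents to delete, and
    produce a deletion log that is traceable without copying personal data."""
    retain, delete, log = [], [], []
    for doc in docs:
        expiry = retention_expiry(doc)
        if expiry is None:
            reason = "no legal basis for storage"
        elif today > expiry:
            reason = f"{doc.retention_basis} expired {expiry.isoformat()}"
        else:
            retain.append(doc)
            continue
        delete.append(doc)
        # Log only document identity, reason and a count, never the data itself.
        log.append({"doc_id": doc.doc_id, "doc_type": doc.doc_type,
                    "deleted_on": today.isoformat(), "reason": reason,
                    "personal_data_fields": len(personal_data_locations(doc))})
    return retain, delete, log


# Constructed sample archive: fictitious people, companies and logins.
SAMPLE_ARCHIVE = [
    ArchivedDocument("INV-2008-001", "invoice",
        {"supplier": "Example Parts GmbH", "supplier_contact": "Anna Example",
         "contact_email": "anna.example@example.com", "contact_phone": "ext. 4711",
         "amount": "1,200.00 EUR"},
        "statutory_bookkeeping", date(2008, 12, 31),
        [ProcessingStep("2009-01-05T09:12:00", "jdoe", "approved"),
         ProcessingStep("2009-01-06T14:30:00", "msmith", "posted")]),
    ArchivedDocument("INV-2015-017", "invoice",
        {"supplier": "Sample Logistics AG", "supplier_contact": "Max Sample",
         "amount": "340.00 EUR"},
        "statutory_bookkeeping", date(2015, 12, 31),
        [ProcessingStep("2016-01-04T10:00:00", "jdoe", "approved")]),
    ArchivedDocument("NL-042", "newsletter_signup",
        {"subscriber": "Erika Muster", "mail": "erika@example.org"},
        None, date(2014, 3, 1)),
]

if __name__ == "__main__":
    for doc in SAMPLE_ARCHIVE:
        print(doc.doc_id, personal_data_locations(doc))
    retain, delete, log = storage_limitation_sweep(SAMPLE_ARCHIVE, SWEEP_DATE)
    print("retain:", [d.doc_id for d in retain])
    print("delete:", [d.doc_id for d in delete])
    for entry in log:
        print(entry)
```

Two design points worth noting. First, the audit trail is scanned alongside the document body, because in practice the processing metadata is where personal data hides after the invoice itself looks "impersonal". Second, the deletion log records the document ID, the reason and a field count rather than the deleted values: a log that reproduces the e-mail address it claims to have erased would itself become personal data with no retention basis.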
