Almost at the end of the GDPR journey, in this blog post we focus on the sixth challenge: keeping track of the right time to delete documents, and deleting them permanently, so that no backup copies exist. Reading through the blog series, it is quite evident that GDPR is an ongoing process and that companies have to put in place a long-term plan to demonstrate their compliance.
As Bart van Bouwel, from CDI-Partners, highlights in this article, another important change introduced by the GDPR is data minimisation.
"Keep only the information you need for as long as you need it."
This means that not only structured data (data in databases) must be deleted after a certain time; unstructured data has to be removed as well. Data and documents that are being kept on the basis of consent must be deleted as soon as the consent is withdrawn.
As for the other challenges, implementing these functionalities on documents and files is more difficult than it is for structured data. Not only do you need to establish the right retention period, you also need to keep this information with the document and find a way to delete the document after the retention period has passed. In a previous post we already talked about the need to keep a link to the consent that has been given.
In the simplest form, retention periods are fixed: you need to keep a document for x years. But it can become more complicated very fast, for example: keep the dossier (all the documents related to a certain contract) y years after the contract ends. In this case you could be obliged to keep certain documents for decades. The retention period is not a fixed term, but a rule. As a consequence, you can't set the date of deletion at the moment you store the file in your environment.
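The difference between a fixed period and a rule can be made concrete in code. The following is an added example, not code from Alfred GDPR or Alfresco; the `Document` fields and function names are hypothetical, and the sample documents are constructed. It computes the deletion date from metadata kept with each document and returns no date while the triggering event (the end of the contract) has not happened yet.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Document:                      # hypothetical metadata stored with each file
    name: str
    stored_on: date
    years: int                       # retention length ("x" or "y" in the text)
    trigger: str = "stored"          # "stored" = fixed period, "contract_end" = rule
    legal_basis: str = "contract"    # or "consent"
    contract_end: Optional[date] = None          # unknown until the contract ends
    consent_withdrawn_on: Optional[date] = None

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:               # 29 Feb mapped onto a non-leap year
        return d.replace(year=d.year + years, day=28)

def deletion_due(doc: Document) -> Optional[date]:
    """Date from which the document must be deleted; None if not yet knowable."""
    # Withdrawn consent overrides any remaining retention period.
    if doc.legal_basis == "consent" and doc.consent_withdrawn_on:
        return doc.consent_withdrawn_on
    start = doc.stored_on if doc.trigger == "stored" else doc.contract_end
    return add_years(start, doc.years) if start else None

def due_for_deletion(docs, today: date):
    """Names of documents whose deletion date has been reached."""
    return [d.name for d in docs if (due := deletion_due(d)) and due <= today]

# Constructed sample data
DOCS = [
    Document("invoice.pdf", date(2015, 3, 1), 7),
    Document("open-contract.pdf", date(2010, 1, 10), 10, "contract_end"),
    Document("closed-contract.pdf", date(2008, 5, 5), 10, "contract_end",
             contract_end=date(2012, 2, 29)),
    Document("newsletter-optin.pdf", date(2023, 6, 1), 5,
             legal_basis="consent", consent_withdrawn_on=date(2024, 1, 15)),
]

if __name__ == "__main__":
    print(due_for_deletion(DOCS, date(2024, 6, 1)))
```

Because the open contract has no end date yet, the job has to be re-evaluated periodically rather than scheduled once at storage time.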
And deletion actually means removing all copies of the document from your system (and shredding the paper versions). For years companies have been investing in backup solutions so that they can retrieve information that has been deleted. And now we need to find a way to selectively delete, or at least block access to, certain files on backups.
How simple this would be if we didn’t store multiple copies of the same document on file servers and if we didn’t keep back-ups.
Alfred GDPR helps to manage document retention, including GDPR-related information. This means that all GDPR aspects of your documents, including a clear view of PII (personally identifiable information), are under your control. Records management is the ‘art of throwing away’, so governance to remove sensitive information is as important as governance to retain information.
Building upon Alfresco Content Services, our powerful metadata scheme allows you to encode various GDPR retention and protection policies. Retention is ensured as long as consent is given. Once consent is withdrawn, a simple query allows you to collect the information to be removed. Needless to say, audit and protection mechanisms are provided to protect against any unintended operation.
Optionally, Alfred GDPR enables object storage for all your (GDPR) documents. By applying the proper versioning policy, and protecting against loss of documents via built-in (Geo) replication, there is no need for two or three tier back-up strategies. As a consequence, you have direct control over all documents and their history within one management layer. With smart versioning policies and object storage you simply eliminate the need to keep or clean back-ups.
Thanks for reading, and keep a lookout for our last challenge: “Control the usage of documents by external parties”.
In the meantime, you can contact us with any specific request and we will be glad to help you and provide our support.
The series is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.