As there is a growing abundance of local and international laws that impose proper digital archiving or preservation (Belgian Digital Act, MiFID II, NF-461, etc.), it’s also important to ensure compliance with the General Data Protection Regulation.
Most archiving systems have been designed to never delete any information and even the internationally reputed ISO 14721, the “holy OAIS-grail” of all archivists, isn’t compliant with GDPR.
We’ll cover some of the key elements of the GDPR that impact digital archiving and how your archiving solution should address these challenges.
Data Minimization and Retention
Personal data should only be collected and stored for specified, explicit, and legitimate purposes, and not kept for longer than necessary. This is expressed in GDPR Article 5: data minimization and storage limitation.
Digital archiving solutions should, consequently, incorporate functionalities such as:
- Automatic data retention policies: Set automated rules to delete personal data after a specific period or when it is no longer needed.
- Granular access controls: Restrict access to archived personal data to authorized users based on roles, responsibilities, and legitimate purposes.
OAIS is meant to preserve information eternally and doesn’t foresee access control on the archiving system.
Right to Access and Data Portability
Individuals have the right to access their personal data and obtain a copy of it (GDPR Article 15). Additionally, GDPR Article 20 grants individuals the right to data portability, allowing them to receive their data in a structured, commonly used, and machine-readable format.
Digital archiving solutions must facilitate:
- Simple search and retrieval: Implement efficient search capabilities to quickly locate and retrieve personal data upon request.
- Data export functionality: Allow data to be exported in common formats like CSV, JSON, or XML, to enable easy portability.
Your typical Document Management or Records Management solution doesn’t provide this kind of export functionality.
Right to be Forgotten
GDPR Article 17 provides individuals with the right to have their personal data erased under specific conditions, such as when the data is no longer necessary for the purpose it was collected.
To comply with this requirement, digital archiving solutions should:
- Enable secure deletion: Implement secure deletion procedures to ensure that erased data is irretrievable and cannot be reconstructed.
- Maintain deletion logs: Keep records of all erasure requests and actions to demonstrate compliance with the right to be forgotten.
Data Security and Encryption
In accordance with Article 32 of the GDPR, organisations should implement appropriate technical and organisational measures to ensure the security of personal data. This includes protecting data against unauthorised access, accidental loss, or destruction.
Essential security functionalities in digital archiving solutions include:
- Data encryption: Encrypt personal data both at rest and in transit using strong encryption algorithms.
- Regular backups: Schedule routine backups to protect against data loss and ensure data integrity.
- Intrusion detection and prevention: Implement monitoring and alerting systems to detect and prevent unauthorised access or security breaches.
OAIS considers encryption as the introduction of a risk for preservation.
GDPR Compliance Auditing and Reporting
Organisations must demonstrate compliance with GDPR regulations, and digital archiving solutions should support this by providing:
- Audit trails: Maintain detailed logs of all data processing activities, including data access, modification, deletion, and transfer.
- Compliance reporting: Generate customizable reports that outline compliance with GDPR requirements, highlighting potential issues and areas for improvement.
If you are looking to comply with the GDPR regulation, it might be a good thing to keep the above functionalities and requirements in mind.
These will also be reflected in the revision of eIDAS, its new Trust Services and the EUDIW.