GDPR: Electronic archiving is also concerned

The GDPR (General Data Protection Regulation) was adopted by the European Parliament in April 2016 and will enter into effect on 25 May 2018. In France, its implementation (and the corresponding controls) is placed under the authority of the French data protection authority, the CNIL. It will have a significant impact on most organisations, as well as on electronic archiving service providers.


The implementation of the GDPR in 2018 in all the member states of the European Union pursues several aims, in particular to standardise regulation at European level, to strengthen people's rights, to increase companies' responsibility by developing self-monitoring and to increase the pressure to observe the rules by toughening sanctions. 


Increased control 

Current law, based on the 1995 directive 95/46/EC, dates back to the early days of the Internet and did not anticipate the rise of search engines, social networks, connected objects, e-commerce, the cloud, big data, etc. The GDPR therefore intends to strengthen European citizens' control over the use of their personal data while simplifying regulation for organisations.


Who is concerned?

The GDPR affects practically all organisations. The regulation applies to all organisations that collect or process personal data concerning European Union residents, i.e. 99% of European organisations as well as a considerable number of organisations outside the EU (such as the major web players).


What is personal data?

It is any information relating to a natural person who is identified or who can be identified, directly or indirectly, by an identification number or by one or more details specific to them (name, photo, e-mail address, postal address, IP address, telephone number, date of birth, etc.).


Dual impact 

The GDPR shock wave will have a major impact on all data storage service providers, as well as on those in charge of electronic archiving. Archived electronic documents (contracts, subscription forms, consumer loans, HR documents, etc.) may contain personal data. When an organisation (the data controller, within the meaning of the legislation) entrusts the archiving of its documents to an archiving service provider (the subcontractor, i.e. the processor in GDPR terms), the data controller is responsible for ensuring that the service provider offers sufficient guarantees as to the security and confidentiality of the data entrusted to them. The service provider must therefore supply the data controller, whether a company, another entity or a public authority, with the elements that enable it to observe the various restrictions and formalities imposed by the regulation.


Privacy by design and Accountability 

The GDPR also changes how compliance is managed by introducing two principles. The first is privacy by design, which must apply to the service provider's archiving platform: secure connection with the client, no analysis of incoming documents (not even for indexing), guaranteed integrity during retention, access control with permissions management, securing the platform, etc. The second is accountability, the principle that the data controller must be able to demonstrate its compliance. The controller must therefore implement the appropriate measures to guarantee, and be able to demonstrate, that personal data is processed in compliance with the regulation. This encompasses the management of documentation, the implementation of security obligations, carrying out an impact analysis and keeping a register of processing operations.


The burden of proof

This is a burden of proof which requires that the data controller (company or public authority) documents all the actions in their data protection policy in order to be able to demonstrate to the supervisory authorities or the persons concerned how they follow it. Therefore, the company, entity or public authority that uses an archiving service provider (the data controller) must itself take all the technical and organisational measures necessary for compliance with the regulation, and must be able to demonstrate this at any time by keeping a compulsory register. The archiving service provider must provide their client (the data controller) with the responses and elements required, in particular the register of processing operations and the contracts (or general terms and conditions) containing clauses on the protection of the personal data that may be held in the archived documents. Be wary, however, of certain sales pitches because, to date, no official certification of GDPR compliance exists in France.


Electronic archiving: 3 key points for compliance with the GDPR 

To comply with the principles in terms of personal data protection (as some pre-date the adoption of the regulation) and the GDPR, "sophisticated" electronic retention of documents is essential, because archived documents may contain personal data (in particular for companies with a B2C model). However, personal data must be retained only as long as necessary to fulfil the objective of its collection. Electronic archiving must therefore be: 

  • selective. When a text stipulates an archiving obligation, one must ensure that only the data necessary to comply with the obligation in question, or to assert a legal right, is archived.
  • limited in time. The data necessary to fulfil a legal or regulatory obligation must be archived for the duration of the obligation concerned and must be deleted once this duration has elapsed. When the documents concerned are not subject to a retention obligation, but are used to assert a legal right, they must be destroyed at the end of the prescribed period.
  • secure. Technical and organisational measures must be envisaged to protect the data archived against any type of event (destruction, loss, alteration, distribution or unauthorised access, etc.).


Establishing credentials 

When the archiving is entrusted to a subcontractor (a third-party archiver), the data controller must therefore, as mentioned above, ensure that their service provider provides sufficient guarantees in terms of security and guarantees the confidentiality (and the location) of the data entrusted to them. ISO 27001 certification on the security of IT systems is a good start. In addition, there are standards on the design and operation of the Electronic Archiving System (EAS) used (ISO 14641-1 and Afnor NF Z 42-013), for which the certification reference framework NF 461 (common to both standards) provides answers in terms of archive life cycle management and the traceability of all the corresponding actions.


The EAS, the core asset for compliance with the GDPR

An NF 461 certified EAS is a precious aid for compliance. It enables one to provide reliable answers on document integrity (non-alteration and no untimely destruction); on their permanence and legibility over time (control and validation of formats, in order to guarantee that the owner can still read a document should they need to produce it for legal reasons, etc.); and on archive life cycle management (management of retention periods, the destruction process at the end of the retention period, and provision of destruction certificates enabling the data controller to prove destruction in case of an inspection by the relevant authorities, such as the CNIL, etc.).
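As an added illustration of the life cycle rules described above (selective intake, time-limited retention, integrity control and destruction certificates as proof), the following script is not from the original article nor from any EAS product; its record identifiers, contents and retention durations are constructed sample values, not real legal retention periods.

```python
"""Minimal retention life cycle for an electronic archive:
selective intake, time-limited retention, an integrity fingerprint
and a destruction certificate the data controller can keep as proof."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib


@dataclass
class ArchivedRecord:
    record_id: str
    content: bytes
    archived_on: date
    legal_basis: str      # obligation or legal right that justifies retention
    retention_days: int   # duration of that obligation (constructed values below)
    sha256: str = field(init=False)

    def __post_init__(self):
        # Fingerprint taken at ingest; later used to prove non-alteration
        self.sha256 = hashlib.sha256(self.content).hexdigest()

    def expiry(self) -> date:
        return self.archived_on + timedelta(days=self.retention_days)


def archive(store, record):
    """Selective intake: refuse any record without a stated legal basis and duration."""
    if not record.legal_basis.strip() or record.retention_days <= 0:
        raise ValueError(f"{record.record_id}: no legal basis or duration, must not be archived")
    store[record.record_id] = record


def integrity_ok(record) -> bool:
    return hashlib.sha256(record.content).hexdigest() == record.sha256


def run_retention_cycle(store, today, audit_log):
    """Destroy every record whose retention has elapsed; log one certificate per record."""
    certificates = []
    for rid in [r for r, rec in store.items() if today >= rec.expiry()]:
        rec = store.pop(rid)
        cert = {"record_id": rid, "sha256": rec.sha256, "legal_basis": rec.legal_basis,
                "archived_on": rec.archived_on.isoformat(), "expired_on": rec.expiry().isoformat(),
                "destroyed_on": today.isoformat(), "integrity_verified": integrity_ok(rec)}
        rec.content = b""          # purge the payload; only the certificate remains
        audit_log.append(cert)     # traceability of the destruction action
        certificates.append(cert)
    return certificates


def demo():
    store, log = {}, []   # constructed sample records
    archive(store, ArchivedRecord("loan-001", b"consumer loan contract", date(2012, 1, 1), "loan contract (constructed 5-year duration)", 1825))
    archive(store, ArchivedRecord("hr-042", b"employment contract", date(2017, 1, 1), "employment record (constructed 5-year duration)", 1825))
    certs = run_retention_cycle(store, date(2018, 5, 25), log)
    return sorted(store), [c["record_id"] for c in certs], log
```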