European data protection: If you store data you must also delete it

‘JiVS History for GDPR’: system-independent platform for data management and compliance

Kreuzlingen, 18th December 2017 – The clock is ticking. In less than six months sanctions will begin to apply to violations of the EU General Data Protection Regulation (GDPR). One of the regulation’s central requirements phrased briefly and concisely reads as follows: If you store data you must also delete it. For many companies, it will prove difficult to carry out this task. This is because they operate older systems, which are capable of storing data, but which cannot delete such data automatically. However, the costs of any adaptations to established data inventory systems or investments in modern systems often exceed the funds available. The solution adopted in “JiVS History for GDPR” enables data, together with business logic, to be separated from legacy systems, cleansed and consolidated on one platform. Then the data can be safely deleted.

 

A new data privacy law in 2018

The GDPR requires businesses to ensure a hitherto unprecedented amount of transparency and documentation when processing personal data, which goes far beyond its tamperproof storage and protection from unauthorized access. Companies will have to know and be able to prove virtually at any time and at the flick of the button where, how and who is storing and processing personal data and the purpose of such storage and processing. They will have to be capable of intervening in such processes at any time, for example if they have to comply with comprehensive disclosure obligations vis-à-vis supervisory authorities, above all, however, on behalf of the persons to whom such data relates.

 

What mattered previously was the collection of user data as comprehensively as possible and its secure storage. Now, however, the aim is that datasets, apart from the necessary tasks of archiving and backing up data, should be minimized and if need be deleted in a targeted fashion. Moreover, this will not only apply to data but also to documents containing personal data. Old systems and archives, however, only offer such possibilities to a limited extent. A high degree of manual labor and specialist know-how is required to modify them. The alternative strategy – migration to more modern systems – is time-consuming and expensive.

 

This is compounded by the fact that the EU General Data Protection Regulation does not refer to individual systems but to business processes in the course of which personal data is processed. Such processes are usually supported by systems designed by different manufacturers. For most companies seeking to comply with the requirements of the GDPR before the deadline for compliance in May 2018, the adaptation of different systems using different software solutions from various manufacturers is not a viable option because of the amount of time and expense involved.

 

The solution: extraction of personal data

The solution for this both technical and financial problem lies in a complete new approach to data management: the separation of data and the accompanying business logic from legacy systems and management of its entire lifecycle. The operational costs of such a platform are up to 80 percent less than those for the systems it replaces. The savings are attributable in part to the possibility of cleansing the migrated data usually found in legacy systems on many occasions, but which apart from necessary backups only has to be made available on one occasion.

 

JiVS: the platform for data management and GDPR compliance

The 80-20 rule also applies to IT budgets: around four fifths of IT tasks are performed for operational purposes alone. Businesses are hardly in a position to use the remaining 20 percent to finance any necessary innovations in digitalization, migration to new software generations such as SAP S/4 HANA and to ensure legal certainty.

 

Standardization and automation are the necessary prerequisites for definitively overcoming this situation through the decommissioning of legacy systems and the system-independent management of data and its accompanying business logic. These are precisely the characteristics offered by the JiVS solution from the Swiss-based company Data Migration Services AG. With the aid of a Java-based platform and, in particular, its component ‘JiVS History for GDPR’, the archive and live data obtained from the decommissioned systems together with documents governed by retention periods can be assured through a comprehensive system of “retention management” and irretrievably and automatically deleted at the end of the retention period. In addition, this automatic solution can be put on hold in exceptional cases, such those involving ongoing legal proceedings, at the level of individual datasets or documents (‘legal hold’).

 

Certified according to strict standards

JiVS History has been certified since 2015 as complying with the strict standard IDW PS 880 laid down by the Institute of Public Auditors in Germany (IDW). This means that the historization of data and the decommissioning of legacy systems using the software solution JiVS History meets the requirements under commercial law and tax law described in sections 238 et seq. of the German Commercial Code and sections 140 and 148 of the German Tax Code (AO), the generally accepted principles of proper computer-based accounting systems (GoBS) and the principles governing data access and the auditability of digital records (GDPdU).

Apart from compliance with requirements under commercial and tax laws, the comprehensive analysis and reporting functions provided by JiVS History also enable extensive requirements when searching and analyzing historical data to be met, throughout the entire duration of the mandatory retention period. In this respect, it is irrelevant whether the data originates from SAP, Baan, JD Edwards, Oracle or other systems.