Retention Management and the GDPR
1. Problem description
Since the day it came into force on 25 May 2018, things seemed to calm down around the European General Data Protection Regulation (EU GDPR) – but only for the general public. Staff in IT departments are still talking about it practically every day. And rightly so too. That’s because the new European data protection legislation turns companies’ usual storage practices on their head. Whereas in the past the main task was to keep data and documents for as long and as securely as possible, the regulation requires them to be deleted if they contain personal data.
Companies have to fulfill this obligation if employees, customers or partners make use of their “right to be forgotten” and there are no other rules like valid retention periods that oppose this. However, they also have to delete personal data on their own initiative if it turns out that this data was unlawfully collected or if the purposes behind the data collection no longer apply. Basically, the EU GDPR not only requires a delete function, but also the continuous management of the entire lifecycle of personal information. In other words, the regulation requires end-to-end retention management.
It’s already difficult enough to meet these requirements in live systems. But not all managers seem to be aware that the EU GDPR naturally also applies to all of the legacy systems – with no exceptions and regardless of how old they are.
To determine which personal data may need to be deleted, companies are faced with the laborious, time-consuming and costly task of finding out where it is actually stored. In view of today’s heterogeneous and internationally distributed IT environments, this inventory is already not easy for production systems.
An inventory of the productive systems, however, is not sufficient as it needs to be extended to legacy systems too. Yet many legacy systems do not have a “delete button”, let alone functions to manage the entire lifecycle of data and documents. Also, the cost of retrofitting these legacy systems cannot be justified from a business point of view – assuming it’s even technically possible.
The basic problem of retention management in legacy systems is that the lifecycle of data and documents containing personal data cannot be managed separately from the lifecycle of the systems. And as this management has to remain incomplete with many legacy systems due to the technology, not only do the costs rise disproportionately, but the legal risks do too. As noted above, the EU GDPR does not differentiate between productive systems and legacy systems!
The solution for this problem is to extract the data and documents from any type of legacy system, be it SAP, Baan, Peoplesoft, Microsoft Axapta, Oracle ERP or in-house developments etc., and store them in a modern, neutral format on a central platform. However, the business context must be retained. For example, it must be possible to search for and find all invoice documents belonging to a customer address there. The relationships between the information must also be stored on the platform for this purpose. This gives users the ability to handle the information as if it were still in its original environment. That is exactly what the EU GDPR requires. Companies can only delete these data records in a targeted and complete manner if all the personal data on an employee or a customer, for example, can also be identified at the push of a button in all legacy systems.
Data and documents can be tagged with retention rules and periods using comprehensive retention management functions. At the end of the lifecycle – for invoices, for example, this is ten years after their creation date – the relevant data and documents are suggested for deletion. A double-checking principle prevents accidental deletion. At the same time, this kind of retention management prevents premature erasure. Even if a customer requests the deletion of their personal data, the information that is not yet subject to expired deadlines will still be retained. This also applies to data and documents that may not be erased due to legal disputes and are therefore subject to a so-called legal hold. It goes without saying that a retention management system worthy of the name documents every action seamlessly and automatically.
JiVS IMP is the name of the Information Management Platform that provides all the functions needed to meet the requirements of the EU GDPR for any type of legacy system. The platform offers, as standard, a wide range of interfaces to legacy systems from multiple providers, including Baan, Microsoft Axapta, Oracle ERP, Peoplesoft and of course SAP. The standard version of JiVS IMP supports more than 2000 business objects from various providers’ solutions; for SAP, it supports over 1200.
JiVS IMP can be implemented both in an in-house data center or in the public cloud. Supported environments include Amazon Web Services, the Google Cloud Platform, and Microsoft Azure. At the same time, customers can choose from a variety of popular database management systems (DBMS), from IBM Db2 to Oracle Database and Microsoft SQL Server to SAP IQ.
5. Customer benefits
JiVS IMP provides legal certainty across all legacy systems. However, the potential benefits are far greater. The ability to manage the entire lifecycle of corporate information is not limited to personal data, but can be applied to all information, whether it originates from commercial systems such as ERP and CRM solutions or from technical systems such as PDM or PLM.
This also makes it possible to manage the lifecycle of the companies’ crown jewels, their intellectual property, seamlessly and much more securely than in the legacy systems. This is because a central platform is easier and more effective to protect against cyber-attacks and to shield against vulnerabilities than many legacy systems, if patches are even supplied for these at all.
Last but not least, JiVS IMP usually enables cost savings of 80 percent or more compared to the operating costs for legacy systems, which can be completely decommissioned.
6. Price and availability
JiVS IMP is available now. The functional scope and pricing are defined on a project-specific basis. Customers can choose to subscribe to the platform’s functionality as a service, enabling them to transfer capital expenditure (CAPEX) to operating expenditure (OPEX).