- Problem description
The European General Data Protection Regulation (EU GDPR) turns companies’ usual storage practices on their head. Whereas in the past the main task was to keep data and documents for as long and as securely as possible, the regulation requires them to be erased if they contain personal data. Companies have to do this if employees, customers or partners demand it and there are no other rules, for example certain prescribed retention periods, that oppose this. However, they also have to erase personal data on their own initiative if it turns out that these data were wrongly collected or if the purposes behind the data collection no longer apply. Basically the EU GDPR not only requires an erasure function, but also the continuous management of the entire life cycle of personal information.
Unfortunately, many legacy systems do not have an “erase button”, let alone a function to manage the entire life cycle. The cost of retrofitting these legacy systems also cannot be justified from a business point of view. In addition, this kind of retrofitting is no longer technically possible with many legacy solutions.
To determine which personal data may need to be erased, companies are faced with the laborious, time-consuming and costly task of finding out where they are stored. In view of the heterogeneous and internationally distributed IT landscapes, this inventory is already difficult enough for production systems. Some manufacturers even offer their own tools for this, but they are only suitable for their own solutions.
An inventory of the productive systems, however, does not go far enough. Personal data stored in legacy systems are subject to the EU GDPR in the same way as data stored in productive systems. Even where retrofitting is technically possible at high cost, the legacy systems would have to be taken out of read-only mode and put back into operation permanently in order to operate a retention management system that is consistent across all systems.
The basic problem of retention management in legacy systems is that the life cycle of data and documents containing personal data cannot be managed separately from the life cycle of the systems. And as this management has to remain incomplete with many legacy systems due to the technology, not only do the costs rise disproportionately, but the legal risks do too. The EU GDPR does not differentiate between productive systems and legacy systems!
The solution for this problem is to extract the data and documents from any type of legacy system, be it SAP, Baan, Peoplesoft, Microsoft Axapta, Oracle ERP or in-house developments etc., and store them in a modern, neutral format on a central platform. However, the business context must be retained. For example, it must be possible to search for and find all invoice documents belonging to a customer address there. The relationships between the information must also be stored on the platform for this purpose. This gives users the ability to handle the information as if it were still in its original environment. That is exactly what the EU GDPR requires. Companies can only erase these data records in a targeted and complete manner if all the personal data on an employee or a customer, for example, can also be determined at the push of a button in all legacy systems.
Comprehensive retention management functions allow retention rules and periods to be attached to data and documents. At the end of the life cycle – for invoices, for example, ten years after their creation date – the relevant data and documents are suggested for erasure. A double checking principle prevents accidental erasure. At the same time, this kind of retention management prevents premature erasure. Even if a customer requests the erasure of their personal data, information whose retention periods have not yet expired will still be retained. This also applies to data and documents that may not be erased due to legal disputes and are therefore subject to a so-called legal hold. It goes without saying that a retention management system worthy of the name documents every action seamlessly and automatically.
JiVS IMP is the name of the information management platform that provides all the functions required to meet the requirements of the EU GDPR for any type of legacy system. JiVS IMP can be implemented either in an in-house data center or in the public cloud. Supported environments include the Google Cloud Platform, Amazon Web Services and Microsoft Azure. At the same time, customers can choose from a variety of popular database management systems (DBMS), from IBM Db2 to Oracle Database and Microsoft SQL Server to SAP IQ.
- Customer benefits
JiVS IMP provides legal certainty across all legacy systems. However, the potential benefits are far greater. The ability to manage the entire life cycle of corporate information is not limited to personal data, but can be applied to all information, whether it originates from commercial systems such as ERP and CRM solutions or from technical systems such as PDM or PLM.
This also makes it possible to manage the life cycle of the companies’ crown jewels, their intellectual property, seamlessly and much more securely than in the legacy systems, because a central platform is easier and more effective to protect against cyber attacks and to shield against vulnerabilities than many legacy systems, if patches are even supplied for them at all.
Last but not least, JiVS IMP usually enables savings of 80 percent or more compared to the operating costs of legacy systems, which can be completely decommissioned.
- Price and availability
JiVS IMP is available now. The range of functions and price are determined specifically for the project.