What are the implications of GDPR for digital archiving?
April 25, 2018 • 8 min read
On the surface, digital archiving and the EU General Data Protection Regulation (GDPR) can seem like uneasy bedfellows.
The one allows organisations to keep a long-term record of all their web and social media communications (which can include personal data). The other requires them to follow strict rules around the processing of personal data, including rules for data retention and the right to erasure.
For users - and would-be users - of digital archiving solutions, this is bound to raise a few questions. Is digital archiving exempt from GDPR? Is it fundamentally incompatible with the new rules? And where does this leave website and social media archiving?
In this blog, we look at the implications of GDPR for digital archiving, as well as how users of digital archiving solutions can protect themselves against future compliance risks in the EU’s new data protection landscape.
A recap - what brought us to this point?
The issue of data misuse and responsible marketing was thrust into the headlines in 2018 by the Facebook – Cambridge Analytica scandal.
Data mining and the use of algorithms to target campaigns is nothing new. However, controversy surrounded British consultancy Cambridge Analytica when it was revealed that it had acquired the data of approximately 87m Facebook users after just 270,000 of them used a Facebook app called ‘This is Your Digital Life.’
When those users gave the third-party app permission to acquire their data, back in 2015, they also gave it access to information on their friends’ networks. As a result, the data of about 87 million users was collected, the majority of whom had not explicitly given Cambridge Analytica permission to access it. The app developer breached Facebook’s terms of service by passing the data to Cambridge Analytica.
If that wasn’t enough, around the same time four dreaded letters landed on every company’s desk: GDPR. Standing for General Data Protection Regulation, the GDPR was brought in across the EU, and in the UK it replaced the antiquated Data Protection Act. As well as bringing in new rules for how public organisations and businesses handle clients’ data, it gives individuals greater control over how their information is used.
The risk of falling foul of data protection rules is severe and regulatory bodies have been very active in this field.
In 2018 alone, the Information Commissioner’s Office (ICO) issued the largest number of civil monetary penalties in its history in relation to data protection. In total, the ICO issued 26 fines totalling £3.28m across companies of all sizes and oversaw 19 criminal prosecutions (resulting in 18 convictions).
Suddenly, marketing departments are having to think more proactively about how they use client information while marketing effectively.
Is digital archiving GDPR-compliant?
Firstly, digital archives are not exempt from GDPR. If an archive contains information that meets the GDPR’s definition of personal data (data on an identified or identifiable living person), it is covered by the new rules. However, the practice of archiving and retaining this information in the long term - such as for decades or longer - is not, by itself, GDPR non-compliant.
For one thing, GDPR specifies no minimum or maximum periods for data retention. Organisations must simply keep hold of data “for no longer than is necessary for the purposes for which it is being processed”. In many cases, such as where archives are kept to meet compliance needs (for example those driven by ESMA, the FCA or MiFID II), there’s a clear requirement to capture and retain this data for the long term.
Alongside this, much has been made of GDPR’s “right to be forgotten”. In reality, however, the right isn’t absolute - many organisations will have a legal requirement or other legitimate grounds to continue processing a person’s data even if that person requests otherwise. This is because GDPR also requires them to protect data against “accidental or unlawful destruction”.
GDPR-compliant archiving: A checklist
The first questions you should ask are: which channels are we archiving, and which of those channels contain personal data?
Online channels such as websites are public facing and therefore contain a minimal amount of personal data, and the same can be said for social media posts. However, social media comments, or particular posts that centre on individual customers, could potentially open up the risk of GDPR non-compliance.
“The arrival of the GDPR, CCPA and other data regulations marks not just a regulatory regime change, but an increased focus and interest from consumers on the value and treatment of their personal data. To respond, marketers must build trust early in the customer lifecycle, earn permission to access valuable information to use for personalisation, and use that data for the customer’s benefit.”
- Ian Lowe, Vice President, Crownpeak
Fundamentally, organisations that have legitimate reasons to archive online channels are safe in doing so. However, users and would-be users of digital archiving solutions should take the necessary steps to ensure their archiving solutions are fully compliant, and that they have documented how they’ve met GDPR requirements.
Take the considerations below:
1. Work with GDPR-compliant suppliers
One of the changes introduced in GDPR is that any third-party suppliers an organisation uses to process personal data on EU citizens - such as cloud software or infrastructure suppliers - are now also liable for data protection compliance, and can be fined or penalised directly for infractions.
However, that’s not to say organisations can wash their hands of GDPR compliance where a third party is used to process personal data. Article 28 of GDPR states they must “use only processors providing sufficient guarantees ... that processing will meet the requirements of this regulation”.
In simple terms, unless an organisation ensures it only works with digital archiving suppliers who are GDPR-compliant, and who can demonstrate that compliance to a sufficient standard, its own compliance may be cast into doubt.
2. Conduct an audit of the channels you're archiving
Meeting the spirit of the regulation is very much about demonstrating the steps you've taken to comply and ensure fair treatment of personal data. Therefore, the best place to start is to conduct a complete review of all archiving channels (or the channels you're looking to archive) and then determine where risks may be present.
Once you’ve mapped this out and recorded where personal data may be captured, you can formalise the legal basis for why capturing and retaining this data is necessary. Bringing your legal team into the process will provide further clarity and help ensure you’ve taken sufficient steps to comply with the regulation.
3. Keep your web and social media data secure
One of the key principles of GDPR is, of course, protecting personal information against loss or disclosure. Specifically, Article 5 of the regulation states that personal data should be “processed in a manner that ensures appropriate security … including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
While there’s no single prescribed set of technical or organisational measures an organisation needs to implement to comply with GDPR, a good starting point when working with third-party suppliers is to look for certification against ISO 27001 - an internationally recognised best-practice benchmark for information security management.
“GDPR has probably slowed us down on the journey we were on, but the output is much more usable. You and I trust our bank to hold our money. We’ve probably never dug into how secure that bank is – we just trust them because they are our bank. But we know the value of that relationship and we trust them to do that job.”
- Richard Cooper, Head of Digital & eCommerce, AXA PPP Healthcare
4. Uphold your users’ access rights
Finally, in order for an organisation to uphold the full range of new rights for individuals introduced in GDPR - which include the right to access, the right to rectification, the right to erasure and the right to portability - it’s important that any data stored in the archives is easy to retrieve, has metadata that can be updated, and can be downloaded in an accessible format.
This can be a complex set of demands where large data sets are concerned, as an extensive digital archive may not be easy to index and search. Organisations should therefore ensure that any third-party suppliers they use can provide the right level of functionality in their frontend management portal, as well as in the archiving process itself.
Overall, there’s no doubt that GDPR is complex and presents some unique challenges when it comes to archiving personal data. However, by ensuring you understand your responsibilities and those of your third-party suppliers, compliance is entirely possible.