On the surface, digital archiving and the EU General Data Protection Regulation (GDPR) can seem like uneasy bedfellows. One allows organisations to keep a long-term record of all their web and social media communications, including those that contain personal data. The other requires them to follow strict rules around the processing of personal data, including rules for data retention and the right to erasure.
For users - and would-be users - of digital archiving solutions, this is bound to raise a few questions. Is digital archiving exempt from GDPR? Is it fundamentally incompatible with the new rules? And where will this leave our web and social media archives come May 25th?
In this blog, we look at the implications of GDPR for digital archiving, as well as how users of digital archiving solutions can protect themselves against future compliance risks in the EU’s new data protection landscape.
Is digital archiving GDPR-compliant?
Firstly, digital archives are not exempt from GDPR. So long as they contain information that meets the GDPR’s definition of personal data (data on an identified or identifiable living person), they are covered by the new rules. However, the practice of archiving and retaining this information in the long term - such as for decades or longer - is not, by itself, GDPR non-compliant.
For one thing, there are no minimum or maximum periods for data retention specified in GDPR. Organisations must simply keep hold of data “for no longer than is necessary for the purposes for which it is being processed”. In some cases, such as where archives are kept to meet other compliance needs (MiFID II, for example), there’s a clear argument that long-term data retention is necessary.
Elsewhere, much has been made of GDPR’s new right to erasure (also called the “right to be forgotten”). In reality, however, the right isn’t absolute - some organisations may have a legal requirement or other legitimate grounds to continue processing a person’s data even if that person requests otherwise. After all, GDPR also requires them to protect data against “accidental or unlawful destruction”.
Talk to our archiving experts now to understand the implications of GDPR for YOUR digital archive.
GDPR-compliant archiving: A checklist
That said, even where organisations have valid reasons to archive their web and social media data, users and would-be users of digital archiving solutions should still take steps to ensure their archiving provision is fully compliant with GDPR.
Take the three considerations below, for example:
1. Work with GDPR-compliant suppliers
One of the changes introduced in GDPR is that any third-party suppliers used by an organisation to process personal data on EU citizens - such as cloud software or infrastructure suppliers - are now also liable for data protection compliance, and can be fined or penalised directly for infractions.
However, that’s not to say organisations can wash their hands of GDPR compliance where a third party is used to process personal data. Article 28 of GDPR states they must “use only processors providing sufficient guarantees ... that processing will meet the requirements of this regulation”.
In simple terms: unless an organisation takes care to work only with digital archiving suppliers who are themselves GDPR-compliant, and can demonstrate that compliance to a sufficient standard, their own compliance may be cast in doubt.
Find out about MirrorWeb’s commitment to GDPR compliance here.
2. Keep your web and social media data secure
One of the key principles of GDPR is, of course, protecting personal information against loss or disclosure. Specifically, Article 5 of the regulation states that personal data should be “processed in a manner that ensures appropriate security … including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
While there’s no single prescribed set of technical or organisational measures an organisation needs to implement to comply with GDPR, a good starting point when working with third-party suppliers is to look for compliance with ISO 27001 - an internationally recognised best-practice benchmark for information security management.
3. Uphold your users’ access rights
Finally, in order for an organisation to uphold the full range of new rights for individuals introduced in GDPR - which include the right to access, right to rectification, right to erasure and right to portability - it’s important that any data stored in their archives is easy to retrieve, easy to update (including its metadata), and easy to download in an accessible format.
This can be a complex set of demands where large data sets are concerned, as an extensive digital archive may not be easy to index and search - so organisations should ensure any third-party suppliers they use can provide the right level of functionality in their frontend management portal as well as in the process of archiving itself.
Overall, there’s no doubt that GDPR is complex and presents some unique challenges when it comes to archiving personal data. However, by ensuring you understand your responsibilities and those of your third-party suppliers - and any changes you need to make to uphold them - compliance by the May 25th enforcement date should be entirely possible.
Want to find out more about MirrorWeb’s commitment to GDPR, and how our web and social media archiving solutions are helping our customers comply? Get in touch today for a free consultation.