The archived data – frozen in time. Immutable. Preserved. Unchanging …

until a new data privacy regulation takes effect.

Meeting Data Compliance Regulations

For many years data retention policies focused on the minimum amount of time that data needed to be preserved, but now data privacy regulations across the world are increasingly defining limits on how long companies can store personally identifiable information (PII) and in some cases dictating that the data must be localized to the country of origin. These regulations will not differentiate between production and archived applications, and therefore as part of your archiving operating procedures you must ensure that you are well prepared for meeting current and future regulations.

Firstly, to keep my theoretical lawyers happy – what follows are my random thoughts only. Consult your own friendly lawyers/compliance department before planning to meet PII regulations!

Addressing PII compliance in an archived application will be more complex than a production application. Any utilities that were delivered with the original application will no longer be available, and the business and technical teams that truly understood the application and its data structures will have moved on to new positions. This means that it is critical to include planning for PII regulatory compliance as part of the application retirement process.

Planning for Compliance

To prepare for PII compliance each application being archived must be assessed to determine:

  1. What PII elements are contained in the application?
  2. What countries do the PII elements relate to?
  3. Where does the PII data exist in the application?
  4. How can the PII data be destroyed (purged/obfuscated) without damaging the integrity of the remaining data?
  5. How can the PII data be segmented to meet localization requirements?

This is clearly additional work to perform as part of the retirement process, but it must be done to avoid significant cost in the future. Identifying where in an application PII exists, and developing and testing routines to eliminate that data, requires significant application knowledge and funding, both of which are likely to be in short supply years down the road.

If your company has a comprehensive data governance policy that defines what data an application stores then this discipline should be extended to archived applications as well. This will greatly simplify the process of responding to future PII regulations.

If not, make sure that your archiving process captures the points above and that your documentation for archived applications is reviewed along with production applications each time new PII regulations are addressed.

Purge versus Obfuscate?

Unfortunately there is no right answer. Purging carries the risk of damaging the integrity of the database if not done correctly, whereas obfuscating may not meet all future regulations. Again, ensure that the decisions are made with input from your legal/compliance departments.

What is certain is that obfuscation must be at the database level, not at the reporting layer. PII compliance requires that the data is entirely removed, not simply masked in reports that can be bypassed.

Additionally, obfuscation is not a viable option for attachments that may contain PII. Documents such as resumes/CVs could be delivered in many different file formats, and developing and testing routines to obfuscate each one is impractical. Rule of thumb – purge attachments once PII regulations apply.
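The database-level point above can be checked mechanically. The following is an added example, not part of the original post: it uses an in-memory SQLite archive with a constructed schema (`employee`, `payslip`, `employee_report` and all sample rows are assumptions) to compare a masked reporting view, in-place obfuscation, and a naive purge.

```python
import sqlite3

def build_archive():
    """Constructed sample archive: a parent table holding PII and a child table."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = OFF")  # assumption: archive does not enforce FKs
    db.executescript("""
        CREATE TABLE employee (id INTEGER PRIMARY KEY, full_name TEXT,
                               national_id TEXT, country TEXT);
        CREATE TABLE payslip (id INTEGER PRIMARY KEY,
                              employee_id INTEGER NOT NULL REFERENCES employee(id),
                              period TEXT, gross REAL);
        INSERT INTO employee VALUES (1, 'Alice Example', 'ID-0001', 'DE'),
                                    (2, 'Bob Sample', 'ID-0002', 'US');
        INSERT INTO payslip VALUES (10, 1, '2015-01', 4100.0),
                                   (11, 2, '2015-01', 3900.0);
        -- Reporting-layer masking: the view hides PII, the base table still holds it.
        CREATE VIEW employee_report AS
            SELECT id, 'REDACTED' AS full_name, 'REDACTED' AS national_id, country
            FROM employee;
    """)
    return db

def pii_remaining(db, country):
    """Count base-table rows for a country whose PII columns are still populated."""
    return db.execute(
        "SELECT COUNT(*) FROM employee WHERE country = ? "
        "AND (full_name IS NOT NULL OR national_id IS NOT NULL)",
        (country,)).fetchone()[0]

def obfuscate(db, country):
    """Overwrite PII in the base table (NULL is one possible choice); keys are kept."""
    db.execute("UPDATE employee SET full_name = NULL, national_id = NULL "
               "WHERE country = ?", (country,))
    db.commit()

def purge(db, country):
    """Naive purge: delete parent rows only, leaving dependent rows behind."""
    db.execute("DELETE FROM employee WHERE country = ?", (country,))
    db.commit()

def orphaned_rows(db):
    """Number of rows whose foreign key no longer resolves to a parent row."""
    return len(db.execute("PRAGMA foreign_key_check").fetchall())
```

Running `pii_remaining` against the base tables rather than the report view is the check that distinguishes removal from masking, and `orphaned_rows` is the integrity check to run after any purge routine.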

Localization

Many regulations require data to be localized to the country of data origin. This requirement must be considered when implementing an archiving solution or selecting a SaaS vendor to ensure that the application is capable of segmentation of data. As with the question of data destruction, any tools that the original application offered to support this will not be available, so the capabilities of the archiving platform are critical.

Virtualization

Virtualization is the process of creating a virtual image of an application, its database and their operating systems. This allows for the application to be restored at a later time with the full application functionality … and data. Great from a quick and dirty archiving perspective, but still subject to PII regulations both for data destruction and data localization. In fact the localization challenge may be far greater for a virtualized application than for an application archived to a specialized platform.

Conclusion

Your data privacy obligations do not end once an application is archived, and a strong archiving practice will ensure that PII is documented during the archive process. Your exposure to penalties for having non-compliant archived data could equal the penalties for production applications, and the lack of planning for compliance could/will be considered a sign of bad faith by regulators.