In general, any organization must have an effective archiving policy in order to have easy and quick access to any desired information. It allows to determine the modalities of storage, access but also deletion of the data once the retention period is over.
How to define an archiving policy?
Like any action plan, an archiving policy involves asking the right questions.
First of all, companies must ask themselves about the needs of the organization.
This means determining the scope of archiving and the volume of data to be archived.
Of course, they must also ask themselves about the medium and format of the data and documents. A so-called hybrid archiving policy, i.e. both physical and digital, can make access to documents more complex in several years. It is therefore necessary to anticipate a possible need to have access to these documents, and to take into account the ability to sort the information.
Hence the importance of classifying these documents and detailing the classification process in order to identify them more easily.
Classifying documents also allows you to determine which information is sensitive, and thus limit access to only authorized people. To determine who is authorized to access the information, it is necessary to take into account both their level of accreditation and the degree of importance of the information.
It is therefore necessary to be fully aware of the notions of protection of information assets and confidentiality management.
It is also essential to be aware of the legal retention periods. Indeed, the organization may be subject to an audit by the administration or to legal action. As such, it must be able to present the requested documents, at the risk of suffering sanctions if it is unable to do so.
Thus, it is necessary to foresee how and when the data will be destroyed.
Compliance with retention periods necessarily entails a significant cost for the organization. It is therefore necessary to find a balance between the cost of storage and the duration of retention, while taking into account the consequences of the possible loss of information.
In order to build a solid and coherent archiving policy, the organization must also provide an archiving framework. This is a guide to good practice that allows companies to classify documents in the right place, detailing the management tools.
This framework includes all documents with a managerial or legal purpose, which must be retained, the archiving media provided, the people, departments or service responsible for archiving and the retention periods that apply to each purpose of treatment and category of data.
When accessing information, authorized individuals only need to follow the classification scheme to find the information they need.
Defining an adequate archiving policy is therefore part of the context of compliance with the GDPR and is part of the obligations of a data controller. It should be noted that retention periods and data security measures are fundamental steps of a compliant data processing.