Document Lifecycle Management

How Document Lifecycle Management supports you in implementing the EU-DSGVO (GDPR)

The essentials in brief

What does Document Lifecycle Management (DLM) mean?

The idea of "document lifecycle" or "lifecycle management" was developed in the very early 1930s in the United States. The document lifecycle consists of the stages a record goes through from creation to archiving or deletion. The business requirements for effective information management change at each lifecycle stage of a document. A document management system must therefore support each phase.

It begins with the capture or creation of a document, i.e. the entry into the DMS or ECM system. The subsequent phase of processing, for example within the framework of a workflow, is followed by archiving. The archived document is then available for research purposes and for further use. Modern DMS or ECM solutions make the archived documents available in a central, fully searchable database so that they can be called up at any time in a matter of seconds.

Although electronic storage or archiving is the longest phase in the document lifecycle, it is also limited. The minimum service life of documents is determined by statutory retention requirements. However, for many documents, especially those containing personal data, there is also a time limit within which they must be deleted. With the help of a DLM, the deletion of documents can take place automatically and in compliance with the law.

At the end of May 2018, the EU General Data Protection Regulation came into force. The rules for the protection of personal data laid down therein must be implemented by all companies. In many areas, bitfarm-Archiv document management (open source) can help to implement the requirements of the EU Data Protection Regulation.

Diagram of the DLM

Limited information use

bitfarm-Archiv DMS provides a comprehensive authorization concept for access to documents as well as metadata. This means that only those persons who need documents and information for their work have access to them. The assignment of authorizations is controlled centrally. These can be documented at any time (e.g. as part of the data processing directory) in the form of a report. The requirements "Privacy by design" & "Privacy by default" of the EU-DSGVO are met.

Documentation

Each data record in the document management system has a history function. If required, it can be tracked and documented at any time by whom, when and in what form information was used. The duty to provide information prescribed in the EU-DSGVO can thus be fulfilled on request. Important in this context: each physical user must be assigned a unique user account in the DMS, and collective accounts ("warehouses") must be dispensed with.

Protection of personal data

The theft of personal data is not only an unfortunate incident but also a financial risk for the company. If personal data is stolen, a comprehensive obligation to provide information applies toward all data subjects - actively and not only upon request. With bitfarm-Archiv DMS, however, it is possible to store documents and metadata encrypted on the server. If an attacker succeeds in accessing this data, it is not considered stolen according to the EU-DSGVO - the active obligation to provide information no longer applies.

Compliance with deletion deadlines

Deadlines for the deletion of personal data did not first arise with the EU-DSGVO. bitfarm-Archiv DMS derives these automatically from the document classes, which act as deletion classes with automatic assignment of the deletion date. Alternatively, the status within an editing process defines the deletion date individually, depending on the editing status. Here, too, automated rules apply, which are created in the DMS for the various documents and data that contain personal references. The report function for all deletion rules, which is available at any time, simplifies the maintenance of the process directory considerably. Moreover, deletion periods are now clearly defined for all documents and processes - one of the core requirements of the EU-DSGVO can be implemented efficiently and in a documentable way.

Automatically on the safe side

The core task of a document management system or electronic archiving is not only the secure storage of documents, but also their timely deletion.

Assigning the correct deletion date to every document and every record is not an easy matter. The scenarios, conditions and legal regulations that influence these deadlines are diverse.

For instance, even a simple justification of an operational interest in a document can be sufficient to allow it to be stored for much longer than is actually intended for this type of document.

This might be the case, for example, as part of an application process. Legislation stipulates that the application documents of rejected applicants must be deleted within a period of three months.

If you want to return to a particular applicant at a later date, you still have the option of manually extending the deletion period for his or her documents. However, this requires the applicant's consent.

The Enterprise version of bitfarm-Archiv offers a comprehensive Document Lifecycle Management (DLM) to meet and document the legally required deletion deadlines for different document classes. The deletion periods can either be linked to the document class or to the specific workflow of business processes, i.e. they can be configured precisely for each scenario.

A user with administrative authorizations can intervene manually in the automated process at any time. A report function also documents all settings and facilitates the creation of the legally required documents (directory of processing activities).

Document lifecycle management in practice

Setting up the deletion date

A document management system regulates the retention periods of all electronic documents and automatically ensures their deletion when they are no longer needed.

In order for this to succeed, it is first necessary to define the lifecycle of documents in the DMS. Some documents may be kept for any length of time, while others - especially those containing personal data - must be deleted at a certain point in time. Several factors need to be considered here. On the one hand, legal retention periods apply, and on the other hand, operational requirements define the time of deletion. 

In the relevant specialist committees, the customer defines these requirements together with a data protection officer. The administrator of the DMS can then configure them.

In the simplest case, deletion periods are governed by document type. For commercial documents such as invoices, the legal retention period of 10 years applies. For building plans, on the other hand, the retention period is 30 years. Company formation documents should not be deleted at all.

DLM Active Elements

The administrator can set the deletion period appropriately for each archive and document class. The DMS assigns the deletion date at the moment a new document is archived.

In the Viewer, i.e. in the "Storage and Archives" area, the "Standard" tab shows for each document when the deletion date is reached. Appropriately authorized users can intervene manually. Clearing the deletion date stops the automatic deletion. The predefined deletion deadline can also be restored for documents via the "Tools" menu.

Information about which documents are soon due for deletion is provided to the administrator via preconfigured bookmarks. It also shows which documents have already exceeded the normal retention period of the archive.

Archive Deletion date

Combining Workflows with the DLM

In many cases, however, the retention period of a document is also based on operational processes and cannot be defined in advance in a blanket manner.

Example: In human resources, applications for an advertised position are collected in the DMS. After expiration of the deadline, presentation and evaluation of the applicants, the decision is made in favor of a new employee. His or her application is now to be retained for as long as he or she works for the company. The other applications must be deleted within a reasonable period of time.

This is where the coupling of the DLM with the workflow of a DMS comes in. In bitfarm-Archiv, status buttons are used to indicate the processing state of a document.

The administrator can use the button "DLM active elements" to provide each status button and many additional fields with functions to set the deletion period.

Deletion date

Here we set a deletion period of four weeks for the status "rejected". The status "hired", on the other hand, clears the deletion date. Another button, "talent", should also clear the deletion date.

Back to the applications that are still waiting to be processed. Setting the correct status is part of the processing and is done either directly by the decision maker or the relevant department, depending on the workflow. If an application has been accepted and the applicant has been hired, the status "hired" means that no deletion deadline is set.

Other applicants were rejected. Setting the corresponding status here causes the automatic deletion of the applications in 4 weeks. One applicant had to be rejected for the moment, but might be interesting for the company again in the future. Therefore, the HR department wants to keep his application and sets the status "talent". Although "rejected" is also active, the deletion is suspended because "talent" has the higher priority.

Certainly a simplified scenario. Nevertheless, it shows how the deletion periods can be precisely controlled depending on the respective company process. The settings made in the various areas enforce compliance with data protection regulations. 
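The class-based periods and the status rules with priority described in this section can be expressed as a small rule evaluator. This is an added example, not bitfarm-Archiv code or its configuration format; the data model, the priority numbers, the status-only "application" class and all function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Class-based periods from the text; None means "never delete automatically".
# The "application" entry is an assumption: its date is driven by status only.
CLASS_RETENTION_YEARS = {"invoice": 10, "building_plan": 30,
                         "company_formation": None, "application": None}

# status -> (priority, period); a period of None clears the deletion date.
# Priority numbers are assumed; the text only says "talent" outranks "rejected".
STATUS_RULES = {"rejected": (1, timedelta(weeks=4)),
                "hired": (2, None),
                "talent": (2, None)}

@dataclass
class Document:
    doc_id: str
    doc_class: str
    archived_on: date
    statuses: dict = field(default_factory=dict)  # status name -> date it was set

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # archived on 29 February, target year is not a leap year
        return d.replace(year=d.year + years, day=28)

def deletion_date(doc: Document) -> Optional[date]:
    """Return the effective deletion date, or None if deletion is suspended."""
    # An unknown class raises KeyError instead of silently keeping data forever.
    years = CLASS_RETENTION_YEARS[doc.doc_class]
    active = [(STATUS_RULES[s], set_on) for s, set_on in doc.statuses.items()
              if s in STATUS_RULES]
    if active:
        # The highest-priority active status decides the outcome.
        (_, period), set_on = max(active, key=lambda a: a[0][0])
        return None if period is None else set_on + period
    return None if years is None else add_years(doc.archived_on, years)

def due_for_deletion(docs, today: date) -> list:
    """IDs of documents whose deletion date has been reached."""
    return [d.doc_id for d in docs
            if (when := deletion_date(d)) is not None and when <= today]
```
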

For companies above a certain size, there is a comprehensive documentation obligation regarding the handling of personal data. bitfarm-Archiv makes a valuable contribution here with the report of effective document retention periods, which can be created at any time at the push of a button. The creation and ongoing maintenance of the register of processing activities becomes - with regard to the DMS - child's play. Are you interested in a video demonstration of the topic? We gladly invite you to our YouTube series (please enable English subtitles).