Published at October 27th, 2025 Last updated 7 days ago

Data retention policy

The EU General Data Protection Regulation (GDPR) replaces previous data protection directives and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. GDPR enforcement commences 25 May 2018.

 

Under the GDPR, in the context of a Pure installation, Elsevier acts as a Data Processor and the customer as the Data Controller.

Controllers and processors are required to "implement appropriate technical and organisational measures" to comply with the GDPR, taking into account "the state of the art and the costs of implementation" and "the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals."

To ensure that the Pure application is GDPR-compliant, and to help all customers affected by the GDPR, we have audited all relevant parts of Pure. This audit was conducted thoroughly in liaison with Elsevier's GDPR audit team, and required Pure to pass several stage gates in order to be endorsed as GDPR-compliant.

The outcome of the audit is that the Pure application is fully GDPR-compliant from the 5.11.0 release (released February 2018).

 

Personally identifiable information in Pure

Based on the GDPR audit undertaken, we have created a Personal Data Inventory for all properties and data elements in Pure that can capture Personally Identifiable Information (PII). The Personal Data Inventory also lists suggested retention actions and whether a related business rule is in place for each retention action.

We recommend that all customers affected by GDPR familiarize themselves with the Personal Data Inventory. (If the spreadsheet looks off, try downloading the Excel file rather than viewing it in your browser.)

Data retention actions in Pure

There is no retention policy configured by default, so audit entries will not be pruned unless a retention policy is actively configured.

 

As part of the GDPR requirements we have implemented two configurable data retention actions for audit log entries:

  • Retention action for audit entries related to content that has been deleted
  • Retention action for audit entries related to user actions (logins, failed logins etc.)

Figure: Data retention policy enabled

The configuration can be accessed via the Administrator > Data retention policy tab. 

Hosting - Recommendations for on-premise hosted customers

For customers hosted by Elsevier, the hosting environment will be encrypted and GDPR-compliant before the GDPR comes into force on 25 May 2018.

For on-premise customers we recommend the following to ensure technical GDPR-compliance of your Pure installation:

  • All customer data should be encrypted; this includes the database files and the application server disks that contain Pure logs, index and audit files. We recommend full-disk encryption in order to be future-proof.
  • Access to customer data via the database, the database host or the application server host should use personal credentials and be audit-logged.
  • Configure the data-retention policies in Pure to be in compliance.
  • Ensure that there are no Pure user accounts shared between multiple people or systems.
  • Ensure that there are backup processes in place and that the backups are protected appropriately.
  • Ensure that there are technical measures and processes in place to protect personal data and detect any breach, including notification of the relevant data protection agency within 72 hours of detection.

Elsevier supporter role authentication

We have added a specific authentication mechanism in Pure so Elsevier support personnel are authenticated using their personal credentials and all actions performed on behalf of a customer are logged using the supporter's username instead of the "atira" username.

The "Elsevier AD FS" authentication mechanism authenticates against the Elsevier federated Active Directory, ensuring that only authorized Elsevier support personnel can log in as part of a support flow. Any changes made by Elsevier employees are also audited using personalized credentials instead of the generic support user.

Figure: Elsevier AD FS authentication settings

The authentication mechanism is activated by default. If the Pure installation does not have internet access, or if you deactivate the mechanism, you will need to create support users manually for Elsevier supporters when necessary.