Due to GDPR regulations, we are not allowed to retain collected data longer than necessary. To comply with these regulations, you can now define retention periods for specific data in Spend Cloud. In this article, we will explain step by step how to configure and use the 'Data Retention' functionality.
There are three options for Data Retention within the permissions in Spend Cloud. An administrator can assign these permissions to a permission set by navigating to Application Management / Organization / Permissions.
- View
When 'View' is assigned, the user has access to the overview and can view all data.
- Edit
When 'Edit' is assigned, the user can modify the retention periods.
- Review
Once a rule has been edited, it must be reviewed by another user. Users with the 'Review' permission have the ability to review the rules and thereby activate or terminate the set retention period.
Once the retention date has passed and the data is deleted, this data cannot be restored. Therefore, exercise with caution when granting edit and review permissions.
Viewing Retention Periods
You can access the data retention overview by navigating to: Application Management / General / House keeping.
Upon opening this overview, you immediately see all retention periods. The details are organized by modules and subitems. This provides a structured overview of all retention periods. For now, only the 'Emails' section within Invoice Processing is available. The set retention period for this item applies to all emails sent within the Invoice Processing module. When the retention period expires, these emails will be deleted from Spend Cloud. Over time, retention periods will become available for multiple modules and subitems.
Image 2: Data Retention - Show
For example, you can choose a retention period of 7 years.
Activation
By default, all rules are deactivated, so we will never delete data without review. To activate a retention period, we have implemented a workflow. After a user has modified the data, another user (with the appropriate rights) must then review these changes. This ensures that data is not deleted "accidentally."
You can activate a data retention rule by navigating to the editing page. This page is accessible by clicking the "Edit" button in the upper left corner of the overview.
Setting the Period
To activate a retention period, you must first enable the period on the editing page. You can do this by clicking "Yes" in the "Enabled" field. Only when "Yes" is selected will the drop-down list for "Retention Period" become active.
Using the dropdown fields, you can specify the retention period. For example, if you select "2 years," Spend Cloud will delete all emails older than two years. When you click the "Save" button, the details will be sent to the relevant reviewers. They must then review and approve or reject the changes.
Image 3: Data Retention - Edit
The following data cannot be modified on the editing page:
Status
This value indicates the status of a rule. The default status is "Inactive." When the retention period is updated, the status changes to "To Review." If the retention period is approved, the status changes to "Active."
Created
This field shows the date, time, and user who initially set the retention period.
Modified
This field shows the date, time, and user who edited or reviewed the data retention rule (all changes after the initial update).
To update the retention period, a different reviewer must be involved than the user who updated the rule. If no reviewer is available, the rule cannot be edited. Rules cannot be updated if they are awaiting review (status = "To Review"). This also applies to the other rules within the module. If you want to deactivate an activated rule, you must select "No" in the "Enabled" field. After saving the rule, the change must still be reviewed, and after approval, Spend Cloud will stop deleting the data.
Assess
The assess overview is accessible by clicking the "Assess" button in the upper left corner of the display page. This button is only active if the user has review rights and when data is actually up for review.
In the assess overview, two options are available:
Click on the "Show" icon. This navigates you to the display page.
Click on the "Assess" icon. This navigates you to the review page.
Image 4: Data Retention - Review
The assessor is responsible for checking the information within the data retention rules. After the review is performed, the assessor can use the yellow marker to indicate whether the rule can be approved, disapproved, or put on hold. If "Disapprove" or "On Hold" is selected, a remark must be provided for the chosen action.
When the rule is disapproved, Spend Cloud will not delete the data from the rule. The rule now has the "Inactive" status and can potentially be edited to set a different retention period. If you want to verify the data with management or the board first, you can put the rule "On Hold." The status changes to "On Hold." Spend Cloud will not delete data yet, even if the specified date has passed. Data will only be deleted once the rule is approved.
If you find no issues with the rule, select "Approve." The status of the rule changes to "Active." After the retention period expires, Spend Cloud will begin deleting the data.
After the specified retention period expires, Spend Cloud will only delete data under the following conditions:
- "Enabled" is set to "Yes."
- The retention period is approved.
- The status of the rule is "Active."
The user who set the retention period cannot review the rule (the review button is inactive). The review must always be done by a different user than the one who created the rule.
Workflow History
At the bottom of the rule, the workflow history is visible. This overview shows information about changes in the rule, such as:
- Status changes
- Approval
- Rejection
- On Hold
- This includes details about the status, offered to, sent by, date, and comments.
Mutation Overview
The mutation overview is accessible by clicking the "Mutation Overview" button in the upper left corner of the display page. This overview provides all historical changes within "Data Retention" (update and review values). This overview shows when the changes occurred and what the changes were.
Image 5: Mutation Overview