Who is responsible after system shutdown?
By Emanuel Böminghaus, Legacy Systems Expert and Managing Director, AvenDATA
By Emanuel Böminghaus
Legacy Systems Expert and
Managing Director, AvenDATA
Managing Director, AvenDATA
Shutting down a legacy system is often seen as a technical milestone projects are marked as complete, interfaces are disconnected and servers are turned off. But what remains is the data. And with it, a critical question: who is responsible for this information once the original system no longer exists?
In practice, uncertainty frequently arises after decommissioning. IT departments no longer consider themselves responsible, business units lose access, data protection officers call for deletion, while compliance teams demand continued retention. This conflict can only be resolved if responsibilities are clearly defined early on and documented unambiguously.
Responsibility doesn’t End with System Shutdown
Even after a legacy system is technically decommissioned, the associated data remains relevant legally, operationally and organizationally. Business records, transactions, contracts and employee data are still subject to retention requirements, data protection regulations and potential audits. In short: the responsibility for this data shifts, but it doesn’t disappear.
A common misconception is that shutting down the system automatically transfers responsibility to IT or that IT’s role ends there. In reality, multiple stakeholders are involved, each with different perspectives and responsibilities.
The Role of an IT
IT is typically responsible for the technical aspects safely shutting down infrastructure, migrating or archiving data and managing access. Providing an archiving solution often falls within their scope. However, IT is not accountable for evaluating the content or its legal relevance. Their role is technical, not regulatory or business specific.
Responsibility of Business Departments
Business departments are responsible for the creation, use and interpretation of data even after a legacy system is shut down. They understand which data is relevant, what needs to be retained and what can be deleted. That’s why they must be actively involved in the archiving process, especially when defining data scope, access rights and retention periods.
After archiving, the responsibility for the content remains with the respective department, even if access is read-only. If this responsibility isn’t clearly assigned, it can lead to gaps particularly during audits or internal reviews.
Data Protection and Deletion Obligations
The data protection officer is responsible for ensuring compliance with storage limitations and the rights of individuals. Even after archiving, it must be guaranteed that personal data from legacy systems is not stored indefinitely and can be deleted or anonymized once retention periods expire.
This requires coordinated deletion policies and clearly defined responsibilities especially when deciding which data should be archived and which should be removed. Data protection responsibility typically lies with the business department, in consultation with the data protection officer not with IT.
Compliance, Audits and Legal Responsibility
Compliance and legal departments have a significant interest in ensuring that archived data from legacy systems remains complete, unchanged and accessible in the long term. They are accountable to regulators, auditors, and courts, and must be able to demonstrate the integrity and availability of historical information at all times. Reliable access to historical data is essential, especially in connection with financially relevant documents, regulatory audits or possible legal disputes.
To meet these requirements, compliance teams must work closely with IT and business departments to ensure compliance with all applicable legal, regulatory, and industry requirements. Ultimately, managing directors or board members can be held personally liable for violations of compliance requirements even many years after a system has been shut down.
Conclusion: Clear Responsibilities Prevent Costly Mistakes
Responsibility for data doesn’t end when a legacy system is shut down. It spans across IT, business departments, data protection and compliance and must be clearly defined. Without clear role assignments organizations risk regulatory violations, data loss and internal confusion.
Archiving is not just a technical task it’s a cross functional project. Only through clearly assigned responsibilities, coordinated processes and transparent documentation can organizations ensure that legacy data is handled properly securely, legally and reliably.
Planning to archive a legacy system?