Since the European Union’s General Data Protection Regulation (GDPR) came into force on Friday 25 May 2018, EU citizens, or data subjects, have more control over how organisations handle their personal data. The aim of the legislation is to provide greater protection and rights for individuals, ensuring transparency about data use and adherence to strict security measures and controls in order to properly protect it.
GDPR is not just a legislative exercise, and IT teams shouldn’t assume that its implementation can be left to their legal departments. In fact, GDPR clearly specifies the rules and processes that organisations that collect EU residents’ data must put in place, and follow, to be compliant.
The GDPR headline changes
The daily gathering, processing, and exchange of personal information provides precious intelligence to businesses and public-sector organisations. While this data becomes increasingly valuable, particularly as more and more is collected, the various IT failures or data leaks that often make the headlines illustrate how difficult it is to deliver 100% data protection while ensuring it remains easily available to those who need it. GDPR therefore attempts to enforce a stronger regulatory framework for firms handling data, in order to minimise the possibilities of failures or abusive use of personal information.
The impacts of GDPR can be summarised in three main areas. To begin with, GDPR simplifies the regulatory framework, harmonising it across Europe. Instead of having to comply with 28 different sets of rules across the continent (ignoring Brexit for now), organisations will need to follow a single regulation throughout the region.
Secondly, GDPR represents an opportunity for these organisations to review their data flow. It’s a much-needed chance for many to tidy up and streamline their approach. Because the new laws demand a top-down approach with board-level support, GDPR will force organisations to decide if all of the data they are collecting needs to be saved and kept, or if it can simply be deleted.
Finally, the regulation demands all organisations meet a minimum level of data security, recommending techniques such as encryption, anonymisation, and pseudonymisation.
Organisations that will have to comply with GDPR
GDPR applies to all organisations that offer free or paid goods or services to EU residents, or data subjects. It also covers companies that have a physical presence within Europe.
The obligations will vary depending on the exact role of the organisation handling the data (data controller or data manager), but both will need to know where the EU resident’s data is stored, understand how that data is processed, and start prioritising privacy and data protection. Those that don’t comply with GDPR will face heavy fines, which could be as much as 4% of worldwide annual turnover or €20 million, whichever is higher.
In order for GDPR to have the biggest impact, the regulation has a broad definition of what constitutes personal data. This goes as far as including private IP addresses, Internet of Things (IoT) information, or even a person’s favourite colour.
How GDPR will impact the IT sector
The IT sector must adjust to many fundamental changes as a result of GDPR, such as data protection by design. This concept places data protection at the heart of any action that requires the processing of personal data. In other words, organisations will have an obligation to implement technical and organisational measures that demonstrate they have considered and integrated data protection into their processing activities.
Individuals will also have rights to information, data access, rectification, objection, and to be forgotten. This means they will be able to access and rectify their data, as well as block its circulation. Another major feature is data transfer and portability: GDPR entitles customers to obtain a copy of their data for their own purposes.
GDPR also re-writes an aspect of the existing legal framework by giving a stricter definition of consent to help ensure that a customer’s data remains their own. Consent to collect data will now have to be given in a far more explicit manner, so for example, pre-selected boxes on forms are no longer allowed.
As already explained, GDPR is not solely a legislative exercise; it has a direct impact on backup, archive, and disaster recovery (DR).
The practical side of GDPR
Data managers overseeing backup, archive, and disaster recovery all know that GDPR has a big impact on their day-to-day activities.
The legislation gives customers the right to be removed from the records of companies even if they have previously agreed to the collection and storage of their data. It’s called the ‘right to be forgotten’ and could be a potential stumbling block, as organisations keep backup copies of their data. A request to have personal data removed technically means that it should be removed from all copies, including the cloud or tape kept off-site in deep storage. Having to do this each time a request comes in, however, has been deemed excessive by those overseeing GDPR due to the logistical challenges it would throw up.
Below is Quantum’s recommendation on how to complete a removal request:
To keep on the right side of the legislation in this instance, organisations will have to clearly explain to the data subject that his or her data has been removed from production systems, but that a secure backup copy remains and that it will be removed after a certain amount of time. While the information still exists, it’s no longer active or accessible to anyone else.
As many organisations use backup archives to protect themselves from malware, hackers are now switching their attention to disabling encrypted backup files before they go after the main systems.
This is why tape has emerged as the best solution to protect data against cyberattacks. It can serve as plan C, in addition to plan B, which is standard disk-based backup (often with deduplication). The beauty of tape is that it guards data from online viruses while still being compliant with GDPR.
Disaster recovery is a must-have when it comes to protecting data, but it still needs to comply with GDPR, as outlined in article 32 of the legislation. This states that the appropriate technical and organisational measures must be taken to ensure a level of security appropriate to the risk. DR facilities, therefore, will also need to be GDPR-compliant as providers may be considered a ‘data processor,’ and could otherwise be open to prosecution.
Organisations should be careful how they implement encryption. There are already examples of data being “blindly” encrypted in the belief that it will be a quick fix for compliance. However, that’s a mistake, or at least a risk. Encrypting data at the source instead of letting the storage encrypt it can have a massive impact on the infrastructure. If the data is encrypted before it reaches the backup target, it can’t be deduplicated, so additional storage would be needed to hold data and backups. Because of this, it’s better to let the backup target encrypt data so users can still benefit from dedupe.
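The following added example (not Quantum’s code or part of the original article) illustrates why source-side encryption defeats deduplication. It simulates three nightly backups of the same dataset where only one 4 KiB block changes per night, and feeds them to a fixed-size-chunk, fingerprint-based dedup store twice: once as plaintext (the target deduplicates and would then encrypt at rest) and once after each run has been encrypted at the source with a fresh IV. The cipher is a hypothetical SHA-256 keystream construction used only to avoid an external dependency; any real cipher with a fresh IV per run behaves the same way for this purpose, and the sample data is constructed.

```python
import hashlib
import os
from typing import Dict, List

CHUNK_SIZE = 4096  # fixed-size chunking, as used by simple dedup appliances


def chunk_fingerprints(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[str]:
    """Split data into fixed-size chunks and return each chunk's SHA-256 fingerprint."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def dedup_stats(backups: List[bytes]) -> Dict[str, float]:
    """Simulate a deduplicating backup target: a chunk is stored once, no matter
    how many backup runs contain it. Returns logical vs. physical chunk counts."""
    store = set()
    logical = 0
    unique = 0
    for run in backups:
        for fp in chunk_fingerprints(run):
            logical += 1
            if fp not in store:
                store.add(fp)
                unique += 1
    return {"logical_chunks": logical, "unique_chunks": unique,
            "ratio": logical / unique if unique else 0.0}


def toy_stream_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Hypothetical stand-in for a source-side CTR-mode cipher (demo only, not a
    real cipher): keystream block i = SHA256(key || iv || i), XORed over 32-byte
    blocks. A fresh IV per run means identical plaintext never repeats as
    identical ciphertext, which is exactly what a fingerprint-based dedup
    store needs in order to match chunks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + iv + i.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], keystream))
    return bytes(out)


def build_backup_runs(n_chunks: int = 64) -> List[bytes]:
    """Constructed sample: three nightly backups of one dataset; one 4 KiB
    block is edited between consecutive nights, everything else is unchanged."""
    reps = CHUNK_SIZE // 32
    day1 = [hashlib.sha256(b"block-%d" % i).digest() * reps for i in range(n_chunks)]
    day2 = list(day1)
    day2[5] = hashlib.sha256(b"edited-on-day2").digest() * reps
    day3 = list(day2)
    day3[10] = hashlib.sha256(b"edited-on-day3").digest() * reps
    return [b"".join(day) for day in (day1, day2, day3)]


def compare(n_chunks: int = 64):
    """Return (stats with target-side encryption, stats with source-side encryption)."""
    runs = build_backup_runs(n_chunks)
    key = hashlib.sha256(b"constructed demo key").digest()
    # Target-side: plaintext reaches the appliance, it deduplicates, then encrypts at rest.
    target_side = dedup_stats(runs)
    # Source-side: every run is encrypted with a fresh IV before it leaves the host.
    encrypted_runs = [toy_stream_encrypt(key, os.urandom(16), r) for r in runs]
    source_side = dedup_stats(encrypted_runs)
    return target_side, source_side


if __name__ == "__main__":
    target_side, source_side = compare()
    print("target-side encryption:", target_side)   # 192 logical, 66 unique, ~2.9x
    print("source-side encryption:", source_side)   # 192 logical, 192 unique, 1.0x
```

With 64 blocks and one edit per night the plaintext store holds 66 unique chunks for 192 logical ones (roughly 2.9:1), while the source-encrypted runs share nothing and the store grows to the full 192 chunks, i.e. three complete copies. The only way to recover dedup after source-side encryption would be to reuse keys and IVs across runs, which is not an acceptable option, so the practical answer is the one the article gives: deduplicate first, then encrypt at the backup target.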
A new era
GDPR is a landmark piece of legislation in favour of EU residents, and its impact is widespread. It forces data centres and organisations that handle data to take prompt action when asked to, and to place increased importance on keeping personal data secure. Without adequate planning and a clear understanding of how to remain compliant, the legislation is unforgiving and the fines heavy.
Eric Bassier, Senior Director of Product Management and Product Marketing at Quantum