
Avoiding a GDPR horror story

(Image credit: Docstockmedia / Shutterstock)

Halloween is all about being scared. For many businesses this year the biggest fear has arguably been the implementation of the GDPR regulation. Who would be the first business to be caught unprepared? Who would pay the first hefty fine? The ghoulish GDPR applies to all companies and organisations that use or store the personal information of EU citizens, no matter where they store that data – in the EU or outside of it. 

The regulation specifies that any data collected belongs to the individual rather than the company holding the data. This means every individual has the right to access their personal data, to request changes to it, and to have it erased (the right to be forgotten). And if the organisation in question can’t give a legitimate reason why it should be able to keep that data, the individual can ask for it to be deleted immediately – a scary task if you’re unprepared to undertake it.

It’s easy, then, for organisations to find themselves in the midst of a GDPR horror story, particularly if the organisation doesn’t have a clear view of its data and where it is located. So, what are businesses up against, and how can they avoid a GDPR nightmare?

Fines that can kill a business

Arguably one of the more serious consequences facing an organisation for a GDPR breach is the heavy fine. Customers and individuals now have the right to compensation if their data rights are violated, and organisations can only hold information for as long as required. In many cases, to ensure personal data is not compromised, appointing a Data Protection Officer (DPO) may be mandatory.

Any sort of breach of GDPR needs to be reported to the relevant authority within 72 hours of the organisation becoming aware of the issue. If the organisation fails to do so, it could become subject to a penalty fine of as much as €10m or two per cent of its global turnover. Additionally, if a company negligently or intentionally violates GDPR, it can be hit with a fine of up to €20m or four per cent of turnover – the thought alone is terrifying.

The main challenge for companies is interpreting what the new regulations mean to them and understanding what to do to stay in compliance. Knowing what data they’re storing and ensuring there is a legitimate reason for holding it is essential to meeting the regulatory requirements.


This means data needs to be:

  • Processed lawfully, fairly and transparently;
  • Collected for specified, explicit and legitimate purposes;
  • Relevant and limited to what is necessary;
  • Accurate and up to date;
  • Retained for only as long as necessary;
  • Processed in an appropriate manner to maintain security.

Object storage – the silver bullet

Being able to meet all those requirements can seem like an impossible task, but there is one silver bullet that can help ease the strain – object storage. Object storage has already proven itself as a key storage method in hybrid cloud computing and long-term data archiving, and it has a number of capabilities that can provide real advantages when it comes to tackling GDPR:

  • Customisable metadata tags – When it comes to searchability — namely making information easy to find — traditional file systems only let companies view limited metadata on a file, such as who the owner is or the date it was created. In the flat structure of object storage, each object has a ‘unique identifier’ and can carry its own tags – essentially labels that can be used to find information via a Google-like search. There is no practical limit on the number of tags, so locating the data behind an access or erasure request is quick and easy.
  • Scalability – Consolidated data is easier to search and therefore check for any duplicate records. The limitless capacity of object storage makes it feasible to consolidate data across multiple platforms, including clouds, into a single, searchable pool. As a result, an organisation can expand without disruption and remain confident that its data is easily locatable should it need to prove compliance with GDPR.
  • Data protection – Most object storage solutions have configurable data protection that lets organisations select the durability they need. For example, customers may choose on-site protection or replicate across sites for disaster recovery purposes, all on a single management screen with no additional software to buy. With data protection features such as erasure coding, replication and multi-tenancy (to segregate users and groups), organisations are able to ensure data can still be retrieved no matter what.
  • Geo-location – Where data is physically located matters. Many governments require that certain data types either remain on-premises or within geographic boundaries. Object storage offers a unique solution: a single storage system that can span multiple locations but hold data at a specific location within that system. That’s important because all data is searchable within that single system and one can still meet local compliance requirements. And all this can be accomplished on a standard system, with no add-on management software.
  • Compatibility with backup solutions – Many popular backup solutions work with object storage. That fact, combined with object storage’s limitless scale, means it’s possible to back up all servers and storage to a single, searchable pool. 
  • Lower costs – Object storage platforms can provide up to 70 per cent lower total cost of ownership (TCO) than existing file storage. They can also reduce management overhead by 95 per cent and deliver a 30 per cent reduction in power/space/cooling.

In addition, developers view object storage favourably because it employs the same communication protocol that is used to communicate with cloud storage – the S3 API. This API is recognised as a simple, effective and very reliable way to address storage, which has led to it being widely accepted as the de facto standard API for both cloud computing and hybrid cloud computing when employing an on-premises solution such as object storage.
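To make the metadata-tag and S3 API points above concrete, here is an added example (not code from the article or from Cloudian) of an in-memory model of S3-style user metadata being used to answer a subject access request and an erasure request, where an object whose tagged retention basis has not yet expired is reported back rather than deleted. The tag names subject-id, legal-basis and retain-until, the object keys and the sample records are all constructed assumptions.

```python
# Minimal model of S3-style user metadata ("x-amz-meta-*" keys) used to
# service GDPR access and erasure requests. Tag names and sample data are
# constructed for this example; they are not a standard or a vendor API.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class StoredObject:
    key: str
    data: bytes
    metadata: dict = field(default_factory=dict)  # user-defined metadata tags


class ObjectStore:
    def __init__(self):
        self._objects = {}

    def put(self, key, data, **meta):
        # Mirror the S3 convention: user metadata is stored under x-amz-meta-<name>.
        tags = {f"x-amz-meta-{k.replace('_', '-')}": v for k, v in meta.items()}
        self._objects[key] = StoredObject(key, data, tags)

    def find_by_tag(self, tag, value):
        # A flat, tag-based search: no directory tree to walk.
        return [o.key for o in self._objects.values()
                if o.metadata.get(f"x-amz-meta-{tag}") == value]

    def subject_access(self, subject_id):
        """Right of access: every object tagged with this data subject."""
        return self.find_by_tag("subject-id", subject_id)

    def erase_subject(self, subject_id, today):
        """Right to erasure: delete unless a tagged retention basis still applies."""
        deleted, retained = [], []
        for key in self.subject_access(subject_id):  # snapshot, safe to delete during loop
            meta = self._objects[key].metadata
            retain_until = meta.get("x-amz-meta-retain-until")
            if retain_until and date.fromisoformat(retain_until) > today:
                retained.append((key, meta.get("x-amz-meta-legal-basis", "unspecified")))
            else:
                del self._objects[key]
                deleted.append(key)
        return deleted, retained


def demo(today=date(2018, 10, 31)):
    # Constructed sample records: a consent-based CRM entry and an invoice
    # that must be kept for a legal obligation until the tagged date.
    store = ObjectStore()
    store.put("crm/contact-1001.json", b"{}", subject_id="u-1001", legal_basis="consent")
    store.put("finance/invoice-2017-88.pdf", b"%PDF", subject_id="u-1001",
              legal_basis="legal-obligation", retain_until="2024-12-31")
    store.put("crm/contact-2002.json", b"{}", subject_id="u-2002", legal_basis="consent")
    before = store.subject_access("u-1001")
    deleted, retained = store.erase_subject("u-1001", today)
    return before, deleted, retained, store.subject_access("u-2002")
```

Running demo() returns the two objects found for u-1001, the one that was deleted, the invoice that was retained together with its legal basis, and confirms u-2002's data was untouched.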

At the end of the day, it’s not an easy task for organisations to meet the many rules of GDPR compliance, but the hard and chilling fact is that there is no choice. It is vitally important that organisations and businesses make sure their data is protected, available and searchable, so they can enjoy a Halloween of treats rather than tricks.

Neil Stobart, Vice President, Global Systems Engineering, Cloudian