The GDPR took effect over a year ago. In its first 12 months, the European Commission demonstrated strong yet measured implementation, with fines totalling over €56 million hitting 91 companies, including €50 million against a single organisation. A significant amount, yet a fraction of the full 4 per cent of companies’ total global revenue they could have levied – a difference of billions.
While it has, no doubt, continued to command its share of headlines, exactly what it is still remains misunderstood by many. In this article, we'll dial in on some core tenets of the GDPR, how it's being enforced, and what you can do as a system administrator to improve compliance.
The GDPR says the subject of the data gets to decide which personal data companies can store. And before making such a decision, the subject should know why the company needs it, what they're going to do with it, and should be certain it will be stored properly. Among other things, "properly" storing personal data means you will ensure only those who need to see it will be able to see it, and that they will only be able to see it when needed.
Many feel the GDPR simply codified what most would already consider industry best practice, and a good number of its requirements do indeed fall into the realm of system and database administration. There are five distinct ways that admins can help ensure their companies have properly complied with the GDPR. Let's take a look.
Only those who need access to a given data set should be given that access. For example, a doctor should have access to their patient's medical records, but that does not mean all doctors should have access to all patients’ medical records. Of course, anyone without a medical reason to have access to a patient's medical records should not have that access.
System and database administrators can help their companies be more compliant by reviewing who has access to different data types and making sure only those who need access have it.
Once you ensure that only the appropriate people have access, make sure you have a process for deactivating accounts when they are no longer needed. Human resources and those dealing with contractors should have a process for notifying the appropriate team when an individual's or group's access should be revoked. In addition, there should be some sort of periodic review to make sure that no one has fallen through the cracks.
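As an added example (not code from the article or from Druva), here is the kind of periodic review just described, reconciling a constructed HR roster against a constructed list of data-set grants: it flags accounts of departed users, grants that fall outside a role's need to know, and grants that have gone unused. The user names, roles and the NEED_TO_KNOW policy are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Person:
    user: str
    role: str
    active: bool  # HR view: still employed or still under contract

@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    last_used: "date | None"  # None: never used since the grant was made

# Constructed need-to-know policy: which roles have a business reason to see
# each data set; any data set not listed is denied to every role.
NEED_TO_KNOW = {"patient_records": {"doctor", "nurse"}, "billing": {"finance"}}

def review_access(roster, grants, today, stale_days=90):
    """Return (finding, user, dataset) tuples: departed users still holding
    access, grants no role justifies, and grants unused for > stale_days."""
    people = {p.user: p for p in roster}
    findings = []
    for g in grants:
        person = people.get(g.user)
        if person is None or not person.active:
            findings.append(("revoke_departed", g.user, g.dataset))
        elif person.role not in NEED_TO_KNOW.get(g.dataset, set()):
            findings.append(("no_business_need", g.user, g.dataset))
        elif g.last_used is None or (today - g.last_used).days > stale_days:
            findings.append(("stale_unused", g.user, g.dataset))
    return findings

# Constructed sample data for one quarterly review.
ROSTER = [
    Person("dr_ames", "doctor", True),
    Person("j_clerk", "finance", True),
    Person("t_contractor", "nurse", False),  # contract ended, HR flagged it
]
GRANTS = [
    Grant("dr_ames", "patient_records", date(2019, 6, 1)),      # legitimate, in use
    Grant("j_clerk", "patient_records", date(2019, 5, 20)),     # no medical reason
    Grant("t_contractor", "patient_records", date(2019, 4, 3)), # departed
    Grant("j_clerk", "billing", None),                          # justified, never used
    Grant("ghost_user", "billing", None),                       # no HR record at all
]

def sample_review():
    return review_access(ROSTER, GRANTS, today=date(2019, 6, 15))
```

Each finding maps to an action: revoke on departure, remove grants with no business need, and ask the owner to justify or drop grants nobody has used.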
Separation of powers
The more powers a system or database administrator has, the greater the "blast radius" if they do something wrong. This is why it is a very good idea to use role-based administration to separate various powers. For example, one administrator might be able to configure new backups and run them, but not have the ability to delete old backup configurations or old backups. Perhaps the ability to do restores is limited to only a few people. The more you can separate powers, the safer your data will be overall, and the safer personal data will be.
Encryption is strongly encouraged
In addition to having a solid intrusion detection and prevention system, you should consider using encryption for data at rest in case the system is ever circumvented. If a bad actor ever gains access to the data they are not supposed to receive, encryption makes it a nonissue. It should be considered for all personal data.
Backups are not optional
Backups should not be optional anywhere in the data centre, but when it comes to personal data and the GDPR, part of the regulation says that such data should be protected from erasure. The only way to properly do this is to make sure you have a good backup and recovery system.
Right to access and erasure
One of the most controversial aspects of the GDPR is an individual's right to ask that their personal information be deleted if a company has no valid business reason to keep it. But it does not appear that any companies have been fined as a result of an inability to comply with such a request. When it does happen, though, the commission's history of fines in other areas suggests the severity will depend on how the company attempted to comply with the request. Did it completely ignore the idea of the right to be forgotten, or is it simply unable to comply due to limitations of the technology being used? We still don't know how the commission is going to handle such a situation, and only time will tell what it's going to do in this scenario.
Therefore, as a data subject can ask to see all personal data you hold about them, and can revoke the right to store that data at any time, a system should be in place to identify every place where personal data is stored, so that it is possible to comply with either of these requests. A concerned system administrator should also monitor how the GDPR decides these tenets apply (or not) to secondary copies such as snapshots and backups.
A good start
This article offers a high-level overview of a significantly more complex and nuanced regulatory framework. That said, the core areas covered are highly relevant starting points. Make sure you have a good backup, and only those who need access have access. Start there, and you’re on the right track. To get a broader handle on the GDPR, download The GDPR Compliance Guide for Business.
End of an era
For long-term compliance with GDPR, it is essential for a business to be able to successfully track data as it spreads so that the data can be protected and adequate records of where customer data is stored can be compiled. Cloud-based services can help an organisation build these records and automatically keep them up to date, whereas internal platforms cannot.
In the coming years, companies must take the core tenets of the GDPR more seriously than ever before, with robust, secure data governance at the foundation of virtually every aspect of business. Data governance in direct compliance with the GDPR is no longer an area where companies can come "close," or "work towards." The era of leniency will soon be at an end.
W. Curtis Preston, chief technologist, Druva