This article can also be found in the Premium Editorial Download "IT in Europe: Compliance and risk."
Download it now to read this article plus other related content.
With the rapid growth of data within organisations and the upcoming changes to the EU data protection regime, businesses need to become more proactive about their data storage strategies from a compliance point of view.
To do that, businesses need to understand the EU data protection regulations they must comply with and their implications for data storage.
Data storage regulations in Europe are currently driven by provisions of the EU Data Protection Directive and their respective applications in member states, by provisions relating to national directives around retention periods for financial information and by other requirements stemming out of freedom of information frameworks as well as electronic commerce, cookie and e-discovery requirements.
The current EU data protection regime requires organisations to take “appropriate security measures to protect personal data.” It is based around eight principles driving the data protection regime that dictate how personal data must be acquired, maintained, updated, stored, protected and disposed of.
Changes to the EU data protection landscape are driven by the upcoming EU Data Protection law due out this year or next. This EU data protection regulation will be implemented at national level by member states in the subsequent 24 to 36 months.
It is already clear that the EU data protection reform includes far-reaching proposals that will affect organisations that hold data on individuals, including the burgeoning cloud storage sector.
The first thing to note is that the regulatory framework is moving to a single regulation for the EU and is trying to keep up with a shift in which more data is kept in the cloud and therefore managed by a third party other than the original business that collected it, usually known as the data controller.
In data protection jargon, this means that the cloud provider becomes a data processor and it must protect the information it handles and stores on behalf of the data controller.
The responsibilities of data controllers will also increase. They’ll have to put policies and procedures in place. Data controllers will have to demonstrate they have carried out staff training and checked that data processors are also “taking appropriate security measures” to protect personal data pertaining to customers, employees and contractors.
From a cloud perspective, there will be a right to be forgotten and to data portability. This means that cloud providers will be required to delete information about a person or business if they request it to, and the person or business will be allowed to move data from one cloud provider to another.
There are other regulations and parameters to keep in mind:
- Using a cloud provider based outside the EU. Right now the EU provides strong protection for personal data. If data belonging to EU businesses or citizens is stored outside the EU, the transfer of that data needs to be secure with data protection requirements at the other end at least as strong as those in the EU.
- Data retention. Some specific sectors and/or regions require data to be kept for a long time. For instance, in some regions financial services organisations may need to keep call recordings or tax information containing personal information
- Industry standards. Standards such as PCI DSS provide additional requirements on what type of cardholder data may or may not be stored and how it is to be protected.
Implications for data storage in cloud environments
If you plan to use a public, private or hybrid cloud there are compliance implications.
- If it’s a private cloud, you’ll be the processor and controller from a data regulation perspective in most cases. That means you’ll have full control over the data and can protect it appropriately.
- If you are using a public or a hybrid cloud, you need to make sure you fully understand the security measures put in place by your cloud provider. Now more than ever is the time to actually read the contract. Watch out for liability restrictions imposed by the provider.
- You need to make sure your cloud provider actually has the appropriate level of security in terms of policies and procedures, as well as technical solutions staff training to make sure the data the provider is storing on your behalf -- which could be data that you’re handling on behalf of a third party -- is protected the right way.
Be prepared for requests from customers to move data away from you. Consider the potential for e-discovery. You need to make sure you know what data you are actually storing, for whom and who’s doing that on your behalf if you use a third party.
Operating in the cloud with regard to compliance is all about building a trust relationship with the provider and taking ownership of management of data so that you are in full control and you can comply with the new regulation.
Steps to data retention
To establish appropriate data retention policies, start with a clear data classification scheme. Data classification is how you organise data in your organisation so the right people have access to the right data at the right time.
Organisations might want to classify data from a user-based perspective, from a security-based perspective or from an operations perspective, and the way you do this is by ensuring the right data is accessible by the right people at the right time. This eventually allows organisations to only store the right data in the right place -- with appropriate security -- and for the right duration.
Technologies and processes for storage compliance
To determine the best route for ensuring regulatory compliance for storage, start from a high level and to draw up ecosystem diagrams that map out the different silos and business units within your organisation and the wider enterprise. Once you’ve done that, you can map the data flow within each of the silos and each of the actors in your ecosystem. Ensure this mapping includes devices owned by employees but that may be storing business data.
From that arises a data classification scheme that takes every type of data pertaining to customers, users, suppliers, etc, and allows you to apply the right levels of protection, storage and access.
This is then complemented by a three-level structured data storage approach:
- Policies and procedures. These must adhere to the provision of all legal and industry regulations and frameworks that apply to your organisation and the data it stores, transmits or processes.
- Technical solutions. These can include content filtering solutions preventing unauthorised data from leaving/entering your ecosystem, data encryption tools, data mining solutions, access solutions to ensure only the right people have access to sensitive data, data masking and data disposal solutions.
- User training. This includes data protection training for processors and controllers, technical training for IT staff, C-level training on the impact of noncompliance with regards to data storage, business continuity training and testing to ensure your organisation is ready to address an e-discovery request or to implement the right to be forgotten and portability provisions of the upcoming EU regulation.
The above structure needs to be maintained and updated constantly as regulations around data storage keep evolving and regional differences apply within the EU. Foreign laws may also apply to how your organisation must protect data it stores.
Forthcoming challenges with social media
Businesses are advised to keep an eye on personal data stored on social media sites. In cases where personal data pertaining to your customers or employees ends up on social media sites, legal, operational and security implications may be quite disruptive to the business. This is why it’s important to map your ecosystem in full, up to and including social media sites. Your organisation may not even be aware that some of the personal data in its custody ends up on social media but it needs to check and take corrective action. Reputation management tools can scout for such information to allow you to address the issue.
Mathieu Gorge is CEO of Vigitrust.
This was first published in August 2012