Cybrain - Fotolia
In this podcast, ComputerWeekly.com storage editor Antony Adshead talks with the CEO of Vigitrust, Mathieu Gorge, about the key developments to expect in legal and regulatory compliance in 2017. These include the European General Data Protection Regulation (GDPR) and likely changes to the legal and regulatory environment in the US.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Antony Adshead: What are the key developments in data retention and compliance that we need to watch out for in 2017?
Mathieu Gorge: The first regulation we need to look at is the European GDPR, which needs to be complied with by May 2018 but which is already getting a lot of traction in 2017.
As an organisation or entity subject to the EU GDPR, as it is known, you need to be prepared and have fully in place a number of policies and procedures, technical solutions and training around data privacy, privacy impact assessments and, generally speaking, how you protect data pertaining to any type of data described as personal data within the regulations.
That covers personal information, credit card information, IBANs, any type of banking information, as well as health information.
With that comes the issue of data transfer, which is currently being incorporated into the privacy shield that was unveiled in 2016 but which is still being changed and will gain very big traction in 2017.
Finally, I think we need to be prepared for some new regulations in the US, where there is going to be a new government in place from January onwards.
The president-elect has already said that with regard to cyber security, data retention, data transfer and compliance, some of the existing regulations will be changed, potentially even completely done away with and replaced with some new, stricter regulations.
Primarily, these will be around data sovereignty and data transfer, not just within the US but from outside into the US.
So, it’s going to be a very busy year from that perspective.
Adshead: Looking at these, what implications for storage and backup will they bring?
Gorge: Well, once again we go back to basics. Most of the security experts in the industry will tell you that you need to start mapping your data so you know which data to keep, how to keep it, how to store it and for how long – there comes the concept of data retention – and that varies, obviously, from one jurisdiction to another.
Some of the key advice can be obtained in Europe from the Information Commissioner’s Office in the UK or the Office of the Data Protection Commissioner in Ireland, for example. But also in the US from the National Institute for Standards and Technology (NIST) with regard to new items that came out around data storage.
Read more on storage and compliance
- Vigitrust’s Mathieu Gorge reports from Web Summit 2016 on the explosion of data that comes with the internet of things and its implications for data storage and compliance.
- Data classification is key to efficient storage, security and compliance. In this podcast, Vigitrust’s Mathieu Gorge talks about the fundamentals of a data classification policy.
From a technology perspective, we are moving away from a network-centric security strategy into data-centric technology, so you’ve got new solutions such as Ionic, which allows you to, essentially, manage the data from a data value perspective and from a storage perspective, based on the data itself rather than where the data resides.
We are seeing a lot of new technology around tokenisation and de-valuing the data, such that you end up storing the tokens as opposed to storing the data, which is inherently more secure and easier from a compliance perspective.
From the backup perspective, however, that throws up some new challenges, because you need to be able to reverse-engineer the data securely, for example, for e-discovery purposes.
From an encryption perspective, we are also seeing some changes as regards focus on data in use as opposed to data in transit or data at rest.
So, again, I think that going back to the basics, we need to map out the data and then, from that mapping, understand where the data flows to and where it comes from, and apply the right level of technology to store only the appropriate level of data, dispose of the data the right way, and encrypt the data we need to work with.
And the best way to do it is to only keep the data you need. If you don’t need it, don’t store it. That will make your storage and backup challenges way easier to deal with in 2017 and beyond.