
GDPR brings serious implications for data storage

New European Union data protection regulations put tough requirements on organisations that store “personally identifiable data”. We look at what is needed to achieve compliance

In less than 12 months, new legislation comes into place across the European Union (EU) that will radically change the terms of use for personal data.

The General Data Protection Regulation (GDPR) is a significant upgrade and replacement for previous data protection rules, known as the Data Protection Directive.

As a regulation, GDPR comes into force automatically – irrespective of the UK’s Brexit plans – and, with significant punitive damages, it is something any organisation that does business with EU citizens cannot ignore.

The Data Protection Act was introduced in 1998 in the UK, and it worked in a very different world to the one we see today. At the time, Google didn’t exist. The company was founded in September 1998 – the act was introduced in July. There was no Facebook, Twitter, Snapchat or Instagram either.

The rules of data protection, which covered the storage and processing of personally identifiable information, applied to the most obvious data – the kind stored in databases that could identify an individual, such as names, photographs and addresses.

We now live in a world that, for the majority of people, is based around mobiles and smartphones. From a handheld device, it’s possible to shop online, order pizza or book a taxi.

An individual can be identified by metadata related to their mobile device or desktop, and companies such as Google increasingly collect and collate this information to provide more accurate and targeted advertising.

Bearing all this in mind, it’s easy to see that the previous data protection rules are no longer fit for purpose.

Rights of the individual

GDPR introduces a completely new regime in terms of data protection. The balance of ownership of personal data shifts from the company to the person, with greater rights for the individual to decide how corporations use their data.

Where previously the rules defined personal data as anything that could be used to identify a “natural person”, under GDPR the definition is extended to include other metadata, including IP addresses, mobile IMEI numbers and SIM card IDs, as well as website cookies and biometric data.

Many companies use the data they collect on individuals to build up profiles of information that can be used in selling, such as in targeted advertising, as well as making decisions about credit worthiness or even what search results the user sees when shopping.

Under GDPR Article 22, the individual will have the right to challenge the way these algorithms work and the decisions they make. This introduces a new approach to seeking consent, as businesses must get permission to use personal data and to process it in certain ways.

Article 17 of GDPR introduces the “right to be forgotten”. Unless a business or organisation can show a legitimate reason to retain an individual’s data, that person can request the information is deleted by the business without “undue delay”, which may represent a significant challenge for many organisations.

Under Article 28, GDPR introduces the concept of a data processor. This extends the idea of the data controller introduced under previous legislation and describes another organisation or business that collects and processes data on behalf of the data controller.

This could refer to bureaux or marketing agencies that collect and maintain mailing lists, but it could also equally apply to companies that store data, which may include public cloud providers and backup archives (companies such as Iron Mountain that handle tape media).

Data processors are equally responsible for managing data as the data controller, which could bring some unique challenges.

Stricter enforcement of breach notification

What happens if things go wrong? Under the Data Protection Directive, individual member states could adopt their own rules that cover breach notifications and penalties.

Under GDPR, these rules are now standardised across the EU and have been significantly toughened. Any breach must be reported to a local supervisory authority within 72 hours of the business being aware of the issue.

Failure to notify can result in a penalty fine of up to €10m or 2% of global turnover. Negligent or intentional violation of GDPR can result in a fine of up to €20m or 4% of turnover.

Anyone who thinks the EU wouldn’t use these powers just has to look at the €2.4bn fine recently issued by the EU to Google for favouring its own results in internet shopping searches.

GDPR and you

What issues will businesses and their IT organisations face? The first and most obvious problem is how to know what personal data exists in the organisation.

Around 20 years ago, pretty much all data – excluding that held by bureau services – was stored in the corporate datacentre. Today, that data could be in multiple locations, stored on the edge in branch offices as well as in the public cloud.

Critically, personally identifiable data could exist outside primary systems. This could be any copy that has been used for test or development and not properly cleansed or obfuscated. It also refers to backup data, which clearly has personally identifiable information in it.

A clear first step is being able to identify all data created and owned by the business, wherever it resides.

The second step is to be able to highlight user-identifiable data. There are two main ways to classify personal data. First, there is information that is generated by the user, such as that created through interactions on websites or mobile applications, or less obvious data such as telephone recordings.

The second is data generated on behalf of the user. This includes data entered into systems by a third party, for instance on service or helpdesks or as part of survey information – think of websites that divert you to complete a survey on their customer’s behalf.

Just these few examples demonstrate that there are many systems that could be used to collect personal data. Each needs to be clearly identified and classified accordingly.

The storage administrator

How does all this filter down to the storage administrator? Here are a few thoughts:

  • Encryption is a must: data must be encrypted at every opportunity, including at rest and in flight. This applies equally to public cloud storage, preferably using user-managed keys, not just those provided by the cloud provider.
  • Have detailed application-to-storage mapping: ensure that any application can be mapped to the physical storage it uses, whether a LUN, file system or object store. As an extension to this, ensure backups can be associated back to an application. Applications – and, by implication, data – should be tagged as relating to personal information.
  • Security and audit: ensure strict access-control rules are in place for the data and that every access is tracked. Audit logs will be essential to identify any potential data breaches.
  • Validate test and development requirements: work with development teams to ensure any data provided for development is correctly anonymised to remove personal information.
  • Work more closely with colleagues: this may seem obvious, but storage teams need to become more data-aware, not focused on physical hardware. This means working in conjunction with application developers and the business.
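As an added example (not code from the article), here is one way a storage or data team could pseudonymise a customer extract before handing it to developers, covering the identifier types the article lists as personal data under GDPR (names, email, IP addresses, IMEI numbers, SIM IDs, cookies). The column names, sample rows and the key are constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import ipaddress

# Constructed sample: a customer extract as it might be copied to a dev environment.
# Row 3 deliberately repeats row 1 so the consistent tokenisation is visible.
SAMPLE_CSV = """customer_id,name,email,ip_address,imei,sim_id,cookie_id,plan
1001,Jane Doe,jane@example.com,203.0.113.45,490154203237518,8944110000000000001,ck_abc123,gold
1002,John Roe,john@example.net,198.51.100.7,356938035643809,8944110000000000002,ck_def456,silver
1003,Jane Doe,jane@example.com,203.0.113.45,490154203237518,8944110000000000001,ck_abc123,gold
"""

# Hypothetical per-environment secret; in practice it comes from a secrets store
# and is never stored alongside the anonymised copy.
PSEUDONYM_KEY = b"dev-copy-key-rotate-me"

# Direct identifiers are pseudonymised; network metadata is generalised instead.
DIRECT_IDENTIFIERS = ("name", "email", "imei", "sim_id", "cookie_id")


def pseudonymise(value: str, key: bytes, field: str) -> str:
    """Keyed HMAC: the same input always maps to the same token (joins still work),
    but the token cannot be reversed without the key. The field name is mixed in
    so the same string in two columns yields different tokens."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{digest[:16]}"


def generalise_ip(value: str) -> str:
    """Truncate to a /24 (IPv4) or /48 (IPv6) network so the row stays useful for
    network-level testing but no longer points at one device."""
    ip = ipaddress.ip_address(value)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def anonymise_extract(csv_text: str, key: bytes) -> list:
    """Return the rows with direct identifiers pseudonymised and IPs generalised."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in DIRECT_IDENTIFIERS:
            row[field] = pseudonymise(row[field], key, field)
        row["ip_address"] = generalise_ip(row["ip_address"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in anonymise_extract(SAMPLE_CSV, PSEUDONYM_KEY):
        print(row)
```

Because the tokens are keyed, the same person in two extracts only lines up when both were produced with the same key, so rotating the key per environment limits how far a test copy can be linked back.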

The last point is important. Storage administrators need to transition to data guardians and be more aware of what they keep on storage systems.

Finally, there are still some challenges that don’t have simple answers, with the most obvious being the right to be forgotten.

IT organisations store a mix of up-to-date and point-in-time data – the latter of which is used typically for data protection. Removing an individual from a historical backup, for example, will prove challenging.

Alternatively, businesses would have to track a list of individuals to be removed from a historical data restore, which in itself conflicts with the right to be forgotten.

GDPR may well see some new businesses and technologies emerge to answer some of the more tricky data management challenges. As ever, the future is about managing data, not the storage on which it sits.
