bluedesign - Fotolia

GDPR’s impact on storage of personally identifiable data

Computer Weekly talks to Mathieu Gorge of Vigitrust about the practical impacts on data storage of the GDPR concepts of “personally identifiable data” and “the right to be forgotten”

The European Union (EU) General Data Protection Regulation (GDPR) is set to come into force in May 2018.

Key to GDPR compliance – with relation to retention of data and storage – are the importance of personally identifiable data and the right to be forgotten.

Personally identifiable data now extends from the obvious, such as name and date of birth, to a range of things retained by IT systems, including metadata, IP addresses, mobile IMEI numbers,  SIM card IDs, cookies and biometric data.

Meanwhile, the right to be forgotten allows individuals to request that data be deleted without “undue delay”.

All this places onerous requirements on how organisations retain data, as well as their ability to find and deal with it.

In this podcast, storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about the implications for storage of GDPR’s requirements on personally identifiable data and the right to be forgotten.

Antony Adshead: How do we ensure we can locate personal data?

Mathieu Gorge: First of all you need to define what personally identifiable data is in GDPR. Essentially, it is any type of data that could put any type of data subject in Europe at risk, whether you store, process or work on that data in the EU or not.

The key challenge that we’re seeing in the market right now is that most organisations do not know where the data is or what type of data they have.

For example, do they have data that is covered by GDPR, do they have other data that is not covered by GDPR, do they take credit card holder data, do they take protected health information data, and where is that data located?

Where within their ecosystem can they find it? Is it on their on network, their subsidiaries, do they exchange data with partners, suppliers, cloud applications and so on?

So, to do that what they need to put in place is a data discovery exercise that will allow them to map out where data covered by GDPR is located, where it is coming from, where it is going to, [and] what what kind of processing it is taking on.

Then they can classify the data and use some tools to do that and move onto the next level, which is how to manage access to that data in such a way that I guarantee under GDPR I have taken what is known as “appropriate security measures” to protect the data, and ensure that I know at any given time that the data is fairly and appropriately managed and protected.

Adshead: How can we enable the right to be forgotten in storage systems?

Gorge: It’s worth going over what that right to be forgotten causes.

The idea is that under the eight principles of data protection you need to obtain data and process it fairly; you only need to keep it for one or more specified explicit and legal purposes; you can only disclose it in ways that are compatible with these purposes; it needs to be kept safe and secure, accurate, complete and up to date; and you need to ensure it is adequate and relevant.

What’s really important in those principles is the fact that you can only retain it for the amount of time that is necessary for the purpose, and you need to give a copy of the personal data to the individual on request and ensure that – if they tell you they no longer want you or allow you to have that data – it can be erased.

Read more about GDPR

And so, the right to be forgotten is really about putting in place the right processes, the right technology and the right training in your organisation to make sure that [you can fulfil a request] if someone says to you, ‘I no longer want you to have the data’ or ‘The data that you have about me is no longer accurate, I want you to take corrective action’.

That corrective action could be, ‘Please erase the data’, or it could be, ‘Please update the data to the appropriate level of data’.

And so, I go back to the previous question, which is that you need to be able to locate your data, you need to have data classification in such a way that if someone rings you and says, ‘I want you to delete that data because it is no longer accurate’, or, ‘You are using the data for a purpose that is no longer the purpose I gave you consent for’, then you need to be able to take action fairly quickly.

I think we will see that the regulators in the EU will look at the right to be forgotten as one of the main topics when they start to enforce GDPR.

Adshead: When will GDPR actually come into force?

Gorge: May 2018, although some European member states have already brought that forward and put GDPR into their own regulation ahead of May 2018.

So, again the advice is if you are not in compliance, you should at least be able to demonstrate that you have a roadmap to compliance by May 2018.

Read more on Storage management and strategy