If you reside in Europe, you likely already know about the EU General Data Protection Regulation (GDPR); those outside Europe may only now be gaining awareness of it. Many are also coming to the realisation that an organisation physically located outside Europe is still required to comply if it offers goods or services to individuals in the EU, or monitors their behaviour.
This is the first important aspect to understand. Every organisation that decides why and how personal data is processed (a “data controller”) and every third party that processes it on a controller’s behalf (a “data processor”) is obligated to comply when the data pertains to individuals in the EU, no matter where that organisation is physically located.
If your organisation is not based within the EU, you may be asking yourself “why would I need to comply?” The answer here is financial, with fines of up to 4% of global annual turnover or 20 million euros, whichever is greater. Any organisation collecting, or acting as a third party by processing, the personal information of individuals in the EU is within scope. You are classified as a controller of personal data simply by allowing an EU resident to sign up to your mailing list.
So what is GDPR, and what does it mean to how an organisation stores and manages data?
To begin, an organisation must, on request, identify all personal data it controls belonging to an EU resident and respond without undue delay, and in any case within one month (extendable by two further months for complex or numerous requests). This is known as an individual’s “right of access.” On request, an organisation must be able to provide an electronic copy of the data held, together with the purposes for which it is processed, who it has been disclosed to, and how long it will be retained. A separate right to rectification means an individual must also be able to have inaccurate data corrected. This does not mean the individual requires direct access to the data, only that there must be a means for individuals to submit corrections.
Individuals also have the right to move their data from one controller to another. On request, an organisation must provide a copy of the personal data the individual supplied to it in a “structured, commonly used and machine-readable” format and, where technically feasible, transmit it directly to the new controller. This requirement is known as “data portability,” and it applies to data processed by automated means on the basis of consent or a contract.
An important part of GDPR is an EU resident’s “right to be forgotten” (the right to erasure). Any EU resident can request that all personal data an organisation retains about them be removed. This extends to data shared with third parties: the controller must instruct its processors to delete their copies and must inform any other controllers it has disclosed the data to. The obligation applies unless the organisation has a valid reason not to comply; for example, a debt collection agency could not be expected to destroy all personal data related to a debt it is actively pursuing against an individual, and data cannot be deleted where removal would breach laws on compulsory data retention.
“Data protection,” or security of processing, is also a key stipulation of GDPR: personal data must be protected from theft and unauthorised access by appropriate technical and organisational measures, and the regulation explicitly names pseudonymisation and encryption among them. On becoming aware of a personal data breach, the controller must notify the relevant supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay.
Organisations may also be required to appoint a “data protection officer” (mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data) whose role is not only to inform and advise on obligations under GDPR, but also to monitor compliance with it.
An organisation relying on traditional systems, storage, processes and workflows is going to find GDPR compliance both expensive and challenging. It will require a review of all aspects of data storage and protection. For example, legacy data backups could make compliance with the “right to be forgotten” requirement extremely difficult. To honour an erasure request, not only must the active data be removed, but also every instance of that data held on backup media or in archives. Similarly, the loss or misplacement of a backup tape is likely to trigger an expensive breach-notification exercise; one practical mitigation is that individuals need not be notified if the lost data was encrypted and the key remains secure, which is one reason encryption of backup media matters.
The “right to be forgotten” and “data protection” requirements will also force many organisations to change the way they develop and test their applications. Testing with a copy of production data that contains personal data could become unmanageable. Not only does such a practice expose retained personal data to a weaker environment, but in the case of a right to be forgotten request the organisation must also ensure the data is removed from all development, test and QA environments, and, most importantly, is not inadvertently restored during later test or QA cycles.
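One way out of the test-data problem is to stop copying personal data into test environments at all: pseudonymise the production extract before it leaves production, so that development, test and QA hold tokens rather than names and e-mail addresses. GDPR itself names pseudonymisation as a security measure. The following is an added illustration of that approach, not code from this post or from Caringo. The table schema, column names, sample rows and the `PII_FIELDS` list are all constructed for the example. Tokens are keyed HMACs rather than plain hashes, so someone who obtains the test copy cannot confirm a guessed e-mail address simply by hashing it, and the same key is used for every table so joins still work in test.

```python
"""Pseudonymise a production extract before loading it into test/QA.

Added example (not Caringo's code). Personal-data columns are replaced with
keyed HMAC tokens; the same plaintext maps to the same token under a given
key, so cross-table joins keep working. All rows and column names below are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed sample "production" tables; the schema is an assumption.
CUSTOMERS = [
    {"id": 1, "full_name": "Anna Berg", "email": "anna.berg@example.com", "country": "SE", "plan": "pro"},
    {"id": 2, "full_name": "Luc Martin", "email": "luc.martin@example.org", "country": "FR", "plan": "free"},
]
ORDERS = [
    {"order_id": 501, "email": "anna.berg@example.com", "amount_eur": 49.0},
    {"order_id": 502, "email": "luc.martin@example.org", "amount_eur": 9.0},
    {"order_id": 503, "email": "anna.berg@example.com", "amount_eur": 49.0},
]

# Which columns hold personal data. Keeping this list explicit is itself part
# of the GDPR bookkeeping: it records what personal data you hold and where.
PII_FIELDS = {"full_name", "email"}


def pseudonymise(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one personal-data value.

    HMAC-SHA256 with a secret key rather than a bare hash: without the key an
    attacker holding the test copy cannot check a guessed address by hashing
    it. The column name is mixed in so the same string in two columns yields
    different tokens. E-mail tokens keep an address shape so application
    validation in test still passes.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()[:20]
    if field == "email":
        return f"{mac}@test.invalid"
    return f"{field}-{mac}"


def mask_rows(key: bytes, rows: List[dict], pii_fields: Set[str]) -> List[dict]:
    """Return copies of rows with every personal-data column tokenised."""
    return [
        {col: (pseudonymise(key, col, val) if col in pii_fields and val is not None else val)
         for col, val in row.items()}
        for row in rows
    ]


def build_test_extract(key: Optional[bytes] = None) -> Dict[str, List[dict]]:
    """Mask every table with the same key so cross-table joins survive.

    If the key is generated here and discarded after the run, nothing in the
    test copy can be linked back to a data subject. If the key is retained,
    the extract is pseudonymised personal data and remains in scope for
    access and erasure requests.
    """
    key = key if key is not None else secrets.token_bytes(32)
    return {
        "customers": mask_rows(key, CUSTOMERS, PII_FIELDS),
        "orders": mask_rows(key, ORDERS, PII_FIELDS),
    }


def leaked_values(extract: Dict[str, List[dict]], source_tables: List[List[dict]],
                  pii_fields: Set[str]) -> Set[str]:
    """CI guard: original personal-data values that still appear in the extract.

    Run this before the extract is loaded into a test database; a non-empty
    result means a column was missed in PII_FIELDS.
    """
    originals = {
        str(row[col])
        for table in source_tables for row in table
        for col in pii_fields if col in row and row[col] is not None
    }
    dumped = " ".join(str(v) for rows in extract.values() for row in rows for v in row.values())
    return {v for v in originals if v in dumped}


if __name__ == "__main__":
    extract = build_test_extract()  # key is generated and never stored
    assert not leaked_values(extract, [CUSTOMERS, ORDERS], PII_FIELDS)
    for row in extract["orders"]:
        print(row)
```

The design choice that matters for the “right to be forgotten” is what happens to the key. Generated per extract and thrown away, it leaves test and QA with data that cannot be traced back to anyone, so an erasure request never has to reach those environments. Kept, it makes the tokens reversible by the organisation, and the test copies stay within scope for every request discussed above.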
Yet the biggest challenge many organisations will face is simply how to locate, in a timely and cost-effective manner, all personal information pertaining to an individual, along with why that data is retained and where it is stored, while distinguishing which data is in scope for removal from the data that must be retained.
“Data protection by design and by default” requires that these capabilities, along with compliance with all other GDPR requirements, be built into products and processes from day one rather than added afterwards.
While this may seem overwhelming, it is important to know that the technology already exists to enable you to comply with GDPR. In next week’s blog, I will look at how Caringo Scale-Out Hybrid Storage provides a simple and cost-effective solution. And, on February 27, my colleague Alex Oldfield, Solutions Architect, and I will present a webinar on the challenges organisations face and how Caringo Swarm provides a cost-effective solution to help you meet GDPR requirements as well as how Data Protection Officers can use Swarm to monitor and ensure compliance.
Register now to watch live or on demand.
February 27, 10:30 a.m. GMT
GDPR’s Dirty Little Secret & How Object Storage Enables Compliance