The EU’s General Data Protection Regulation (GDPR) was approved last year, and the enforcement date of May 25, 2018 is fast approaching. After that, organisations found to be in non-compliance will face heavy fines. With only nine months until the enforcement date, it’s important to understand the potential problem areas in your data storage architecture and how you can improve it in time to be GDPR-compliant.
What is the GDPR?
The GDPR was designed to harmonize data privacy laws across Europe, bolstering privacy protection for EU citizens and empowering them to better control how their data is used. The regulation introduces the ‘Rights of the Data Subjects’, which essentially states that data belongs to the individual, not the organisation. For individuals, this means that they can access their personal data that’s being stored, and can request changes or even removal. They also have the right to compensation if their rights are violated. For organisations, information must be held only as long as it’s required, and in many cases they’ll need to appoint a Data Protection Officer to ensure that personal data is not compromised.
Organisations are now facing challenges interpreting what the new regulations mean to them and understanding what they need to do to ensure compliance. Just deploying technology is not a good answer here, as organisations need to understand the data they are storing to ensure they have a legitimate reason for holding this data. It’s important to keep in mind six core principles when storing personal data. Data must be:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Relevant and limited to what is necessary
- Accurate and up to date
- Retained for only as long as necessary
- Processed in an appropriate manner to maintain security
The Path to GDPR Compliance
Because of the greater control individuals have over their personal data, it is the organisation’s duty to ensure that the data is neither lost nor compromised. There are two big questions you should ask yourself when assessing how compliant your organisation is with the GDPR:
1. Is the data protected?
If the personal data your organisation stores ends up compromised, the organisation will be held accountable. You must make sure your data is protected from:
- Device failures – This includes any physical storage component, such as disk drives, storage controllers, and data centres.
- Logical/soft failures – This refers to human errors such as accidental deletion/overwrite, as well as viruses and file data corruption. This currently accounts for up to 80% of data losses.
- Security breaches – Data must be secure from forceful entry/hacks.
Data availability must be guaranteed not only for the security and privacy of personal data, but also in the event that individuals want to make changes to their data.
2. Can I find the data?
The second question you should ask is around data location awareness. If someone requests their personal data, would you be able to quickly locate and procure it? Not only does the data you’re storing need to be housed in GDPR-compliant systems and data centres, but the data itself needs to be searchable and well-organised. If you are not able to produce the requested data in a timely fashion, you may face fines under the new regulations.
Turning to Object Storage
One way you can start moving your organisation towards GDPR compliance is by looking to object storage. The inherent capabilities of object storage give you some real advantages in achieving compliance:
Customizable metadata tags: To ensure compliance, you must be able to find information. Traditional file systems only let you see a limited, fixed set of metadata on a file, such as the owner and the date created. With object storage metadata, there is no practical limit on how you tag your data, so it can be tagged with the attributes that matter for compliance and searched directly when a data request arrives.
Scalability: When data is consolidated, it’s much more easily searched and checked for duplicate records. The limitless capacity of object storage makes it feasible to consolidate data to a single, searchable pool.
Data protection features: Data must be available at all times. With data protection features such as erasure coding, replication, and multi-tenancy (to segregate users), you can ensure that data can still be retrieved no matter what situations arise.
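As an added illustration (not code from the original post), the following Python models the metadata-tag approach described above: a constructed catalogue of objects, each tagged with assumed user-defined keys (subject-id, purpose, retain-until), and the lookups an organisation would run to answer a subject access request, an erasure request, and the "retained only as long as necessary" principle. The key names and sample objects are assumptions for the example, not anything prescribed by the GDPR or by a particular object store.

```python
from datetime import date

# Constructed sample catalogue (not from the original post). Each object carries
# user-defined metadata, as object stores allow; the key names are assumptions.
OBJECTS = {
    "crm/cust-1042/contract.pdf": {"subject-id": "cust-1042", "purpose": "contract", "retain-until": "2026-01-31"},
    "support/tickets/88213.json": {"subject-id": "cust-1042", "purpose": "support", "retain-until": "2017-06-30"},
    "marketing/leads/batch7.csv": {"subject-id": "cust-2210", "purpose": "marketing", "retain-until": "2018-12-31"},
    "backups/2016/raw.tar": {},  # untagged: cannot be attributed to any data subject
}


def locate_subject_data(catalogue, subject_id):
    """Subject access request: keys of every object tagged with this subject."""
    return sorted(k for k, m in catalogue.items() if m.get("subject-id") == subject_id)


def erase_subject_data(catalogue, subject_id):
    """Removal request: delete every object for the subject, return what was removed."""
    keys = locate_subject_data(catalogue, subject_id)
    for key in keys:
        del catalogue[key]
    return keys


def expired_objects(catalogue, today):
    """Retention principle: objects whose retain-until date has already passed."""
    expired = []
    for key, meta in catalogue.items():
        until = meta.get("retain-until")
        if until and date.fromisoformat(until) < today:
            expired.append(key)
    return sorted(expired)


def untagged_objects(catalogue):
    """Objects with no subject tag cannot be found for a request: flag them for classification."""
    return sorted(k for k, m in catalogue.items() if "subject-id" not in m)


if __name__ == "__main__":
    print("access request cust-1042:", locate_subject_data(OBJECTS, "cust-1042"))
    print("past retention on 2018-05-25:", expired_objects(OBJECTS, date(2018, 5, 25)))
    print("needs classification:", untagged_objects(OBJECTS))
```

The untagged-object check is the part worth running first against a real bucket: anything it returns is data you could not produce for a request, which is exactly the gap the second question above is about.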
Full GDPR compliance will not be an easy task, but you can start prepping your organisation for the enforcement date by making sure your data is protected, available, and searchable.