Refining Your GDPR Strategy – Addressing User Data

The European Union’s General Data Protection Regulation (GDPR) deadline for implementation has come and gone. Many organizations have achieved a basic level of compliance, so now is the time to dig deeper, tie up loose ends and try to simplify the process. It is also a time for organizations not directly impacted by GDPR to tighten up their data security and protection practices. Organizations around the world need to realize that GDPR was just the initial warning shot and concepts like data privacy are more critical than ever.

**This is a reprint of a blog published by Storage Switzerland on July 24, 2018. Join us for our upcoming live webinar “How to Design a Compliant and GDPR Ready Collaboration System” on July 26th at 11:30 am ET / 8:30 am PT.**

An area to pay attention to is user data: the files that users within an organization create and share with both internal employees and external business partners. Protecting, managing, and ensuring compliance for user data is one of the more overlooked topics in the organization, yet it is also one of the data sets most susceptible to a breach.

A major weakness is how users share their data with external parties. IT today has very little control over how users share data and even less oversight as to when they share it. Most users still rely on consumer-grade, cloud-based file sync and share services, which give IT almost no control over with whom, and for how long, that data is shared.

Enterprise File Sync and Share May Not Be Enough

The immediate answer to a file sharing problem is to move the organization to enterprise file sync and share (EFSS). These solutions do provide IT with oversight and control over how files are shared and with whom. The problem is that most providers of these solutions did not design them with compliance in mind. They may encrypt data at rest and in flight, but compliance with GDPR and the more stringent regulations to come requires more than encryption.

First, a compliant EFSS solution requires identity management. It should integrate with Active Directory, LDAP, and SAML for secure single sign-on. Second, the EFSS solution needs to cover more than just one data store. It needs to provide time expiration of shares, password protection, and download restrictions across all corporate data storage. It also needs to provide geo-location restrictions.

Third, the EFSS solution shouldn’t burden IT. For example, IT can’t be expected to predict every possible reason for sharing or not sharing a file. Instead, the solution should provide sharing policies where users are required to outline why they created a shared link. IT then reviews the sharing justification. Additionally, the solution needs to provide full file event auditing to track file access by date and time as well as by whom and why. File auditing also allows an organization to prove file deletion in response to a right to be forgotten request.

Finally, the EFSS solution needs to provide complete discovery of personal data. Personal data as defined by GDPR is any data that relates to an identified or identifiable natural person. Finding personal data within and across the organization is a big challenge. The EFSS solution needs to index content under its management so authorized users can search it.

StorageSwiss Take

User data is the most exposed data set in an organization, and it is also the most likely to violate regulations and corporate governance policies. Enterprise file sync and share needs to evolve beyond just simple file sharing with encryption to meet the challenge of GDPR and other upcoming data privacy laws. The answer is to manage file data as a unique data set and provide advanced capabilities like auditing and content search.

To learn more about modernizing EFSS as well as how to build a backend storage architecture to support it join us for our upcoming live webinar “How to Design a Compliant and GDPR Ready Collaboration System” on July 26th at 11:30 am ET / 8:30 am PT.

How to Implement File Sharing for GDPR Compliance

Employees are going to share files. It’s an essential part of collaboration. For any project involving more than a few people, this is likely to involve a cloud-based file sharing solution. In environments requiring GDPR compliance, that can be a problem, especially when regulations state how data can be used and where it is stored, and require that you be able to find and delete information when asked.

In EMEA, GDPR is now in effect. And in the US, one of the country’s toughest privacy regulations, the California Consumer Privacy Act of 2018, was voted into law on June 29.

New storage solutions can help you remain in compliance, but first let’s consider the problem.

GDPR Compliance Places New Demands on File Sharing

Users appreciate the simplicity of cloud-based file sharing, but this may come at the cost of IT control. In the cloud, do you know what data is being stored, how it is protected and who has access?

[Image: GDPR compliance places new requirements on file sharing]

Loosely managed assets can run afoul of regulations that impose requirements to:

  • Maintain data within specific physical boundaries
  • Control use of personal data
  • Delete instances of personal data if requested (aka, “the right to be forgotten”)

When data is shared among users and further replicated across the cloud, control is lost and the potential penalties mount. From IT’s perspective, what’s just as troubling is that your ability to respond to regulatory demands may be lost. When you receive a data subject access request (DSAR), can you quickly find all instances of the information?

The right to be forgotten requires tight control. You cannot be sure of “forgetting” someone if you cannot locate every instance of their data. A single GDPR compliance lapse can cost the company many thousands of euros.

Solution: Cloud-like File Sharing and On-Prem Storage with Cloudian + SME

Cloudian now offers a simple solution: Cloudian storage plus Storage Made Easy (SME) collaboration software.

[Image: GDPR-compliant solution for file sync and share from Cloudian]

The combined solution is cloud-like file sharing software and an on-prem storage system that is under your control… and behind your firewall.

[Image: File sync and share within your data center]

This combines the best of both worlds:

  • Ease-of-use: A cloud-like experience for your users makes it easy to adopt and use the service
  • Your security framework: The shared data repository receives the same protection as any other file, and the same access controls (VPN, AD, LDAP)

This lets you handle collaboration just as you would manage and monitor any other file service, with the same controls, same firewall, and your preferred data protection method.

Personal Data / Personally Identifiable Information Management

Personal data, or PII, is central to GDPR compliance and data privacy laws. Passport numbers, social security numbers, credit card numbers, etc., should ideally never be shared, but we’ve seen too many instances of laptop theft resulting in the disclosure of sensitive PII.

[Image: Identify personal data (personally identifiable information) in files and control its distribution]

The Cloudian/SME solution scans documents for PII, and takes action or sends notification as defined by your policy. Out of the box, it recognizes over 60 forms of PII, and you can add definitions to suit your needs.
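To show what pattern-based personal-data scanning with extensible definitions looks like in practice, and how the same scan can feed the content index that the earlier section (indexing content so authorized users can search it) and the DSAR discussion (finding every instance of a subject's data) call for, here is an added example. It is not Cloudian's or SME's code and does not reflect their implementation; the definitions, sample files, policy actions and the `PiiScanner` API are all constructed for this illustration. Matches are validated with the Luhn check for card numbers and the ISO 7064 mod-97 check for IBANs so that random digit runs do not trigger a block, and findings keep only a masked tail so the audit record does not re-disclose the data it reports.

```python
"""Pattern-based personal-data scanner with extensible definitions and a subject index.

Added example (not the Cloudian/SME product code). Definitions, sample files and
policy actions below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97: rotate the first four chars to the end, map A..Z to 10..35,
    and the resulting integer must leave remainder 1."""
    rotated = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rotated)
    return int(numeric) % 97 == 1


def normalize(value: str) -> str:
    """Canonical form for indexing and lookups: drop separators, lower-case."""
    return re.sub(r"[\s-]", "", value).lower()


@dataclass(frozen=True)
class PiiDefinition:
    name: str
    pattern: re.Pattern
    validate: Callable[[str], bool] = lambda raw: True   # extra check on the raw match
    action: str = "notify"                               # policy outcome: "notify" or "block"


# Constructed starter definitions; a product would ship far more and let admins add their own.
DEFAULT_DEFINITIONS = [
    PiiDefinition("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    PiiDefinition("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
                  validate=lambda raw: luhn_ok(re.sub(r"\D", "", raw)), action="block"),
    PiiDefinition("iban", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b"),
                  validate=lambda raw: iban_ok(normalize(raw).upper())),
]


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    masked: str      # only the last four characters survive into logs and notifications
    action: str


@dataclass
class PiiScanner:
    definitions: list[PiiDefinition] = field(default_factory=lambda: list(DEFAULT_DEFINITIONS))
    index: dict[str, set[str]] = field(default_factory=dict)   # normalized value -> paths

    def add_definition(self, definition: PiiDefinition) -> None:
        """Extension point for organization-specific identifiers (employee IDs, case numbers)."""
        self.definitions.append(definition)

    def scan(self, path: str, text: str) -> list[Finding]:
        findings: list[Finding] = []
        for d in self.definitions:
            for m in d.pattern.finditer(text):
                raw = m.group(0)
                if not d.validate(raw):
                    continue
                key = normalize(raw)
                self.index.setdefault(key, set()).add(path)
                masked = "*" * max(len(key) - 4, 0) + key[-4:]
                findings.append(Finding(path, d.name, masked, d.action))
        return findings

    def decide(self, findings: list[Finding]) -> str:
        """Policy: any blocking definition blocks the share; otherwise notify; else allow."""
        if any(f.action == "block" for f in findings):
            return "block"
        return "notify" if findings else "allow"

    def locate_subject(self, identifier: str) -> set[str]:
        """DSAR / right-to-be-forgotten support: every file holding this identifier."""
        return set(self.index.get(normalize(identifier), ()))


SAMPLE_FILES = {   # constructed sample content, not real data
    "hr/onboarding-maria.txt": "Contact maria.lopez@example.org, card on file 4111 1111 1111 1111",
    "finance/invoice-2041.txt": "Pay to GB82 WEST 1234 5698 7654 32, reference 4111 1111 1111 1112",
    "eng/release-notes.txt": "Version 2.1 fixes issue 4242",
}


def scan_repository(files: dict[str, str] = SAMPLE_FILES) -> tuple[PiiScanner, dict[str, str]]:
    """Scan every file, returning the populated index and the per-file policy decision."""
    scanner = PiiScanner()
    decisions = {path: scanner.decide(scanner.scan(path, text)) for path, text in files.items()}
    return scanner, decisions


if __name__ == "__main__":
    scanner, decisions = scan_repository()
    for path, decision in decisions.items():
        print(f"{decision:7} {path}")
    print("files holding the subject's e-mail:", scanner.locate_subject("maria.lopez@example.org"))
```

The invoice's second card-like number fails the Luhn check and is therefore ignored, while the IBAN is recognised and merely notifies; the HR file is blocked because a valid card number is a blocking definition. Because every validated match is also written to the index under its normalized form, a later subject request can be answered by `locate_subject`, whether the requester quotes the value with spaces, dashes or different letter case.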

[Image: Recognize personal data use in shared files with the Cloudian solution]

Shared Links Include Time Limits and Password Protection

Shared links to files can be password protected and time limited, providing an additional level of control. No more evergreen links that can be widely shared outside of your control.
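The controls this section describes, together with the EFSS requirements listed in the first article above (time expiration of shares, password protection, download restrictions, geo-location restrictions, a recorded sharing justification, and full file event auditing), are straightforward to express as a small service. The following is an added example, not Cloudian's or SME's code and not a description of how their product is built; the `ShareService` API, the 30-day policy ceiling, the status strings and the sample values are all constructed for the illustration. Passwords are stored as salted PBKDF2 hashes and compared in constant time, each decision is written to an audit trail, and the checks run in a fixed order so a denied request never consumes a download.

```python
"""Share-link service with expiry, password, download cap, geo-restriction and audit trail.

Added example (not the Cloudian/SME product code). Policy limits and sample values are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
MAX_SHARE_TTL = 30 * DAY          # constructed policy ceiling on how long a link may live
PBKDF2_ROUNDS = 100_000
T0 = datetime(2018, 7, 1, tzinfo=timezone.utc)   # fixed clock so the demo is reproducible


def day(n: int) -> datetime:
    """Helper for the demo: a timestamp n days after T0."""
    return T0 + n * DAY


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class ShareLink:
    token: str
    path: str
    owner: str
    justification: str                    # required so IT can review why the link exists
    expires_at: datetime
    max_downloads: int | None
    allowed_countries: frozenset[str] | None
    pw_salt: bytes | None
    pw_hash: bytes | None
    downloads: int = 0
    revoked: bool = False


@dataclass
class ShareService:
    links: dict[str, ShareLink] = field(default_factory=dict)
    audit: list[dict] = field(default_factory=list)    # file event audit: who, what, when, why

    def _log(self, event: str, token: str, actor: str, at: datetime, **extra) -> None:
        self.audit.append({"ts": at.isoformat(), "event": event, "token": token, "actor": actor, **extra})

    def create(self, path: str, owner: str, justification: str, ttl: timedelta, *,
               password: str | None = None, max_downloads: int | None = None,
               allowed_countries: set[str] | None = None, now: datetime | None = None) -> str:
        now = now or datetime.now(timezone.utc)
        if not justification.strip():
            raise ValueError("a sharing justification is required for review")
        if ttl <= timedelta(0) or ttl > MAX_SHARE_TTL:
            raise ValueError(f"share lifetime must be positive and at most {MAX_SHARE_TTL}")
        token = secrets.token_urlsafe(24)             # unguessable link identifier
        salt = secrets.token_bytes(16) if password else None
        link = ShareLink(token, path, owner, justification, now + ttl, max_downloads,
                         frozenset(allowed_countries) if allowed_countries else None,
                         salt, _derive(password, salt) if password else None)
        self.links[token] = link
        self._log("share_created", token, owner, now, path=path, justification=justification,
                  expires_at=link.expires_at.isoformat())
        return token

    def access(self, token: str, actor: str, country: str, *,
               password: str | None = None, now: datetime | None = None) -> str:
        """Returns "allowed" or "denied:<reason>"; every outcome is audited."""
        now = now or datetime.now(timezone.utc)
        link = self.links.get(token)
        reason = None
        if link is None:
            reason = "unknown_link"
        elif link.revoked:
            reason = "revoked"
        elif now >= link.expires_at:
            reason = "expired"
        elif link.allowed_countries is not None and country not in link.allowed_countries:
            reason = "geo_restricted"
        elif link.pw_hash is not None and (
                password is None or not hmac.compare_digest(_derive(password, link.pw_salt), link.pw_hash)):
            reason = "bad_password"
        elif link.max_downloads is not None and link.downloads >= link.max_downloads:
            reason = "download_limit"
        if reason:
            self._log("access_denied", token, actor, now, country=country, reason=reason)
            return f"denied:{reason}"
        link.downloads += 1                           # only a fully authorised request counts
        self._log("access_allowed", token, actor, now, country=country, path=link.path)
        return "allowed"

    def revoke(self, token: str, actor: str, now: datetime | None = None) -> bool:
        link = self.links.get(token)
        if link is None:
            return False
        link.revoked = True
        self._log("share_revoked", token, actor, now or datetime.now(timezone.utc))
        return True


if __name__ == "__main__":
    svc = ShareService()
    tok = svc.create("contracts/q3.pdf", "alice", "partner review of Q3 contract", 7 * DAY,
                     password="correct horse", max_downloads=2, allowed_countries={"DE", "FR"}, now=T0)
    print(svc.access(tok, "bob", "DE", password="correct horse", now=day(1)))   # allowed
    print(svc.access(tok, "bob", "US", password="correct horse", now=day(1)))   # denied:geo_restricted
    print(svc.access(tok, "bob", "DE", password="correct horse", now=day(8)))   # denied:expired
    for entry in svc.audit:
        print(entry)
```

The order of the checks matters: existence, revocation and expiry are tested before the password so that an expired or revoked link never reveals whether a guessed password was right, and the download counter is incremented only after every control has passed. The `audit` list is the evidence an organization needs to answer "who accessed this file, when and why", and the `share_revoked` entry is the record that a link was shut off in response to a deletion request.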

Easy-to-Use

The solution is as simple to use as any cloud solution. Files can be accessed from Windows, Mac, Linux, iOS and Android platforms. You can view files and folders in Explorer or Finder, as with any storage system, or within the app’s own UI. The included UI adds capabilities such as viewing the physical location of the file’s storage system, an important attribute for compliance. And you can see at a glance what personal data is present.

Highly Rated Storage

Best of all, the storage repository is Cloudian Object Storage, the most highly rated object storage system on Gartner Peer Insights. This limitlessly scalable system earned the highest “recommended” level at 96% positive, and the highest rating with 4.8 out of 5 stars. With up to 14 nines data durability and integrated data protection, it’s the ideal foundation for enterprise collaboration.

[Image: Gartner Cloudian review MQ]

Find out more about this solution and GDPR compliance at cloudian.com/collaboration.