How the General Data Protection Regulation Impacts Data Storage Systems
With the General Data Protection Regulation (GDPR) finalized, it’s time for organizations to begin implementing the people, processes and technology required for compliance. It isn’t just European Union (EU) countries that need to get moving: The data protection regulation impacts any organization that processes data belonging to EU citizens. Let’s take a look at how the regulation affects the design of data storage systems and how to get compliant.
More About the Data Protection Regulation
First, some background: The GDPR is the result of the European Commission’s efforts to unify data protection laws across the EU. Finalized on Dec. 15, 2015, the GDPR intends to give EU citizens control of their data while simplifying compliance for organizations that do business with EU citizens.
The data protection regulation focuses on ensuring that personal data is only stored with the individual’s consent for a specified purpose and for a length of time that’s in accordance with that purpose. The GDPR will have a significant impact on how organizations collect, store and handle data. Two key requirements have the potential to transform data storage systems: data protection by design and data privacy by default.
“The regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design),” the European Commission said. “Privacy-friendly techniques such as pseudonymisation will be encouraged to reap the benefits of big data innovation while protecting privacy.”
Complying With Data Storage Rules
Data storage solutions must be designed and architected to protect data and maintain its privacy. The appropriate security measures need to be in place to protect data, including clear rules regarding data access and proper authentication mechanisms for access to sensitive data. In addition, authorizations must be kept up to date to ensure appropriate access rights, and all data must be audited.
In order to meet these requirements, IT teams must:
- Automate data access processes, including those to grant, review and revoke access;
- Automatically inspect content to identify sensitive data; and
- Monitor and analyze access.
Because individuals can opt out of profiling, organizations should have the ability to easily delete personal data. It’s also important that solutions are built for data portability and manageability.
Moving Protection to the Cloud
Where the GDPR starts to get interesting is in relation to the cloud. The data protection regulation requires organizations to assess the benefits of on-premises versus cloud-based storage. In some cases, the cloud may be more suitable. However, data in the cloud must be stored in a format that facilitates portability and a right to erasure. IT teams that operate a hybrid IT environment must implement software that manages the entire environment as a single entity.
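As an added example that is not part of the original article, the following Python sketch shows what the pseudonymisation the Commission mentions, the access auditing listed above, and the portability and right-to-erasure requirements for stored data can look like in a small record store. The key, the store layout and the record fields are assumptions for illustration only.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Assumed secret; in practice it lives in a key store separate from the data store.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable enough to join records, but not reversible without
    the key (a plain hash of an e-mail address could be brute-forced)."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


class SubjectStore:
    """Records are filed under the pseudonym; the mapping back to the real
    identifier is kept apart so it can be dropped on erasure."""

    def __init__(self):
        self._records = {}  # pseudonym -> list of records
        self._lookup = {}   # pseudonym -> real identifier (re-identification table)
        self.audit = []     # every access is logged for later review

    def _log(self, action: str, pseudonym: str) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "subject": pseudonym})

    def store(self, email: str, record: dict, purpose: str) -> None:
        """Store a record together with the purpose it was collected for."""
        p = pseudonymise(email)
        self._lookup[p] = email
        self._records.setdefault(p, []).append({"purpose": purpose, **record})
        self._log("store", p)

    def export(self, email: str) -> dict:
        """Portability: everything held about the subject, ready for json.dumps."""
        p = pseudonymise(email)
        self._log("export", p)
        return {"subject": email, "records": list(self._records.get(p, []))}

    def erase(self, email: str) -> int:
        """Right to erasure: drop the records and the re-identification entry."""
        p = pseudonymise(email)
        removed = len(self._records.pop(p, []))
        self._lookup.pop(p, None)
        self._log("erase", p)
        return removed
```

Serialising the `export` result with `json.dumps` yields the machine-readable document a subject can take elsewhere, and the `audit` list is what an access review would inspect.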
In the case of a cloud data breach, both the cloud service provider and the user organization are liable. It’s therefore in the best interest of cloud service providers to ensure compliance with GDPR by developing, designing and enhancing their offerings to adhere to the principles of data protection by design and data privacy by default. However, the onus remains on the user organization to ensure that the chosen service provider meets the requirements of the data protection regulation.
While organizations have ample time to comply with the GDPR — enforcement is expected by 2018 — they should begin reviewing their data management efforts sooner rather than later. In addition to implementing the appropriate policies and processes, organizations may find that they need to update their data storage systems as well.