The General Data Protection Regulation (GDPR) placed significant restrictions on data management and security when the European Union enacted it in 2018. But it’s also had a major impact on enterprise data storage infrastructure and management. The regulation’s 99 articles cover data rights and expectations and assign liability and penalties for violating them. Though the GDPR has been in effect for five years, organizations still struggle to comply with it—this guide focuses on its impact on the business world and on enterprise storage teams in particular.
Does GDPR Affect Non-European Enterprises?
The GDPR affects all businesses that collect European users’ data, regardless of which country they call home. Being based outside the EU doesn’t exempt businesses from GDPR requirements. Likewise, GDPR applies to companies that sell and ship any products to European customers or provide online services, cloud applications, or other internet-based products to EU residents.
Mismanaging the personally identifiable information (PII) of users in the EU can have severe consequences under GDPR. Fines for compliance failures can reach as high as four percent of a company’s global annual revenue. Not adhering to GDPR standards can significantly affect a company’s finances, regardless of what percentage of its business comes from Europe.
Redefining Data Management and Protection
GDPR compliance may have a measurable impact on an organization’s data management processes, including where it stores the user data it collects. Enterprises should be prepared to classify, protect, and track the personally identifiable information of EU users as it wends its way through their storage environments.
GDPR’s strictures also place the responsibility of protecting data on the organization, including any of its controllers and processors. In other words, GDPR is looking out for the interests of the user or data subject, not the business. It expects enterprises to protect data subjects—individuals whose information is collected—as well.
The following are some of the higher profile examples of how the GDPR protects data subject rights:
- Article 15. Data subjects can request a copy of data about them that an organization has collected and retained.
- Article 17. The “right to erasure” or “to be forgotten” calls for organizations to eliminate a data subject’s data from their systems if requested.
- Article 16. The “right to rectification” mandates that inaccurate data about the data subject be changed upon request.
The GDPR also places restrictions on the data controller (the person or body managing the data and implementing organizational data protection). Two of the most impactful examples follow:
- Article 24. The controller should be able to demonstrate that organizational data processing is compliant with the regulation.
- Article 26. In the case of joint controllers, they must determine appropriate division of responsibilities; both may have action taken against them by data subjects.
How to Think about GDPR for Storage Teams
Storage teams approaching such a massive set of regulations should start with the building blocks. Your company will need a data controller—this role may not be a member of the storage team, and in fact, often will not be. A chief compliance officer or similar role will likely head the regulatory charge, but ensure that the storage team is represented and communicates effectively with the controller.
It’s also a good idea to hire someone passionate about data protection and customer experience. This doesn’t need to be the chief controller, but it should be someone involved with your organization’s approach to data privacy and protection. Without a focus on data subjects’ rights or a passion for data protection, it’s only a matter of time before your business is fighting to remain compliant or avoid fines.
7 Expert GDPR Compliance Tips for Storage Admins
For storage teams specifically, the best approach to compliance is to lead by example: if data-focused teams care about protecting individuals’ information, they will naturally have a head start on GDPR compliance. Here are a few other principles for storage teams to consider and implement.
1. Choose storage locations carefully
Make sure teams are strategic and practical about storing personal information. For example, shifting older data to tape can be cost-effective, according to backup specialist Cloudberry, but it can also make it difficult to find, recover, and delete user data. Organizations subject to GDPR should instead consider moving archival data to the cloud using services like Amazon Glacier or Microsoft Azure Archive Storage.
2. Keep storage teams informed
Storage teams shouldn’t be passive about data protection. Instead, they should lead the charge alongside executives and data managers. But they must be clearly guided to know how to do that.
Senjuti Basu Roy, the Director of Big Data Analytics Lab at the New Jersey Institute of Technology, emphasized the importance of informing employees—they should never have to guess what their business expects from them. This is especially true for initiatives like data protection and privacy. Clearly defined training and regular staff development will give storage teams a clear blueprint for protecting customer information.
3. Establish stringent data retention policies
Unless retention is required by a specific industry or regulation, as in healthcare or financial services, unneeded data should be deleted. Collaborate with the relevant controllers and processors in your organization to track data lifecycles, and don’t hang onto data longer than it’s needed “just in case.”
4. Automate distributed storage environments
Hybrid cloud environments are a boon for businesses looking to extend their IT capabilities in an affordable manner, but they can also complicate regulatory compliance activities. Even the most diligent IT professionals can’t be expected to keep up with the sheer number of systems and services where user data resides, but they’re still responsible for identifying potential compromises—even if the data was stored in another location.
Distributed storage environments are just too complicated for enterprise storage teams to manage compliance manually. Appropriately designed automated systems help them identify potential breaches more efficiently.
5. Make sure you have visibility before a breach
GDPR’s breach notification requirements are tough. Compliance officers, data security teams, and storage professionals will need to know what kinds of PII they have stashed in their organization’s storage systems.
Make sure your storage team knows where data is stored and to whom it belongs. If a potential breach occurs, you might still have to notify users, even if it’s not certain that their data was compromised. Such notifications require that you know whose data is stored where.
6. Beat the countdown clock
Organizations that can’t quickly search across their various data repositories after a suspected breach can expect to land in hot water. Again, knowing the location of data is critical. GDPR demands that users be notified of a breach within 72 hours.
Organizations must be prepared to search their data storage systems, including cloud-based applications, servers, and personal computers, to determine what data has been compromised. Clear metadata and organized storage methods will help your storage team track down data in a reasonable time frame, but that requires plenty of advance preparation.
7. Invest now or pay later
There’s no getting around it. Costs will mount as organizations invest in new storage and data management technologies that enable GDPR compliance. Don’t be tempted to cut corners now in a bid to get the most out of those IT budgets.
Historically, some organizations realized it was less expensive to pay the fines if they got caught than to become fully compliant with regulations, said Zachary Bosin, VP of product and growth marketing at cloud-based videoconferencing provider BlueJeans. But GDPR fines are too big for businesses to ignore.
Balancing Costs with Compliance
Yes, there are cost-effective ways to protect users and still have a strong storage infrastructure. Your storage team—and your whole organization—just has to be willing to do the research and put in additional effort to create a system that benefits both your business and your users.
But if you have to choose one, choose the user. While it might cost you money in the short term, it’ll save you money in the long run. It’s also the point of the GDPR legislation.
The intent of GDPR is serving individuals—it’s designed to protect their data. Plenty of businesses have tried to do the bare minimum and failed, including huge enterprises. To be blunt, the GDPR is not just about meeting certain requirements—that’s just the blueprint that helps teams protect their customers’ data.
Data protection regulations can help businesses prioritize a customer-first, people-first approach. However, if your approach is focused on money or on getting around the rules, you will probably fail to meet the regulation’s requirements at some point and risk major fines. Multiple major tech companies have already been caught and fined for breaching GDPR restrictions, including Meta and Amazon.
Bottom Line: GDPR is a Data Protection Litmus Test
GDPR has forced many enterprises to take a good hard look at their data management practices. Businesses will only be able to meet regulatory requirements for so long if the organization as a whole doesn’t take a strong stance on protecting user data. One way to think of it is as a litmus test of how corporations view personal data: do they choose to respect it and use only the bare minimum, or do they view it as something to exploit for as long as possible?
If your storage team is collaborating with the executives at your company to develop a GDPR strategy, make sure you talk first about your business-wide approach to data protection and privacy overall. This will define not only your GDPR strategy but also the way you handle any other regulatory compliance and users’ data as a whole.