The European Union’s (EU) General Data Protection Regulation, or GDPR for short, places stringent new rules on how enterprises manage and secure personal data. A key consideration for enterprise CISOs and their data security teams, GDPR can also have a major impact on a company’s data storage environment and the management thereof. We have long known the GDPR is on the way; adopted in 2016, it finally takes effect on Friday, May 25, 2018.
GDPR affects non-European enterprises, too
Don’t think that GDPR applies to organizations located outside of the EU? Think again.
First off, being based outside of the EU doesn’t immunize a company from the regulation’s requirements. If an organization processes the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behavior, GDPR applies, regardless of which country its headquarters calls home.
If a company ships and sells products to European customers, GDPR matters. Likewise, companies that provide online services, cloud applications and countless other internet-based products to people in the EU have no choice but to comply with the law.
Under GDPR, mismanaging the personally identifiable information (PII) of users in the EU can have severe consequences. Fines for the most serious infringements can reach four percent of a company’s global annual revenue or 20 million euros, whichever is higher.
That’s right: non-compliance can have wide-ranging effects on a company’s finances, even if only a sliver of its business comes from Europe.
Redefining data management and protection
Complying with GDPR may have a big impact on an organization’s data management processes and where businesses place the data they collect on their users.
Enterprises should be prepared to classify, protect and track the personally identifiable information of EU users as it wends its way through their storage environments. But that’s not all.
Data subjects, the individuals whose information is collected, can request a copy of the data an organization holds on them under Article 15, “Right of access by the data subject.” Article 17, “Right to erasure,” more commonly called the “right to be forgotten,” requires organizations to delete a user’s personal data from their systems when the data subject asks for it and no legal ground for keeping it remains.
Businesses have some leeway in certain circumstances, but generally those requests must be fulfilled without undue delay and within one month (Article 12), extendable by two further months for complex or numerous requests. This means businesses should be ready to package and provide the requested data to users on demand or purge that data, two scenarios companies may never have planned for.
For example, shifting older data to tape as it ages is considered a prudent and cost-effective part of both an enterprise tiered storage and a data protection strategy. Storing users’ data on tape can prove problematic, warns cloud backup specialist CloudBerry.
Finding, recovering and deleting a specific user’s data on demand is relatively difficult when it sits on tape, the firm notes. Instead, businesses may consider moving their archival data to the cloud using services like Amazon Glacier, Microsoft Azure Archive Storage and similar offerings. Note that a cold cloud tier does not solve the problem by itself: an archived backup image is as opaque as a tape unless an index records which objects hold which data subject’s data, and cold-tier retrievals still take hours.
GDPR may force many enterprises to take a good hard look at their data management practices.
“Organizations should minimize their exposure in handling personal data, keeping only the personal data necessary to service direct business and legal needs. As a best practice, we encourage organizations to use archiving policies that identify instances of personal data, delete, encrypt and/or move data to more secure locations that are fully tracked.”
– Patrick McGrath, Solutions Director at Commvault
GDPR’s effects beyond storage
If an organization’s data storage environment can’t accommodate the scenarios mentioned above, or worse, contributes to a data breach, the effects may be felt by the money-making part of the business, according to Zachary Bosin, Director of Product and Solutions Marketing at data management firm Veritas.
“While GDPR legislation is requiring businesses to pay close attention to their data privacy policies, brands should know that consumers care about this issue regardless of what laws exist,” said Bosin. “In fact, a recent survey by Veritas shows that a large percentage of consumers would stop buying from, and even encourage boycotts of, brands that failed to protect consumer data. On the other hand, these same consumers would spend more money with brands they could trust with their data. That, more than the fines and penalties, should fuel GDPR compliance.”
Bosin was referring to a Veritas survey conducted by 3GEM, involving 12,500 consumers in 14 countries. Nearly two-thirds of respondents said they would stop doing business with a company if their data was mishandled. And don’t expect brand loyalty to bring them back.
Nearly half (48 percent) said they would take their business to a competitor. A majority (81 percent) would prod their family and friends into boycotting the offending organization.
Lost business aside, businesses that let their customers down also run the risk of increased government scrutiny. Seventy-four percent of respondents said they would go as far as reporting a business to regulators to express their dissatisfaction.
Of course, consumers who feel wronged by a company these days have no qualms about airing their complaints on the megaphone that is the internet. Practically two-thirds (65 percent) of all respondents said they would litter the internet with negative comments about a business that failed to protect their information.
Simply put, if a company’s storage systems inhibit its ability to meet GDPR’s privacy, security and data access and removal requirements, the backlash will eventually trickle down from the C-suite to senior IT leadership to storage administrators.
On the flipside, running a tight ship can improve a company’s fortunes. Although, as usual, a storage pro’s praises will likely go unsung.
Fifty-nine percent of consumers said they would spend more with organizations that safeguard their personal information. More than a quarter (27 percent) said they would be willing to spend 25 percent more with businesses whose data protection efforts are up to the task.
Expert GDPR compliance tips for storage admins
Enterprise Storage Forum asked Bosin to share some pointers on helping IT departments enact a post-GDPR data and storage management strategy. Here are his tips.
- Automation for distributed storage environments
Hybrid cloud environments are a boon for businesses looking to extend their IT capabilities in an affordable manner, but they can also complicate an organization’s regulatory compliance activities. Even the most diligent IT professionals can’t be expected to keep up with the sheer number of systems and services where user data resides.
“While education is helpful, automation is key. With the rapid adoption of cloud and SaaS application partners, data is becoming further distributed and it demands proper data protection coverage,” Bosin said. “Even if breached data was not stored on-premises under your direct control, it is still your responsibility to determine whether or not personal information could have been compromised, and if so, to enact notification procedures.”
- Beat the countdown clock
Organizations that can’t quickly search across their various data repositories after a suspected breach can expect to land in hot water. Article 33 gives a controller 72 hours from becoming aware of a personal data breach to notify the supervisory authority, and Article 34 requires notifying the affected individuals without undue delay when the breach is likely to put them at high risk.
“If you have 72 hours to notify a supervisory authority and victims once you become aware of a breach, access to information from servers, laptops, applications and SaaS partners becomes utterly critical. The ability to search across these silos could be the difference between compliance, embarrassment and major fines,” Bosin said.
- Visibility before a breach
GDPR’s breach notification requirements are strict. Compliance officers, data security teams and storage professionals will want to know what kinds of PII they have stashed away in their organization’s storage systems, and where, before an incident forces the question.
“Even if you have no direct evidence that personal data had been accessed or misused, the possibility that it could have still leaves you open to notification requirements. Follow a consistent approach to forensic analysis, and ideally know what information you’re holding before a breach event occurs,” Bosin advised.
- Invest now or pay later
There’s no getting around it. Costs will mount as organizations invest in new storage and data management technologies that enable GDPR compliance. Don’t be tempted to cut corners now in a bid to get the most out of those IT budgets.
“In the past, it was seen as less expensive to pay the fines if you got caught than it was to become fully compliant with regulations, which will require a significant number of business and data management practices,” said Bosin. “With GDPR, the fines are so significant and cannot be ignored.”
- GDPR: The new normal
GDPR compliance undoubtedly represents a big change in the management of PII and the storage systems entrusted with it. More than a burden, CIOs ought to view it as an opportunity to do right by their users.
“Whether you are directly impacted by it or not, the EU’s lead with GDPR presents a prescribed programmatic approach with privacy practices that provide an excellent framework for the responsible handling of personal data,” Bosin said.