Wikipedia defines GDPR as “The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).”
GDPR becomes enforceable from 25th May 2018.
Many organisations have traditionally retained data for long periods in backup form as a cheap alternative to content-based archives. Under GDPR, fines may be levied if Personally Identifiable Information (PII) cannot be tracked and controlled effectively.
GDPR affects Data Protection in many ways:
Data Protection by Design
Data Protection needs to be designed into the development of business processes for products and business services. Privacy settings must be set to a high standard and measures should be in place to ensure that processing throughout the data lifecycle complies with the regulation. GDPR is not only interested in production data, but also replicas and data stored in backup/archive repositories.
Operational Recovery vs Content Searchable Archive
Historically, organisations have kept data in backup without much consideration for the actual content. This is no longer suitable for personal data (PII). Whilst backups still have a place for Operational Business Recovery (days/weeks rather than months), data needs to be controlled and indexed for longer-term archival.
Operational Recovery enables organisations to recover Business Services following an outage (accidental deletion, hardware failure, site failure, ransomware, etc.).
Content Archive enables organisations to retain data for longer periods to comply with industry regulations.
Many of the historical data breaches have come about due to lack of internal process and data encryption. To combat this, under GDPR, data should be encrypted at rest (both for primary/active data and secondary/backup data).
Further to this, any data used must have the consent of the owner before it can be stored. Should organisations wish to mine this data for other analytical purposes, GDPR recommends that PII data is anonymised so that it is unintelligible to any person not authorised to access it.
Right to erasure
Under GDPR, all data stored needs to be searchable so that PII can be removed where necessary.
Should a ‘Right to erasure request’ (previously ‘Right to be forgotten’) be made, data that meets the requirements of the request should be removed from both primary and secondary storage.
Exceptions to deletion will be made where PII data is required to be retained under other externally governed compliance policies. It is therefore imperative to have suitable procedures in place to ensure that such data is not removed under a “Right to erasure” request, leaving the organisation liable to fines for failing to retain it.
Once a “Right to erasure request” has been processed, there should be no way of recovering the deleted PII data. Processes need to be in place to ensure data inadvertently recovered as part of “Operational Recovery” is tracked and the erasure request re-processed to ensure compliance.
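The two controls described above (refusing erasure where a retention obligation overrides it, and re-applying processed erasure requests to anything brought back by an Operational Recovery) are easier to reason about as a small ledger. The following Python is an added illustration, not code from the original post or from any product it mentions; the records, addresses and ledger key are constructed for the example, and the ledger keeps only a keyed fingerprint of each data subject so that it does not itself retain the PII it was asked to erase.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed records as they might come back from an operational recovery
# (hypothetical data, not from the original post).
RESTORED_RECORDS = [
    {"id": 101, "email": "alice@example.com", "order": "A-1"},
    {"id": 102, "email": "bob@example.com",   "order": "B-7"},
    {"id": 103, "email": "carol@example.com", "order": "C-3"},
]


def subject_key(ledger_key: bytes, email: str) -> str:
    """Keyed fingerprint of the data subject's identifier.

    The ledger must outlive the erased data, so it must not hold the address it
    was asked to delete. A keyed HMAC lets us recognise the subject again without
    storing the value; a plain hash would be guessable from a list of addresses.
    """
    norm = email.strip().lower().encode("utf-8")
    return hmac.new(ledger_key, norm, hashlib.sha256).hexdigest()


@dataclass
class ErasureLedger:
    key: bytes                                    # held by the controller, not with the backups
    erased: set = field(default_factory=set)      # subjects whose erasure has been processed
    legal_hold: set = field(default_factory=set)  # subjects another regulation requires us to retain
    events: list = field(default_factory=list)    # audit trail: (event, fingerprint prefix)

    def place_hold(self, email: str) -> None:
        self.legal_hold.add(subject_key(self.key, email))

    def process_request(self, email: str) -> bool:
        """Record an erasure request; refused (and logged) when a retention
        obligation overrides it, so we never delete data we are required to keep."""
        k = subject_key(self.key, email)
        if k in self.legal_hold:
            self.events.append(("refused_legal_hold", k[:8]))
            return False
        self.erased.add(k)
        self.events.append(("erased", k[:8]))
        return True

    def reprocess_after_restore(self, records):
        """Re-apply every processed erasure to data that came back from a restore.

        Returns the records that may be kept and the number re-erased; a restore
        must never silently resurrect a subject whose erasure was already honoured.
        """
        kept, re_erased = [], 0
        for rec in records:
            k = subject_key(self.key, rec["email"])
            if k in self.erased:
                re_erased += 1
                self.events.append(("re_erased_after_restore", k[:8]))
            else:
                kept.append(rec)
        return kept, re_erased


if __name__ == "__main__":
    ledger = ErasureLedger(key=b"ledger-secret-held-by-the-controller")
    ledger.place_hold("carol@example.com")              # e.g. a financial-records retention rule
    print(ledger.process_request("alice@example.com"))  # True: erased from primary storage
    print(ledger.process_request("carol@example.com"))  # False: retention obligation wins
    kept, n = ledger.reprocess_after_restore(RESTORED_RECORDS)
    print(n, "record(s) re-erased after restore;", len(kept), "kept")
    for event in ledger.events:
        print(event)
```

In practice the "re-erase after restore" step would be wired into the recovery runbook itself, so that no restored copy of primary or secondary data is handed back to the business before the ledger has been applied to it.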
Uncontrolled copies of data
Many organisations have multiple methods in use for protecting data within their estate. These need to be reviewed in light of GDPR, to ensure that uncontrolled copies of PII no longer exist.
Common areas that need to be addressed are:
- Use of scripts to extract data to flat files
- Typically, DBAs use scripts to create database copies as they do not trust backup software. Having these uncontrolled copies lying around could see hefty fines being levied on the organisation.
- Use of tape exports
- Many organisations export data for sharing with suppliers/partners. Under GDPR, sharing of data requires the consent of the persons to whom the PII being shared relates.
- Any data exported to tape needs to be controlled through pseudonymisation and/or encryption, so that it can only be used by the intended personnel.
- Data Cloning
- Cloning of data to create test environments has been common practice for years. Under GDPR, any copies of data need to be controlled and must follow the same rules as production data. If PII is to be cloned and given a new purpose, then it requires consent and pseudonymisation.
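The pseudonymisation called for above for tape exports and cloned test environments, and the anonymisation mentioned earlier for analytical use, are worth seeing side by side. The following Python is an added example, not code from the original post or from any product it names; the production rows and field names are constructed, and the key is an assumption that stands in for a secret held by the data owner and never copied alongside the clone.

```python
import hmac
import hashlib
import secrets

# Constructed sample of a production table (hypothetical data, not from the original post).
PRODUCTION_ROWS = [
    {"customer_id": 1, "name": "Alice Example", "email": "alice@example.com",
     "postcode": "AB1 2CD", "balance": 120.50},
    {"customer_id": 2, "name": "Bob Example", "email": "bob@example.com",
     "postcode": "AB1 9ZZ", "balance": 0.00},
    {"customer_id": 3, "name": "Alice Example", "email": "alice@example.com",
     "postcode": "AB1 2CD", "balance": 42.00},
]

# Fields that identify a person directly; everything else is treated as business data.
PII_FIELDS = ("name", "email", "postcode")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token for one PII value.

    HMAC rather than a plain hash: an unkeyed SHA-256 of an e-mail address can be
    reversed by hashing guessed addresses, which would not meet the "only usable by
    the intended personnel" bar. With the key kept outside the test estate, the
    clone on its own cannot be mapped back to the data subject.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return f"{field}_{mac.hexdigest()[:16]}"


def pseudonymise(rows, key):
    """Replace PII fields with tokens. Identical inputs give identical tokens,
    so joins and per-customer behaviour in the test environment still work."""
    out = []
    for row in rows:
        clone = dict(row)
        for f in PII_FIELDS:
            clone[f] = pseudonym(key, f, str(row[f]))
        out.append(clone)
    return out


def anonymise(rows):
    """Irreversible variant for analytics: drop direct identifiers and generalise
    the postcode to its outward code so individuals cannot be singled out."""
    return [
        {"postcode_area": row["postcode"].split()[0], "balance": row["balance"]}
        for row in rows
    ]


def leaks_raw_pii(clone_rows, source_rows):
    """Control check: does any original PII value survive verbatim in the copy?"""
    raw_values = {str(r[f]) for r in source_rows for f in PII_FIELDS}
    return any(str(v) in raw_values for r in clone_rows for v in r.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept by the data owner, never shipped with the clone
    test_copy = pseudonymise(PRODUCTION_ROWS, key)
    for row in test_copy:
        print(row)
    print("raw PII leaked into clone:", leaks_raw_pii(test_copy, PRODUCTION_ROWS))
    print("anonymised for analytics:", anonymise(PRODUCTION_ROWS))
```

The difference between the two functions is the difference the regulation draws: a pseudonymised clone is still personal data (the key holder can re-identify it, so it needs consent and the same controls as production), whereas the anonymised output has had the identifying fields removed and generalised and is what you would hand to an analytics team.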
What have Silverstring been working on with our customers?
Our expertise in managing and optimising data protection environments, typically including IBM Spectrum Protect, means many of our customers have turned to us, to discuss their compliance requirements.
Typical engagements with customers have included:
Encryption Discovery workshops – our team works with stakeholders to understand how – or even if – data is currently encrypted in data protection platforms. This has surfaced some interesting and risk-laden situations, where organically developed processes had been accepted as OK. This includes a number of situations where backup tapes were sent off-site unencrypted.
Policy reviews – we have enabled forums that have brought together IT and compliance teams to review and analyse how data is retained and for how long. Common risks uncovered here include ‘forever’ retention periods and poorly controlled flat file backups of business critical systems.
Platform reviews – it is often the case that when long-standing data protection platforms are reviewed there is a matrix of significant risk and a lack of recoverability. In some situations, the best route forward is a review and re-implementation of the data protection application and infrastructure, to save money and bring confidence in recoverability.
What steps have you taken to review your data protection strategy in light of GDPR?
Which of the above situations might exist in your environment?
To book your initial review with us, call, or complete our contact form now!