New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises
When the EU GDPR comes into effect, a single complaint could result in an audit and a fine for improperly handling personal data unless IT leaders have adjusted their data management and backup strategies to be ready. Start modifying plans, policies, processes and technologies today.
- The European Union General Data Protection Regulation (EU GDPR) applies beyond the sovereign borders of member countries, and protects the personal data of citizens regardless of location.
- Many organizations use a long retention policy for all backups, even though they may also have an archiving product in place.
- Backup provides no mechanism for tactical deletion or expunging select data, so IT leaders must assess what data from EU member country citizens is stored, and be able to verify that the data is properly handled.
- As a clear message of compliance “or else,” the guidelines for penalties have been set high enough that just planning on paying the fine is a poor strategy.
- Develop an action plan to respond to the EU GDPR with the legal and compliance department in addition to data custodians.
- Leverage the time from now until the May 2018 deadline to complete a risk assessment, identify data storage locations and put procedures in place.
- Implement technologies and processes such as file analysis and archiving to make sure it is possible to comply with requests from natural persons protected under the GDPR and EU supervisory bodies.
- Where possible, reduce backup retention to only what is required for operational recovery.
When the EU GDPR comes into effect in May 2018, I&O leaders must be prepared for unwieldy requests from ordinary people seeking disclosure of stored personal data, including requests for deletion. Now is the time to examine the impact on storage management and backup strategies. It might seem that this risk applies only to companies operating inside the EU, but this assumption is not altogether true. The new European Union General Data Protection Regulation 2016/679 (which supplants Directive 95/46/EC) provides natural persons, regardless of nationality, with the right to request what data is being stored about them and to withdraw consent to its use, thus ordering its destruction. According to Article 12, this request must be free of charge, easy to make, and must be fulfilled without “undue delay and at the latest within one month.” The closest analog is free (but not unlimited) legal discovery requests for the masses, which paints a rather discomforting operational efficiency picture for any infrastructure and operations (I&O) leader.
Very few, if any, organizations have this capability in place inside the EU, or anywhere, and that is why the European Union is giving entities that handle personal data until May 2018 to design and implement a process to support this regulation. While ensuring organizational compliance is not an I&O leader’s responsibility, if nothing is done, then fulfilling requests from backup and other storage locations could become overly burdensome. I&O leaders can justifiably request that compliance, legal and other stakeholders take action.
The best way to avoid misusing data protected under the GDPR is not to keep personal data for any purpose other than for what it was collected, and no longer than it is needed for that purpose.
Mentioning to the CEO that failure to comply with the EU GDPR might cause the company to be subject to a fine of up to €20 million or 4% of total yearly worldwide turnover (whichever is higher) and/or regular audits will certainly get his or her attention. It should make it clear that an assessment needs to be done. Data classification exercises, and the internal conversations that surround them, have traditionally been met with outright resistance, along with “just buy more storage” as the solution. File analysis technologies have improved enough to deliver on their promises, making the real possibility of gaining valuable data insight a popular IT topic. However, identifying where personal data that might be subject to the regulation is located, and setting policies around it, is not purely tool-based or the work of a single department, so executive sponsorship will most likely be needed.
I&O leaders together with other stakeholders must determine which storage locations contain personal data from EU countries, especially if it is being transferred from and stored outside the EU for any reason. Organizations that either operate wholly within the EU, or have an entity registered there, clearly have more urgency to come up with a suitable plan by May 2018. Companies that have no registered presence within the EU or any plans to do any business there (including through partners or delivering goods and services) may opt to delay response to the regulation, but with the knowledge that this excludes them from a market with the second largest GDP in the world behind the U.S.
Personal data could include profiles for marketing purposes, email addresses, phone numbers, or a host of other data that might have been purchased, transferred from another company, or gathered directly during a business transaction or use of a service. Whatever the case, if explicit consent to the collector was not given, or if the person was not informed that the collection was taking place, then current market observers will find that this is in violation of the regulation. Gartner clients point out that based on their interpretation, existing legal retention and financial disclosure requirements are not changing (such as when collecting personal data when opening a bank account to prevent money laundering).
Consent is not a hidden, obscure opt-out, or a surreptitious amassing of data without informing the person. Consent is a clearly worded and easy-to-understand opt-in — and consent has to be given for a specific purpose, it can’t be a catch-all for all current and future processing ideas. In Europe, this is normal, and provisions for an opt-in are in the GDPR, but to the rest of the world, this might be completely alien. That leaves a large legal exposure for most companies that operate oblivious of or with disregard to this requirement.
If the organization has the data, then it has almost certainly found its way into backup copies of the data. At this point, the real focus and question becomes, “What is the retention policy?” If the organization uses long retention of backup data as a way to preserve records, then the potential exposure is high. Gartner recommends that backup retention be set to only what is required for operational recovery; if that results in an organizational deadlock, however, retention need not be changed across the board. Retention should be reduced for systems that contain personal data, and if archiving is not already in place for maintaining these records for governance purposes, then it should be implemented.
If reduced retention and/or implementing an archiving solution is not possible, then the organization must accept that complying with a single deletion request might result in loss of the organization’s impromptu archive.
Natural persons from EU member countries have the right to request full disclosure of all data held by an organization. Based on Page 1, Paragraph 2 of the GDPR, “natural persons” are not exclusively EU citizens, and this appears to extend to natural persons of any nationality. While clearly not yet tested in court or explicitly called out in the GDPR, the implication is that companies with legal entities in the EU may also have to respond to requests for personal data from natural persons from non-EU countries as well. Repetitive, excessive or unfounded claims may be ignored or accompanied by a reasonable fee.
According to the GDPR, consent is not permanently binding, and there must be a possibility to withdraw it. The owner of the data is not the company that collected it; rather, it is the person from whom it was collected, and that person may specify how data may or may not be used. For an operational system, this is its own problem, depending on the system itself. However, if the personal data resides in the backup system, then all corresponding backup copies would have to be destroyed in order to comply. Offsite backup tapes would have to be recalled and erased. This naturally then leaves the organization without those backups, which is very likely to include other data as well.
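The two storage-side consequences described above (reducing retention only on systems that hold personal data, and the fact that honouring one erasure request against backups means expunging every copy that holds the subject, recalling offsite tapes and losing the other records in those copies) can be made concrete with a small model of a backup catalog. The following is an added example written for this note, not Gartner's code or any backup product's API; the catalog, system names, subject identifiers, dates and the "onsite-disk"/"offsite-tape" locations are all constructed sample data, and the retention periods are illustrative assumptions.

```python
"""Model of how backup retention interacts with a GDPR erasure request.

Added example, not code from the original note. Everything below is
constructed: the catalog, system names, subject ids, dates and retention
periods are hypothetical sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BackupCopy:
    copy_id: str
    system: str            # source system the copy was taken from
    taken: date            # when the copy was created
    location: str          # "onsite-disk" or "offsite-tape" (constructed labels)
    subjects: frozenset    # data subjects whose personal data the copy holds


@dataclass(frozen=True)
class RetentionPolicy:
    default_days: int               # retention for systems not flagged as holding personal data
    personal_data_days: int         # reduced retention for flagged systems
    personal_data_systems: frozenset

    def days_for(self, system: str) -> int:
        """Retention period that applies to a given system under this policy."""
        if system in self.personal_data_systems:
            return self.personal_data_days
        return self.default_days


def expired_copies(catalog, policy, today):
    """Copy ids whose age exceeds the retention the policy assigns to their system."""
    return sorted(c.copy_id for c in catalog
                  if (today - c.taken).days > policy.days_for(c.system))


def erasure_plan(catalog, policy, subject, today):
    """Work needed to honour an erasure request for `subject` against backups.

    Copies past retention are expired first (under a working policy they
    should not exist anyway). Every remaining copy that holds the subject
    must be expunged, which destroys the other subjects' data in those
    copies and requires recalling any offsite tape.
    """
    expired = set(expired_copies(catalog, policy, today))
    live = [c for c in catalog if c.copy_id not in expired]
    affected = [c for c in live if subject in c.subjects]
    collateral = set().union(*(c.subjects for c in affected)) - {subject}
    return {
        "expire_first": sorted(expired),
        "expunge": sorted(c.copy_id for c in affected),
        "recall_tapes": sorted(c.copy_id for c in affected
                               if c.location == "offsite-tape"),
        "collateral_subjects": sorted(collateral),
    }


# Constructed sample catalog: a CRM system and a file share, each with
# recent onsite copies and older copies sent to offsite tape.
SAMPLE_CATALOG = (
    BackupCopy("c1", "crm", date(2018, 5, 20), "onsite-disk", frozenset({"s-100", "s-200"})),
    BackupCopy("c2", "crm", date(2018, 4, 20), "offsite-tape", frozenset({"s-100", "s-300"})),
    BackupCopy("c3", "crm", date(2017, 12, 1), "offsite-tape", frozenset({"s-100"})),
    BackupCopy("c4", "fileshare", date(2018, 1, 15), "onsite-disk", frozenset({"s-100", "s-400"})),
    BackupCopy("c5", "fileshare", date(2017, 3, 1), "offsite-tape", frozenset({"s-400"})),
)
TODAY = date(2018, 5, 25)  # the day the GDPR applies

# "Keep everything for a year" versus operational-recovery-only retention
# on the system known to hold personal data (assumed periods).
LONG_RETENTION = RetentionPolicy(365, 365, frozenset())
REDUCED_RETENTION = RetentionPolicy(365, 30, frozenset({"crm"}))


def compare_policies(subject="s-100"):
    """Erasure plans for one subject under both policies, side by side."""
    return {
        "long": erasure_plan(SAMPLE_CATALOG, LONG_RETENTION, subject, TODAY),
        "reduced": erasure_plan(SAMPLE_CATALOG, REDUCED_RETENTION, subject, TODAY),
    }


if __name__ == "__main__":
    for name, plan in compare_policies().items():
        print(name, plan)
```

Under the long policy, one request for subject s-100 touches four copies, two of them offsite tapes that must be recalled, and wipes the backups of three other subjects along with it. Under the reduced policy the same request touches two onsite copies and no tapes, because the older CRM copies should already have expired; the file share, which was not flagged as holding personal data, still carries the subject and shows why identifying storage locations comes before tuning retention.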
Some Gartner clients are wondering if it would be better just to disclose and delete data from production systems, ignore backup, and let the data retention run its course naturally. So long as no audit is ordered, this might work, but it may appear like intentional nondisclosure if an audit were ordered and the data were found. If the source of the claim is an internal whistleblower or a disgruntled ex-employee, this scenario becomes more likely. Ultimately, this is a decision that must be weighed based on the organization’s tolerance for risk.
Use EU GDPR Articles 58, 82 and 83 (see Note 1) as starting points when developing your action plan. By starting with these articles, it is possible to get a good overview of the requirements, since they refer to the other articles within the GDPR that they enforce. The GDPR administrative fines (Article 83) do take into account aggravating and mitigating factors, such as how intentionally data was collected, how much of it there is, how securely it was processed and stored, and how surreptitiously it was gathered. These factors can mean the difference between a stiff fine and a reprimand. Maintaining customer records is in and of itself a normal course of business, and remains mostly unaffected if retention is for legal compliance reasons, or is the subject of a criminal investigation. Automated policies, including for retention and deletion/expiration, are very good, but the ability to override them when necessary is critical. This is why automating user-initiated deletion capabilities should be examined with care.
Based on historical interactions with global companies (such as Facebook and Google), it appears very likely that a warning from a court in an EU member country to come into compliance will be the first course of action, though this is by no means a guarantee that this will be the case after May 2018. Several Gartner clients have expressed concerns about where the minimum bar is set. They feel that ignoring the basic requirements, such as opt-in, the right for a person to know what data a company has about them, the right to control and prevent unauthorized transfers, the right to be forgotten, and being opaque and difficult about everything just mentioned could raise the ire of a court enough to result in the issuance of a fine.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
EU GDPR Article 58
This article grants data protection audit and investigation powers to supervisory bodies. Not only do audits distract staff and consume resources, they can quickly turn a response of “our organization complied with the request” into what could appear to be an intentional cover-up if a subsequent audit does discover something. “Intentional” and “negligence” are two words that the regulation references in Article 83(2)(b), and awkward discovery during an audit appears to run afoul of Article 83(2)(h).
EU GDPR Article 82
On top of fines for the data controller, any person has the right to compensation for damages suffered as a result of exposure or loss. This is especially pertinent in the event of data theft through a cyberattack or even accidental exposure. Keep in mind, the data controller is still liable in the event an external processor of the data exposes or loses control of data.
EU GDPR Article 83
Depending on the severity of the violation, and which articles have been violated, fines may be assessed:
- Up to €10 million or 2% of worldwide annual turnover, whichever is higher (see Paragraph 4).
- Up to €20 million or 4% of worldwide annual turnover, whichever is higher (see Paragraphs 5 and 6).