When the European Union's General Data Protection Regulation (GDPR) takes effect on May 25, 2018, it will not only affect EU-based organizations, but also data controllers and processors around the world. Every company that holds data from customers in the EU (including the UK) will need to be compliant with the new, stringent regulations. To dive in deeper and find out more, I spoke with industry expert Neil Stobart, Global Technical Director at Cloudian.
VMblog: What can businesses do to minimize GDPR risks and protect their reputation?
Neil Stobart:
Businesses need to review the data they are storing to ensure they have a legitimate reason for holding this data. Many organizations have data that will be in direct contravention of GDPR regulations and it is important to cleanse any data sets that do not meet the requirements of the new regulations. There are six core principles that stored personal data must adhere to:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and up to date
- Retained for only as long as necessary
- Processed in an appropriate manner to maintain security
Any data that does not meet these criteria must be removed from an organization. This is a significant task. In addition to primary copies of this data (across all applications and storage media, such as databases, email systems and file stores), companies must also assess data copies stored in archives and backups.
Once the data has been cleansed, businesses need to ensure that the legitimate data they hold is protected against loss.
VMblog: Can you expand on some ways businesses can protect personal data?
Stobart:
Protection of data needs to be considered in a number of ways:
- Device failure - Data storage systems need to be designed and configured to protect against data loss due to hardware/system failures. Data protection techniques such as RAID, erasure coding and replication can be used to ensure multiple copies of data are maintained across devices, systems and locations to protect against this type of incident.
- Soft errors - It's not only hardware failures that can cause data to be lost, but also soft errors such as viruses, data corruption, and accidental or deliberate deletions. Typically these are logical issues, not hardware ones, so protection strategies such as data backup, snapshots or versioning technologies can assist with the protection against soft errors.
- Breach of security - Unauthorized access to data can lead to information being maliciously exploited, so protection via security technologies throughout the IT infrastructure, together with the adoption of procedures to prevent data loss this way, is key. Typical network security techniques such as firewalls, virus protection, encryption and controlled user access are required across the data infrastructure, including addressing data stored outside of the datacentre on mobile devices.
It is important to ensure that a thorough audit of best practices and appropriate technology adoption is applied across an organization to meet all these requirements.
VMblog: Are there ways companies could implement technical infrastructure that will ensure the optimal governance of client data?
Stobart:
Technology in itself will not provide automatic compliance and governance of client data. As with any effective solution, technology is only as good as the people and processes in place. Data needs to be reviewed to understand its level of compliance, a task which cannot be carried out by technology alone. Businesses need to understand:
- What is the data?
- Where is the data?
- Where does the data go?
- Whom do we share the data with?
- How do we store the data?
- How do we monitor the data?
- Who has access to the data?
- What is our current exposure/risk assessment?
As businesses store data within multiple technologies from different vendor solutions, it is nigh on impossible to implement a single technology to validate the data held. Assessment must come from a top-down approach from the business departments that "own" the data. Clear guidelines to evaluate the data based on the points above must be provided to the data assessors in order to validate whether data sets are compliant.
VMblog: How can organizations handle different types of data streams?
Stobart:
With data flowing into an organization from different sources, it is imperative that every incoming data stream is validated for compliance. Again, the six core principles that stored personal data must adhere to must be used to assess the incoming data streams. If data suppliers to a business are not in compliance, then a business receiving this data will be in contravention of GDPR, so it is crucial to establish a vetting process for data suppliers.
VMblog: What impact do you think Brexit will have on GDPR?
Stobart:
Although no decisions have been made by the UK government, the expectation is that UK organizations will still have to be compliant. Regardless of where an organization is based, if it is holding personal data on EU citizens then it has to be compliant with GDPR. If the UK government does not enter into the GDPR framework, then it will have to negotiate a type of Privacy Shield agreement with the EU, similar to that of the US. Expectations are that the UK will adopt GDPR.
VMblog: What's the most important thing companies need to do before May 25, 2018?
Stobart:
- Appoint a data controller to manage this ongoing project. The data controller needs to be able to work across all lines of business and technology with a remit to implement sweeping changes to meet the necessary requirements.
- Review the data they currently hold, validate the legitimacy of the data and remove data that causes non-compliance.
- Implement data protection plans to address potential data loss scenarios, such as hard and soft data errors, and implement security protocols and techniques for data in data centres, in the public cloud and on mobile devices.