GDPR Simplified: Distilling Its Significance on Infrastructure
The rise of data breaches and tightening privacy regulations have exposed vulnerabilities, inadequacies, and gaps within many IT teams and infrastructure.
The General Data Protection Regulation (GDPR) represents an ebb tide of unprecedented proportions, exposing the brittle infrastructure and lack of nimbleness of many organizations. A Thomson Reuters survey revealed that, a year after GDPR went into effect, 79 percent of global businesses were either failing to meet regulatory requirements or having trouble keeping up to date with GDPR.
Failing to meet these requirements can mean steep fines. Non-compliant businesses can be fined up to €20 million or 4% of worldwide annual revenue—whichever is higher. A key reason why organizations are struggling to meet GDPR requirements is the need to rethink data management in a profoundly new way.
The Seven Principles
GDPR codifies data privacy law across all European Union member countries. It applies to any citizen or resident of the European Union and to any company doing business with a resident of the EU. It’s a landmark bill that lays out a comprehensive framework for enabling greater transparency and privacy for consumers. The collection of requirements follows a narrative around the data controller and the data processor and their obligations to ensure data privacy for the consumer. It’s a set of 99 articles, but each is predicated on one or more of seven core principles (Article 5.1):
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
These seven principles are laid out towards the beginning of the regulation and govern everything that follows. These governing principles fundamentally impact much of IT infrastructure and processes in place today. For enterprise IT, these principles can be distilled into three major themes: data protection and integrity, risk minimization, and gaining more control and visibility on data.
GDPR mandates that organizations not only be more transparent and fair in collecting data, but also protect the data they hold. A key theme is the ability to process data securely. Along those lines, GDPR Article 32 directly states that organizations should “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”
Article 32 makes it clear that secure data processing is about more than the confidentiality of data: the entire data management strategy must be comprehensive. This includes structural initiatives such as documenting processes and enabling organizational awareness. It also means the technical strategy must incorporate resiliency, availability, and integrity.
Article 32 makes the case that securely processing data is predicated on the ability to recover from disasters and human error quickly: “[companies should have] the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
These aspects of GDPR provide a clear rebuttal to a misconception commonly attached to the regulation: that it is only about personally identifiable information (PII). Make no mistake, GDPR is far more expansive than a discussion about PII.
For a long-term technical strategy, it’s critical to invest in a comprehensive disaster recovery solution and be able to predictably recover data. To ensure compliance as well as business continuity, it’s important to be able to recover quickly, at scale, and consistently.
Data should also be held securely. WORM—write once, read many—is a paradigm that describes a data storage device on which information, once written, cannot be modified. This protection mechanism ensures data cannot be tampered with. Once tied to physical storage technology, the same paradigm is now provided by modern data management solutions, making backups and data immutable against threats such as ransomware.
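To make the WORM paradigm concrete, here is an added illustration (not code from the article or from any product it describes) of an in-memory store that enforces write-once semantics and a retention lock, and that can re-verify a stored object's digest later. The class names, the retention period and the injectable clock are assumptions made for this example.

```python
"""Toy write-once-read-many (WORM) backup store.

Added illustration, not the article's or any vendor's code. It models the
behaviour the text attributes to WORM storage: an object, once written, can
be read and integrity-checked but never overwritten, and cannot be deleted
until its retention period has expired. Names are assumptions for this demo.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable


class WormViolation(Exception):
    """Raised when a write-once or retention rule would be broken."""


@dataclass(frozen=True)
class WormObject:
    data: bytes
    sha256: str
    written_at: float
    retain_until: float


@dataclass
class WormStore:
    """In-memory stand-in for an object store with a retention lock.

    retention_seconds: how long each object is locked after being written.
    clock: injectable time source so the retention rule can be exercised
    deterministically (real code would use time.time).
    """
    retention_seconds: float
    clock: Callable[[], float] = time.time
    _objects: dict = field(default_factory=dict)

    def put(self, key: str, data: bytes) -> str:
        # Write-once: a second write to the same key is refused outright,
        # which is what stops ransomware from encrypting a backup in place.
        if key in self._objects:
            raise WormViolation(f"{key!r} already exists; WORM objects cannot be overwritten")
        now = self.clock()
        digest = hashlib.sha256(data).hexdigest()
        self._objects[key] = WormObject(data, digest, now, now + self.retention_seconds)
        return digest

    def get(self, key: str) -> bytes:
        return self._objects[key].data

    def delete(self, key: str) -> None:
        # Deletion is only permitted once the retention lock has expired.
        obj = self._objects[key]
        if self.clock() < obj.retain_until:
            raise WormViolation(f"{key!r} is under retention until {obj.retain_until:.0f}")
        del self._objects[key]

    def verify(self, key: str) -> bool:
        """Recompute the digest recorded at write time; False means the bytes
        were altered below the WORM layer (e.g. on the underlying disk)."""
        obj = self._objects[key]
        return hmac.compare_digest(hashlib.sha256(obj.data).hexdigest(), obj.sha256)


def demo() -> dict:
    """Exercise the store with a constructed payload and a fake clock."""
    fake_now = [1_000_000.0]
    store = WormStore(retention_seconds=30 * 24 * 3600, clock=lambda: fake_now[0])
    key = "backups/2024-01-01/customers.bak"
    backup = b"constructed backup payload: customer table snapshot"
    results = {"digest": store.put(key, backup), "verified": store.verify(key)}
    try:
        store.put(key, b"constructed: attacker-encrypted copy")
        results["overwrite_blocked"] = False
    except WormViolation:
        results["overwrite_blocked"] = True
    try:
        store.delete(key)
        results["early_delete_blocked"] = False
    except WormViolation:
        results["early_delete_blocked"] = True
    fake_now[0] += 31 * 24 * 3600  # advance the fake clock past retention
    store.delete(key)
    results["delete_after_retention"] = key not in store._objects
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the injectable clock is that the retention rule is only as strong as the time source the store trusts; production object-lock implementations enforce the lock server-side precisely so that a compromised client cannot "advance the clock" the way this demo does.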
Privacy by Design is often discussed with regard to data protection and GDPR. It involves technical and organizational measures that ensure companies process only the data absolutely necessary for their business and limit access to personal data to the employees who need it.
Article 25 references tangible steps that can be considered Privacy by Design approaches: data minimization and pseudonymization. Organizations do not have to compromise business objectives when taking steps for compliance—they just need to view data management holistically.
Consider dev/test environments. Using purely synthetic test data for application development avoids GDPR issues, but it deprives developers of realistic testing scenarios, and the resulting drop in software quality takes a toll on the customer experience. Instead, limiting data sprawl and the footprint of test data, combined with integrated data masking and role-based access control, gives your team the best of both worlds: customer privacy and customer experience.
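As an added example (not the article's or any product's code) of the dev/test approach described above, the following script takes constructed production-like records and produces a test copy in which direct identifiers are replaced by keyed pseudonyms, quasi-identifiers are masked to reduced precision, and each role sees only the columns it needs. The role names, field lists and the HMAC key are assumptions for this example; the key represents the secret the data controller keeps out of the test environment.

```python
"""Pseudonymization, masking and role-based column views for test data.

Added example, not code from the article. Direct identifiers become keyed
HMAC-SHA256 pseudonyms (consistent across tables for the same customer,
but not reversible without the key); quasi-identifiers are masked; and a
per-role column allow-list implements coarse role-based access control.
Roles, fields and sample rows are constructed for this demo.
"""
import hashlib
import hmac
import re

# Constructed sample rows standing in for a production extract.
PRODUCTION_ROWS = [
    {"customer_id": "C-1001", "email": "anna.example@example.org",
     "phone": "+49 30 123456", "dob": "1984-07-12", "plan": "pro", "balance_eur": 120.50},
    {"customer_id": "C-1002", "email": "ben@example.net",
     "phone": "+44 20 7946 0000", "dob": "1990-02-03", "plan": "free", "balance_eur": 0.0},
]

# Role -> columns that role may see in the test environment (assumed roles).
ROLE_COLUMNS = {
    "developer": {"customer_id", "email", "plan", "balance_eur"},
    "qa": {"customer_id", "plan", "balance_eur", "dob"},
    "analyst": {"plan", "balance_eur"},
}

DIRECT_IDENTIFIERS = ("customer_id", "email")            # pseudonymized, consistent
MASKED_FIELDS = {"phone": "partial", "dob": "year_only"}  # reduced precision


def pseudonymize(field: str, value: str, key: bytes) -> str:
    """Keyed, deterministic, non-reversible token for a direct identifier.
    Emails keep an address-like shape so application code still validates."""
    token = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return f"pseu-{token}@test.invalid" if field == "email" else f"pseu-{token}"


def mask(field: str, value: str) -> str:
    """Reduce a quasi-identifier to the precision tests actually need."""
    how = MASKED_FIELDS[field]
    if how == "partial":
        # keep the country code and last two digits, drop everything else
        digits = re.sub(r"\D", "", value)
        return f"+{digits[:2]}...{digits[-2:]}"
    if how == "year_only":
        return value[:4] + "-XX-XX"
    raise ValueError(f"unknown masking rule {how!r}")


def build_test_row(row: dict, key: bytes) -> dict:
    """Apply pseudonymization and masking; business data passes through."""
    out = {}
    for field, value in row.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymize(field, value, key)
        elif field in MASKED_FIELDS:
            out[field] = mask(field, value)
        else:
            out[field] = value
    return out


def view_for_role(rows: list, role: str) -> list:
    """Column-level RBAC: strip anything the role is not entitled to."""
    allowed = ROLE_COLUMNS[role]
    return [{k: v for k, v in r.items() if k in allowed} for r in rows]


def leaks_raw_identifier(test_rows: list, originals: list) -> bool:
    """Control check: does any original identifier survive in the test copy?"""
    raw = {o[f] for o in originals for f in ("customer_id", "email", "phone", "dob")}
    return any(v in raw for r in test_rows for v in r.values())


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-kept-by-the-controller"
    test_rows = [build_test_row(r, demo_key) for r in PRODUCTION_ROWS]
    for role in ROLE_COLUMNS:
        print(role, view_for_role(test_rows, role))
    print("leak:", leaks_raw_identifier(test_rows, PRODUCTION_ROWS))
```

Two design choices matter here. A keyed pseudonym rather than a plain hash means an attacker who obtains the test data cannot rebuild the mapping by hashing guessed emails, and rotating the key invalidates every pseudonym at once. The `leaks_raw_identifier` check is the kind of automated gate a pipeline should run before a masked extract is released to a dev/test environment.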
Greater Control and Visibility
Control is the defining theme of GDPR. The regulation gives more control to individuals over their personal data and as a direct corollary, pushes businesses to have greater control over their own data management processes and infrastructure.
Articles 24 and 28 push the data controller and processor, respectively, to know the entire scope of data being collected and processed. Under these articles, the following questions are just some that must be addressed:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
These articles revolve around the ability of organizations to have a complete understanding of data under their management. For many enterprises operating at scale, this is a real challenge, owing to factors such as mass data fragmentation.
Consequently, GDPR pushes for promptness. In the case of a data breach, an organization must report the incident to those affected within 72 hours. In the case of a Data Subject Rights (DSR) request to access their data, an organization must be able to provide that information within one month. Limiting data sprawl is the first step toward greater visibility and control over data. The second step is gaining the ability to manage data on a global scale. Taking these steps helps companies operating at scale to be more nimble and compliant.
GDPR and Infrastructure
Two years after GDPR’s advent, organizations are still struggling to meet the regulation’s requirements. A core roadblock in their way is the need to rethink their data management strategy. The regulation is more expansive than just a bill to protect PII. Its principles provide a framework for IT teams to ensure data integrity, reduce risk, and gain greater control over their data.