- Rich Castagna, Vice President of Editorial
If you think the GDPR is a reference to some Cold War-era Eastern European security force, you may be unpleasantly surprised in a few months. If you know that GDPR stands for General Data Protection Regulation, but think it's just some "European thing," you might experience similar unpleasantness when May rolls around.
The GDPR is a set of stringent rules devised by the European Union that defines how personal data is to be protected and who's responsible for its well-being. Being an EU regulation, it's easy enough to assume it addresses data from the EU's 28 member nations. That's true, but the rules aren't limited to where that data comes from. The EU's GDPR is about who owns the data, who are the stewards of the data and the responsibilities inherent in that stewardship. Even if your company is solidly red, white and blue, and firmly entrenched in the heartland, if you have any EU-based customers, members or other associates from whom you've collected personal data, it's time for a crash course in the GDPR.
For a lot of businesses, the realization is just sinking in that even though they're based in Broken Bow, Neb., they might be virtually a lot closer to Bad Aussee, Austria. Nowadays, as world economies increasingly link and overlap into one giant globally oriented economy, local and even national borders have become quaint concepts. If your company is any part of this commingling of commerce, you need to get to know the EU's GDPR.
Really, the GDPR is a good thing
It might be a case of what doesn't kill you makes you stronger, but the GDPR cloud may ultimately have a silver lining for storage pros. Still, the list of new rules and regulations is intimidating, so it's hard to see the upside.
Given the breadth and detailed definitions of the rules, it seems like the EU is intent on taming the World Wide Web -- or at least bringing some order and accountability to what the wild world of the web has become. There will be plenty of challenges for storage professionals, but the outcome will likely yield far better storage and data management systems.
Rules, rules, rules
There's no getting around it. Complying with the new rules will be difficult for most organizations. It may fundamentally change how they manage storage and their data. It may also change your organization itself, requiring storage, security, networking and other IT teams to work more closely than ever before.
You can get a better idea of the possible consequences and effect on your infrastructure and processes by taking a closer look at some of the key provisions in the EU's GDPR. Several of them are likely to affect storage systems and management and the important concepts of protection, collection and retention.
Get defensive about data protection
The GDPR spells out specific requirements for protecting data, along with setting standards for documenting the processes involved. In describing data protection, the phrase "by design and by default" is used, meaning protection of customers' data isn't optional or an afterthought; it's built in from the start and always enforced by default.
For storage managers, this will likely mean you'll start encrypting data at rest if you don't already. And it will also require fairly sophisticated data management that keeps you apprised of where personal data is and how it's being used, so you can ensure it's protected. Get ready to have some serious conversations with your security and networking colleagues to coordinate protection efforts and ensure the various methods used complement one another.
If your protection schemes should somehow fail, resulting in a data breach that exposes personal data, the GDPR has that covered, too; you have 72 hours to provide notifications of the extent of the data exposure.
Gather ye data while ye may
Nowadays, with big data implanted in our brains, the tendency is to keep every last bit and byte of data that crosses the threshold and ends up in storage systems. The EU's GDPR suggests this may not be the best practice, mandating that companies have specific reasons and use cases for retaining personal data. The idea is to effectively limit how much stuff we keep -- and maybe lose sight or track of. In a save-everything world, this will require considerable discipline, along with tools that provide insight into personal data, letting us know what we should or shouldn't keep.
The EU strongly suggests we use some data classification apps that would help do a better job of managing the data we store.
Other GDPR provisions make data classification an imperative. For instance, a customer, member or user may, at any time, request their data be deleted. If you have thousands -- or even millions -- of customers or users, finding all the locations and elements that constitute the specific data that needs to be expunged could be an onerous task if effective and intelligent data management isn't in place.
There's also a data portability provision that allows users to obtain their data from you in a form that lets them provide it to another organization or company. Data management makes that doable.
Light at the end of the tunnel
If your company is affected by the EU's GDPR -- and it's surprising how many are -- meeting its requirements may ultimately be rewarding. There's a good chance compliance will mean you've improved your company's data management and grooming. You'll have the ability to classify or tag data. You'll have search tools in place that let you find specific data quickly. You'll have better-defined archiving and deletion policies in place. And you will have survived the GDPR.