The clock is ticking, and its alarm is growing louder.
By May 25, 2018, organizations that collect data on citizens in European Union (EU) countries will need to comply with strict new data protection rules. Although the General Data Protection Regulation (GDPR) establishes a new standard for consumer data rights, it also challenges enterprises to create compliant storage systems and processes.
If your organization hasn't yet completed its GDPR backup and storage compliance strategy, here are five key steps you need to take today.
To comply with GDPR backup and data storage requirements and assess privacy risks, organizations need to map their data and information flows.
Accurate and detailed application-to-storage mapping ensures that any application can be traced to the physical storage it uses, whether that is a LUN, a file system or an object store. It's equally important that every backup can be associated back to the application whose data it holds.
GDPR places personal data protection accountability squarely on the shoulders of the organization that's collecting and storing information on EU residents.
GDPR is also designed to ensure data accountability. Your organization will generally comply with this GDPR backup and data protection requirement if it can supply answers to these questions:
- Why did it acquire the data?
- How is the data being stored?
- Why is the data being stored?
- How long does it plan to keep the data?
- In what ways is it protecting the data?
- Does it plan to share the data with third parties?
- For what reasons might it share the data?
Evaluate your current data protection measures
GDPR or not, it's important to ensure that strict rules are in place to govern data access. Audit logs will help you to pinpoint possible data breaches and take any necessary corrective actions.
The data breach response process is an important element of GDPR, as an organization needs to be ready to report a breach within 72 hours. Noncompliance with this requirement, or with any other part of GDPR, could result in large fines.
Assess your current search capabilities
One of the cornerstone goals of GDPR backup and data protection is an individual's "right to be forgotten." To comply with this mandate, ensure that the capabilities to search for, modify and delete an individual's data on demand are in place and fully operational.
You should also be prepared to provide EU-based customers and other users with a complete list of personal data your organization processes or stores, as well as the legal basis for storing the data. And remember that backups of an individual's data need to be deleted as well, upon request.
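The mapping step above and the right-to-be-forgotten requirement come together in practice as a queryable data inventory. The following is an added example, not code from the original article: it builds a constructed map linking each application to its storage targets and backup sets, answers the accountability questions from that map, and produces an erasure plan for one data subject that includes the backup copies. All application, storage, backup and subject identifiers are hypothetical.

```python
# Added example (not from the original article): a constructed data map that
# links each application to its storage targets and backup sets, so that an
# accountability question or an erasure request can be answered by a query
# rather than a manual search. All names and identifiers below are hypothetical.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Storage:
    name: str
    kind: str                                        # "lun", "filesystem" or "object"
    subjects: Set[str] = field(default_factory=set)  # data-subject ids held here


@dataclass
class BackupSet:
    name: str
    source: str                                      # storage target it was taken from
    taken: date
    subjects: Set[str] = field(default_factory=set)


@dataclass
class Application:
    name: str
    purpose: str                                     # why the data was acquired
    legal_basis: str
    retention_days: int
    shared_with: List[str]                           # third parties receiving the data
    storage: List[str]                               # storage targets the app writes to


# Constructed sample inventory (hypothetical names and subject ids)
STORAGE: Dict[str, Storage] = {
    "crm-db-lun01": Storage("crm-db-lun01", "lun", {"s-1001", "s-1002"}),
    "web-uploads": Storage("web-uploads", "object", {"s-1002", "s-1003"}),
}
BACKUPS: List[BackupSet] = [
    BackupSet("crm-weekly-2018-04-01", "crm-db-lun01", date(2018, 4, 1), {"s-1001", "s-1002"}),
    BackupSet("uploads-daily-2018-04-20", "web-uploads", date(2018, 4, 20), {"s-1002"}),
]
APPS: Dict[str, Application] = {
    "crm": Application("crm", "customer support history", "contract", 365,
                       ["ticketing-vendor"], ["crm-db-lun01"]),
    "portal": Application("portal", "user-uploaded documents", "consent", 30,
                          [], ["web-uploads"]),
}


def accountability_record(app_name: str) -> Dict[str, object]:
    """Answer the accountability questions for one application from the map."""
    app = APPS[app_name]
    return {
        "why_acquired": app.purpose,
        "legal_basis": app.legal_basis,
        "where_stored": [f"{s}({STORAGE[s].kind})" for s in app.storage],
        "backups": [b.name for b in BACKUPS if b.source in app.storage],
        "retention_days": app.retention_days,
        "shared_with": app.shared_with,
    }


def erasure_plan(subject_id: str) -> Dict[str, List[Tuple[str, str]]]:
    """Every live location and backup set holding subject_id, keyed by application.
    Backups are listed deliberately: an erasure request is not complete until the
    copies in backup sets are dealt with as well."""
    plan: Dict[str, List[Tuple[str, str]]] = {}
    for app in APPS.values():
        for sname in app.storage:
            if subject_id in STORAGE[sname].subjects:
                plan.setdefault(app.name, []).append(("live", sname))
            for b in BACKUPS:
                if b.source == sname and subject_id in b.subjects:
                    plan.setdefault(app.name, []).append(("backup", b.name))
    return plan


def overdue_backups(today: date) -> List[str]:
    """Backup sets kept longer than the owning application's retention period."""
    owner = {s: app for app in APPS.values() for s in app.storage}
    return [b.name for b in BACKUPS
            if b.taken + timedelta(days=owner[b.source].retention_days) < today]


if __name__ == "__main__":
    print(accountability_record("crm"))
    print(erasure_plan("s-1002"))
    print(overdue_backups(date(2018, 5, 25)))
```

The erasure plan is only as good as the per-location subject index it reads from, so keeping that index current (for example, refreshing it whenever a backup set is written) is what turns the map into something an operator can act on within a deadline.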
Transition from tape
If you're currently creating tape backups, GDPR provides a great reason for moving to a cloud archive, since searching for specific data stored on tape, should the need arise, is both difficult and time-consuming.
Since tape is a linear recording medium, it is poorly suited to random access. However, tape is inherently offline, so it provides good protection in the event of a ransomware attack.