Infrastructure’s role in GDPR compliance

The General Data Protection Regulation (GDPR) deadline is fast approaching and with 4 per cent of an organisation’s global revenue at stake, should a breach occur, every commercial entity needs to be concerned and actively building out their compliance plan if they are not yet at the ‘ready’ stage.

It is not as if organisations have not already been storing data effectively before this, as the technologies have well matured from the tape days, and even moved on from disk for tier one data. But GDPR is set to bring the biggest shake up to how personal data is stored, accessed and deleted and IT infrastructure teams for organisations in Europe and further afield must be fully involved in the process to ensure organisations are compliant. Storage has a key part to play and has been rather overlooked in the orgy of data governance advice shared with organisations in the run-up to the compliance enforcement deadline.

The regulation provides explicit definitions on personal data, how it can be used and how it should be protected and managed, both virtually and physically. As the majority of customer data is processed via on-premise or cloud-based servers, and accessed across the network, IT infrastructure teams must know where each and every packet of customer data is and how it’s being accessed, otherwise organisations could be in violation of the regulation. After all, the regulation’s primary intent is to establish processes for the protection of personal data.

However, unbeknownst to many, the concern of physical infrastructure extends beyond an organisation’s data centre. It includes hosting services, managed service providers, colocation facilities, SaaS vendors and virtually any XaaS vendor. If your organisation holds personal data and works with one of these services or partners, it will be held accountable, regardless of where the data resides. So it’s important to know where relevant data resides and what assets connect to it.

According to the regulation vendors like these must also meet the strict requirements but, more importantly the organisation and vendor must have a contract outlining their data protection agreement. Not having one indicates that your organisation doesn’t know what your partners are doing with your user’s data.

This introduces a fundamental management problem around the infrastructure organisations are using and how they’re handling data. They need to be actively building out the compliance plan, as GDPR requires organisations to know all aspects of how vendors operate, from their security framework to how they manage data. In absence of that knowledge, businesses don’t know the risks they present, and how that can impact future revenue.

But, how can your IT infrastructure team keep track of all this data and the assets and infrastructure that support it? This is where data centre infrastructure management (DCIM) comes in.

DCIM can enable organisations to track data within the physical and virtual IT infrastructure and show how it is transported and stored as well as show who has interacted with it, giving the business or whoever else needs to see a clear view of how it’s being handled and safeguarded. But, when looking for a DCIM provider, not all offer the same services. When in discussion with a provider, ask:

  • Can you tell where the critical data is located, geographic location, devices servers/storage/network?
  • Can you identify where the data is replicated, geographic location, devices servers/storage/network?
  • Do you have a suite of security tools should they need to be deployed on identified devices – and enabled?
  • Can you give data breach notifications i.e. what “data subjects’” data ran on what assets?
  • Have you the capability to identify secondary infrastructure locations for the safe handling of data across borders?

Also, a DCIM software provider must be able to support a business with onsite and offsite training. Like with any software or system, simply installing a DCIM solution and turning it on won’t solve all the challenges ahead. It’s imperative that your workforce is educated from the top to the bottom, creating a universal understanding of the importance of safeguarding data and the impact that not upholding it could have.

When it comes to managing data centres and hybrid computer infrastructures, ensure the solution you choose has proven expertise to eliminate the risk of sanction, not only the upcoming GDPR regulation, but wider regulations – as ultimately, the fines for flouting rules will be the least of your problems if customers and partners lose trust and vote with their feet…

 

By Mark Gaydos, Chief Marketing Officer, Nlyte


GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at http://www.gdprsummit.london/