GDPR 2 Years In: Achieving GDPR Compliance 2 Years On

“Data is the new oil” is a phrase we hear often in the modern world. Organisations across the world are transacting and storing explosively growing amounts of data, and that data includes sensitive private data belonging to their customers. The General Data Protection Regulation, or GDPR, which went into effect almost exactly two years ago, on May 25th, 2018, was designed to protect the identities of users. It mandated that user data (or personally identifiable information, also known as PII) cannot be utilised by organisations without their explicit consent. PII is not just names, phone numbers or bank accounts; it is anything that can identify a person, including IP or MAC addresses.

The regulation aims to give users control over how their data gets used, to build confidence among consumers that their data is safe, and to demand accountability from organisations for how personal data is processed and protected. In summary, it is about users being able to trust enterprises with their data. GDPR is the most comprehensive regulation to protect consumers: it holds companies to a higher standard of security for personal data and instils stricter security controls and audit measures. While the intent of GDPR is quite positive, many businesses are struggling to hit the compliance mark. Why? Let’s look at one of the key culprits: mass data fragmentation.

Mass data fragmentation: what is it, and why does it make GDPR compliance so challenging? With the increasing threat of cyber-attacks and the many ways in which data can be stolen, companies large and small are finding it difficult to keep their data safe and to meet GDPR requirements.

More than 80% of all data within an enterprise sits in backups, archives, object stores, filers and test/dev environments. This data, sometimes called secondary data, lives in siloed infrastructure spread across multiple point products and locations, both on-premises and in public cloud infrastructure.

In a survey of over 900 senior IT decision makers conducted by Vanson Bourne, 87% of respondents acknowledged that secondary data is fragmented and becomes impossible to manage in the long term, 63% have 4-15 copies of the same data, and 85% store data across 2-5 public cloud platforms. These statistics raise major questions for organisations globally: if they have all of these data copies, how can they possibly know what PII is in those copies? And if those copies have been replicated to a host of public clouds, who is keeping track of which PII is where?

As you might imagine, this enormous data sprawl and lack of visibility make it nearly impossible for IT owners to locate, and take corrective action on, the personal data they hold within their environment, because they don’t know what data they’ve got or where it’s located. Two years into GDPR, there is ample evidence that organisations have struggled with a lack of resources and with the sheer complexity of handling data in a way that ensures compliance.

The following capabilities simplify GDPR compliance:

  • Consolidate secondary storage: Consolidate target storage, backup software, files, objects, test/dev copies and analytics data on one web-scale platform. By consolidating secondary storage, companies avoid copying data multiple times across point appliances. Data governance, security, search and analytics become a lot simpler when done on a single platform.
  • Secure data against unauthorised access: Under GDPR rules, encrypting data and storing the keys in a separate location is considered equivalent to pseudonymisation of personal data. Choose a platform that provides full support for pseudonymisation using encryption keys. In addition, fine-grained Role-Based Access Control (RBAC) ensures that only authorised users have access to the data.
  • Protect against data loss and ransomware: Use erasure coding and replication to ensure data resiliency within a cluster. Protect data in immutable, automated snapshots to guard against data loss and ransomware. Data can also be replicated and archived to tape or cloud to provide off-site data protection.
  • Automate data retention periods: To comply with data minimisation requirements, enable backup administrators to specify data retention periods through automated policies. Data can then be retained, deleted or expired automatically according to those policies.
  • Identify personal data with search and analytics: Under GDPR, individuals have the right to request the erasure of their personal data from the company’s systems. In these situations, companies first have to identify every instance of that personal data across secondary storage. Index all file and VM metadata upon ingestion into the system, enabling global, Google-like search to quickly identify individual files.
  • Manage and secure data across multi-cloud environments: Many customers are using, or plan to use, the public cloud for data storage. Yet GDPR restricts the locations and providers to which personal data may be sent. Choose a platform that enables users to replicate data across clusters and to the cloud, and to archive data to the cloud or to any NFS- or S3-compatible storage. Ensure simple control of data location across multi-cloud environments, and ensure that data in the cloud can be encrypted, indexed and analysed to enable GDPR compliance regardless of location.
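To make three of the capabilities above concrete, here is an added example (not code from the original article or from Cohesity) of a toy secondary-data inventory: a pseudonymised PII index built at ingestion, retention-policy expiry, and a data-location check against permitted regions. The inventory records, silo names, retention periods and the `INDEX_KEY` constant are all constructed for the example, and the function names are assumptions rather than any product's API.

```python
"""Toy secondary-data inventory: pseudonymised PII index, retention expiry,
and data-location checks. All data is constructed; names are assumptions."""
import hmac
import hashlib
from datetime import date, timedelta

# Key used to pseudonymise identifiers in the index. In a real deployment it
# lives in a separate key store; it is an in-memory constant here so the
# example runs offline. (Constructed value, not for production use.)
INDEX_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise(identifier: str, key: bytes = INDEX_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier such as an e-mail address.
    The index stores only this token, so the index alone does not reveal who
    is in it; turning a person into a lookup token requires the separately
    held key."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


# Constructed retention policy: maximum age per silo, in days.
RETENTION_DAYS = {"backup": 90, "archive": 365 * 7, "testdev": 30}

# Constructed inventory: one entry per copy of a file across secondary silos.
INVENTORY = [
    {"id": "bk-001", "silo": "backup", "region": "eu-west",
     "created": date(2020, 1, 10), "subjects": ["alice@example.org", "bob@example.org"]},
    {"id": "bk-002", "silo": "backup", "region": "eu-west",
     "created": date(2020, 5, 1), "subjects": ["alice@example.org"]},
    {"id": "ar-001", "silo": "archive", "region": "eu-central",
     "created": date(2015, 3, 3), "subjects": ["carol@example.org"]},
    {"id": "td-001", "silo": "testdev", "region": "us-east",
     "created": date(2020, 3, 1), "subjects": ["alice@example.org"]},
]


def build_index(inventory):
    """Index built at ingestion: pseudonymous token -> ids of every copy that
    holds data about that subject."""
    index = {}
    for item in inventory:
        for subject in item["subjects"]:
            index.setdefault(pseudonymise(subject), []).append(item["id"])
    return index


def locate_subject(index, identifier):
    """Resolve an erasure request: every copy that must be found and purged."""
    return sorted(index.get(pseudonymise(identifier), []))


def expired_items(inventory, today, retention_days=RETENTION_DAYS):
    """Ids of copies whose retention period has elapsed; a policy engine would
    expire these automatically. `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(item["id"] for item in inventory
                  if today - item["created"] > timedelta(days=retention_days[item["silo"]]))


def items_outside_allowed_regions(inventory, allowed):
    """Ids of copies sitting in a region the data-transfer policy does not permit."""
    return sorted(item["id"] for item in inventory if item["region"] not in allowed)


if __name__ == "__main__":
    idx = build_index(INVENTORY)
    print("copies holding alice:", locate_subject(idx, "Alice@Example.org"))
    print("expired on 2020-05-25:", expired_items(INVENTORY, "2020-05-25"))
    print("outside the EU:", items_outside_allowed_regions(INVENTORY, {"eu-west", "eu-central"}))
```

Two design points are worth noting. The lookup normalises the identifier before hashing, so an erasure request written with different capitalisation still finds every copy; and because the index holds only keyed tokens, an operator with read access to the index but not to the key cannot enumerate the data subjects it covers, which is the separation of data from key that the pseudonymisation bullet above relies on.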

Two years after GDPR came into effect, businesses need to take further steps to address the challenges of handling data, both to achieve compliance and to benefit from digital transformation. In a challenging and competitive marketplace, companies that learn to manage their data more effectively can reap rewards, including fewer compliance risks, better competitive positioning, happier employees and reduced turnover.


By Andrew Fitzgerald, Sales Director for Western Europe and Sub-Saharan Africa, Cohesity
