By now, most companies that do business in the EU are aware of the General Data Protection Regulation (GDPR), which takes effect on 25 May 2018. It applies not only to organizations established in any of the 28 EU member states, but also to organizations outside the EU that offer goods or services to people in the EU or “monitor the behaviour” of those people. It also carries hefty fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher. In short, the regulation will require companies to implement new processes and procedures around the collection and storage of personal data (often referred to as personally identifiable information, or PII), and those changes will very likely drive changes to data storage solutions as well.
The GDPR defines personal data as any information relating to an identified or identifiable natural person, whether it concerns his or her private, professional or public life (banking information, medical information, email addresses, social media posts and so on). Much of the regulation is concerned with making sure that this PII is not only processed on a lawful basis, most commonly the person’s consent, but is also kept for a specified purpose and for no longer than that purpose requires. So, if a customer signs up for a product warranty that is good for three years, the company would need the customer’s explicit permission to use his or her PII for marketing campaigns, and would need a justification to keep that data beyond the three-year warranty period.
Under the GDPR, companies will need controls over who can access personal data and at what level, along with breach-detection mechanisms and a notification process capable of informing the supervisory authority within 72 hours of becoming aware of a breach. Transfers of personal data outside the EU are also regulated. These are, generally speaking, process controls, and they will probably have little direct impact on your infrastructure. The two provisions with the most potential to directly affect your data storage solution are “data protection by design” and “data protection by default”.
Basically, if your company processes the personal data of people in the EU, you have to design a storage solution, whether in-house, in the cloud or a hybrid, that is easy to access and easy to manage and that has privacy and protection designed into its foundation rather than bolted on afterward. This becomes even more challenging if you are moving that data between multiple EU countries and locations outside the EU. The point is that you need to understand your own internal controls, infrastructure and data architecture, as well as those of any external partners or service providers who handle the data on your behalf, and make sure that your storage solution strikes the right balance between investment and GDPR compliance.
It may sound daunting, and the GDPR is going to force you to weigh cloud against in-house solutions. Your data will have to meet the principle of privacy by default, support the rights to data portability and erasure (so it must be held in a format that can be exported and deleted on request), and meet the data minimization principle. But because the regulation places liability on both the company that controls the data and the service providers that process it, cloud providers are strongly motivated to have robust compliance solutions in place, so a cloud or hybrid solution could actually be the simpler, less expensive route. In many cases, moving to the cloud could improve your security while reducing your costs and risk, especially when working with experts in cloud storage, like IBM.
Regardless of the route you choose, the GDPR presents a new challenge for anyone wanting to do business in the EU. The best approach is to deal with it before May 2018, when the regulation takes effect.