The Storage Admin’s Survival Guide to GDPR
Essential facts you need to know for preparation and compliance
On May 25, 2018 the EU’s new rules covering data protection will come into force, bringing in sweeping changes in the law which directly affect what personal data can be stored, what consent is needed from users, the legal basis on which ‘personal’ data can be processed, and requirements for security and access control; all accompanied by a massive increase in the powers of data protection regulators to take punitive action in the event of breaches.
This blog is designed to give storage admins an understanding of why the new regulation is required, an overview of how it will affect them, and to provide simple practical steps that admins can take to ensure they are ahead of the game before the new regime is applied. Read on and you will learn:
- Why we needed a change in the rules
- What is GDPR?
- The eye-watering new powers for regulators that make compliance a necessity
- Simple steps for storage admins
Why we needed a change in the rules
Last time we had a serious overhaul of laws covering personal data was 1998. In the best part of two decades since then, Moore’s law and progress in storage and analytics technologies have given governments and corporations alike enormous capacity for monitoring the behaviour of private citizens: vast amounts of personal data is being gathered in previously undreamed of ways. 1998 was before we cracked the human genome – now you can get your own personal genetic assay in the post – before the first iPhone, before the internet of things, and before the Big Data analytics revolution. It was a time when Amazon only sold books, before Mark Zuckerberg had reached puberty, when the leading search engine was Alta Vista, and Clouds were things that rained on us.
Today we live in a world where accurate personal data covering our entire lives is routinely bought and sold by corporations and – some would say – snooped on by our governments. Apps on our mobile phones capture and sell data revealing our precise location, our movements over time – the places we regularly frequent – our journeys in cars and public transport, the shops we visit online and off, our friendship groups and relationships via the people that we text, call or otherwise message, our passions and interests from what we post on social media, and our complete internet browsing and search history: if you’ve ever wondered why Angry Birds wants access to your phone log and to know your location – well this is why: ‘free’ apps make money by selling your data to advertisers. Advertisers pool data from different sources (mobile and desktop) to build a complete picture of individuals and to make decisions on whether or not to sell you anything from perfume to health insurance. Two corporations in particular have got so good at it that they now account for a staggering 84% of all online advertising dollars spent in the world: the so called ‘digital duopoly’ of Facebook and Google. If as, Sir Francis Bacon famously said, ‘knowledge is power’, then never in the history of mankind have two organizations exercised quite so much of it: protection for the individual in law from both the state and big corporations has become a pressing need. Scott McNeally may have been right when he said in 1999 ‘you have no privacy’ but voters and their legislators – in Europe at least – simply weren’t prepared to put up with this Wild West of regulatory vacuum, and refused, as he suggested, that they should ‘get over it’. GDPR is far from perfect, and parts of it are murky, confusing, and even arguably politically motivated, but something clearly had to be done.
What is GDPR?
The EU’s General Data Protection Regulation lays down rules covering the storage and processing of the personal data of EU citizens, the profiling of data concerning activities undertaken by them whilst physically present in the EU, and the transfer of such data between different organizations. The rules set out the legal basis on which data can be stored and processed, requires organizations to prevent personal data from being accessed inappropriately or falling into the wrong hands, and provides ‘data subjects’ with new rights over their data.
What constitutes personal data under GDPR: the definition is incredibly broad, and much that was not previously considered ‘personal’ is now defined as such – anything that could be attached to a record to identify or contribute towards the identification of a citizen. This includes name, location data, identification numbers, telephone numbers, email addresses, anything in fact that can be linked back to a specific individual: including IP address and cookie data. Extra weight is applied to physical, physiological, genetic, mental, economic, cultural and social data that is considered ‘sensitive’, and to personal data of children.
What does ‘processing’ mean: any analysis of personal data, any decision making taken on the basis of personal data, whether those decisions and analyses are conducted by machines or humans, regardless of who does the actual processing – you or your suppliers as both data ‘controllers’ (owners of data) and ‘processors’ (those providing services related to data) are covered.
What does ‘profiling’ mean: automated approaches using data to predict an individual’s performance at work, their economic situation, personal preferences, interests, reliability, behaviour or location. Basically pretty much every use your marketing team has for personal data is affected.
Types of organizations covered by the rules: every business and public sector body that processes the data of European citizens, offers goods or services to anyone in the EU, or who monitors the behaviour of European citizens in Europe (not outside). The rules apply whether you are charging for services for European citizens or providing them free. The rules cover you even if you don’t process the data in Europe. And the rules apply whether you are the ‘owner’ of the data or whether you are storing or processing it for someone else. Basically it covers working with the data of European citizens – even if all you are offering is a free website: if you’re collecting or processing or storing the incredibly broadly defined ‘personal’ data of European citizens, the rules cover you.
Mandatory breach reporting: If you detect a hack, or believe that data has got into the wrong hands, you will have a statutory duty to tell the regulator within 24 hours – unless you can show that making this information public makes the situation worse, and then you have a maximum of 72 hours – and the rules are pretty clear that you’d better have a good reason for any delay in reporting.
New powers for regulators:
Regulators like the UK’s ICO – Information Commissioners Office – have previously had limited powers. Data breaches could result in prosecutions leading to fines up to a maximum of £500,000, organisations could be forced to sign ‘undertakings’ guaranteeing their behaviour, and public sector bodies – not private – could be audited without consent. Despite much debate on the topic, there were no powers for custodial sentences. In practise, the fine has been the action of last resort: the annual total of combined fines in the UK has never got much past £3m, and the largest single fine ever handed out didn’t hit the maximum penalty (Talk Talk, £400,000) and this despite the regulator saying ‘failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease’. Gross negligence, the loss of customer data including name, phone number, and bank details, resulting in what adds up to a slap on the wrist.
By comparison the new powers are eye-watering: fines can be levied up to €20m or 4% of global turnover, at the parent company level, whichever is greater. And that parent company level bit is worth noting – if any one company inside of a group has a data breach, the fine can take into consideration all turnover in the group: in the case of a major company like Tesco, the breach in their banking arm could have resulted in a colossal fine: £1.9bn. Not even Google can ignore this kind of sanction.
Steps for storage admins:
First and foremost, compliance with GDPR is a team sport. If your organisation has a GDPR committee, or a company-wide compliance drive, find out what is going on and contribute. It’s going to be a lot easier to join an existing initiative than to start your own – but if you are storing the personal data of EU citizens and there’s no compliance effort in place already you’d best talk to the boss about starting one.
#1. Audit your data.
In the big data era, we’ve been encouraged to hold on to as much data as we possibly can because it might come in useful somewhere down the road for analytics, and often data is accessed by – or written to – by different systems and backed up across a chain with multiple copies of the same records. A lot of data is effectively dumped in cold stores just in case – and previously its quite likely that you worked to the idea of the law potentially requiring that data from you later . . . now if you have no legal basis for holding or processing personal data it might require that you delete it.
Your first step is working out what data you have that is personal – bearing mind the new broad definition of what constitutes personal data – and the chances are that it will. Document what you are storing, where the data is coming from, and what systems are accessing it. Make sure the relevant people in your organisation have been informed.
Have you got employees in Europe? Because if you have, every system that has their personal data in it – their employment records, their pay, their home addresses, bank details, family relationships, residential and email address, telephone numbers and so forth are subject to GDPR. Bear in mind that Brexit is not affecting UK compliance – the government have made it crystal clear that they will comply.
#2 map which applications are accessing and processing personal data.
Its common for different applications to access stored data – in fact its been something of a marketing holy grail in the march towards building a ‘single view of the customer’. However, if your business is processing personal data, you need to ensure it is legal. GDPR provides six legal grounds for legal processing:
- The data subject(s) has given you consent to process their data for a specific purpose only. This has to be informed, and it has to be freely given. Small print is – literally – forbidden.
- Processing personal data is necessary for a contract. Like, for example, running a credit check on someone about to buy something.
- Processing personal data is necessary for another existing legal compliance requirement.
- Processing is necessary to protect the vital interests of the data subject (e.g. medical records by hospital staff).
- Processing is necessary to carry out the duties of public authorities.
- Processing is a necessary part of your business . . . as long as this doesn’t clash with the fundamental rights of the data subject.
The final grounds here, referred to as ‘legitimate interest’ is murky, poorly understood, and will probably require a good deal of case law (companies defending action from the regulator in court) before it is reliable. The UK’s DMA (Direct Marketing Association) lobbied heavily for this – effectively to ensure that large chunks of current approaches to digital direct marketing remain legal, arguing that it is a necessary part of doing business. However, ‘legitimate interest’ clashes with the fundamental rights of citizens:
- Data subjects have a right to demand no processing takes place without informed consent (as before, no burying in the small print).
- Data subjects have a ‘right to be forgotten’ – meaning if they ask, you must delete all data held on them.
This clash makes the final outcome unclear. GDPR asks industry associations to come up with compliance guidance – unsurprisingly with the fines as they are, few if any are quite ready to put their necks on the block with hard and fast interpretations.
If you are in the public sector, you may well find that GDPR is legitimising your use of data and consent is not necessary. If you’re working in an area – like credit cards – where processing personal data like credit history is necessary, ‘legitimate interest’ will stand. If however, you’re supporting marketing systems, a thorough going audit of permissions is going to be necessary – and this is clearly beyond the remit of the humble storage admin and into the hands of the lawyers: do your bit by ensuring the marketers know what they’ve got, where it is, and how different systems are using it.
#3. Check who has access to personal data – and how they access it
GDPR requires organisations to take steps to prevent personal data from falling into the wrong hands – and again to document the steps they have taken for potential audit. Find out who can access or extract stored data, ensure controls are in place so that only authorised personnel can access it, and put in place controls for extraction. It is remarkable how many organisations allow employees to extract data to portable media, ping large files via email or services like Dropbox and to transfer unencrypted files – files which lack even the basics of a password to protect them. The data might be for an entirely necessary purpose – like a slice of customer data for a test development environment: don’t permit it. Look into approaches like data masking (called ‘pseudonymisation’ in GDPR)– do not create situations or contribute to situations where data loss is a risk. Think: encryption, identity and access management. Document it.
#4. Ask: is your storage up to it?
It makes sense to use GDPR as a reason to conduct a thorough going audit of your data storage strategy and processes: opportunities like this to mandate change don’t come along every day – and the potential fines and action from the regulator deliver a sound business case for investment.
As of May 25 2018, GDPR will be in force for all organisations who process the personal data of European citizens, be they public or private. The data protection regulators will have enormous powers to enforce the rules and to punish those who break them – enough power to make even the mightiest of corporations pay attention: non-compliance is simply not an option.
If you take steps now to ensure that you are moving the right direction, you are in time to ensure that you are on the right side of the law – if you sit on top of potentially serious issues you could be putting your organization at sever risk.
We hope this has gone some way to giving you a basic grounding in why the law is changing so sharply, and the part that storage admins have to play in getting ready for the new era of data protection GDPR will engender.
Clearly, becoming compliant is very much a team sport: storage admins are not going to deliver compliance on their own. They do however, have a critical part to play in joining the new business culture and processes that are required.
Want to storage more for less then checkout suse.com/storage