itnews Australia is reporting on a DLA Piper analysis of GDPR enforcement across Europe since the regulation came into force in May 2018.
GDPR, the General Data Protection Regulation, is a broad-ranging set of rules aimed at ensuring people in the EU have the right to know what personal data businesses hold on them, and to request that it be erased. It's easily the most far-reaching attempt yet to hand control over personal data back to individuals. GDPR is no laughing matter: the upper tier of fines runs to 20 million Euros, or 4% of a company's annual worldwide turnover, whichever is higher (the lower tier is 10 million Euros or 2%). Those fines are clearly aimed at multinationals, and in the run-up to the law companies like Facebook, who profoundly lack substantive ethics when it comes to customer data privacy, were frantically rearranging where and how data on European users was stored.
According to itnews, more than 59,000 personal data breaches were notified to regulators in that period, ranging from innocuous issues such as email sent to the wrong recipient through to significant hacks affecting very large numbers of people. You can find the original DLA Piper report that itnews Australia has covered here.
Despite the large number of breach notifications, only 91 GDPR fines had been issued at the time the analysis was written, most of them in the tens of thousands of Euros. The largest, 50 million Euros, was imposed on Google by the French regulator CNIL, though the report notes this was not a fine for a personal data breach: it concerned personal data being processed for advertising personalisation without valid consent.
But what does any of this have to do with data protection as a storage function?
Data protection systems, and backup and recovery systems in particular, may hold many years' worth of data about the individuals a business has dealt with. So when a customer exercises the right to erasure (the "right to be forgotten"), the backup team may very well need to get involved.
It's something Dell EMC has been talking about for a while (e.g., this post from June 2018, and this dedicated site), and vendors such as Index Engines offer tooling that fits tightly alongside it. As you might imagine, one of the first exercises to consider is getting long term retention data off tape: data sitting on tape can't be indexed or searched in place, which impedes the analysis you need to be doing if you're affected by GDPR.
Analysis is more than just text indexing, of course. It's also a proper review of what truly needs to be retained. Look at the retention policies typically found in organisations: 13 monthlies plus 7 yearlies for any production backup, or 84 monthlies retained for all production backups, sometimes extending to non-production backups as well. But do all those backups actually contain information that needs to be retained? You might say GDPR has the potential to fuel the Marie Kondo moment of backup and recovery: grab the backup tapes, hold them close and ask yourself, do they spark joy? The old approach of performing LTR backups for every system, regardless of whether it's truly needed, may well be approaching its use-by date.
It's not an easy journey, as the fact that the GDPR compliance teams themselves are swamped shows, but putting it off isn't going to make it any easier later. Eventually the compliance teams will get up to speed, both in resourcing and in technical capability, and at that point you don't want to be pointing at a mountain of unmanaged tapes when someone comes to you and says, "John Smith has filed a request to be forgotten".
To me, GDPR enables several discussions to be held between the business and IT:
- LTR classification: What data truly does need to be kept for long term retention purposes? The defaults – everything, or everything production related – need to be thrown out and replaced with more considered and targeted requirements.
- Data re-use: If we’re going to make this long term retention data more accessible for search and discovery, what else can we do with it? (within the legally permitted framework, of course)
- Anchor elimination: As companies evolve, some change their backup software and/or hardware, and the old systems are often left behind as 'anchors' on the IT department. That approach just won't work in a GDPR environment, so real conversations can be had about consolidating records and completing the migration off retired products and hardware.
- Documenting adherence: Your business is going to need new procedures for complying with GDPR, and those procedures need to be codified and documented. If you have to invent the process afresh with each new GDPR request, your teams will waste a lot of cycles.
The EU's GDPR compliance teams may be swamped at the moment, but that won't always be the case: if you work in backup and recovery, you have new duties of care, and you're in a prime position to become an internal data guardian in a new and exciting way.