Many IT Planners look at the European Union’s (EU) General Data Protection Regulation (GDPR) as a distinctly European problem. The reality is the GDPR and regulations like it, impact businesses around the world. GDPR impacts any business that does business in the EU, and many countries are adopting legislation that is very similar to this regulation. In the US for example, California recently passed the Consumer Privacy Act, which has much in common with GDPR.
From a data perspective, GDPR and similar legislation make two processes critical within an organization; data protection and data retention. Unique to these regulations is the focus on the protection and retention of data belonging to users and customers even after those customers have signed a usage agreement.
The data protection components of these regulations are straightforward. They require that the organization must protect all customer and user data and that it must all be recoverable. A challenge in these regulations is their use of language like “in a timely manner”, but they don’t define what “timely” means.
Understanding Data Retention and Privacy
A data retention policy defines how long an organization will keep data. Data privacy defines how an organization will ensure who has access to the organization’s or a users’ data. Regulations like GDPR present a new challenge to data retention and privacy policies. These regulations allow the user or customer to demand that an organization remove all data that it may be storing about the user or customer.
Often called “the right to be forgotten”, these policies are essentially retention policies in reverse. The organization, instead of making sure it always stores a copy of data, now has to make sure that it removes and never stores another copy of that user’s data again. It has to redesign its backup architecture to respond to requests like “delete John Smith from every backup and archive.”
The Problem with Backup and Data Privacy
Executing a data privacy request requires an organization to have granular detail of the data it stores. The problem is that most backup solutions, for years, have protected data in bulk. In most modern backup applications organizations use today backup data is stored as an image of a volume or a server. Image backups are more efficient at data transfer than most other forms of backup, especially when protecting hundreds of thousands files. While most data protection solutions can extract individual files from an image backup, searching across multiple image backups for every instance of a particular group of files is almost impossible.
The Problem with Data Management
The granular, discrete access to specific sets of files and making sure those files are retained, or not, is typically the responsibility of a data management or archiving solution. The first problem with counting on a data management solution to enable an organization to comply with GDPR like data privacy demands is most organizations don’t have a data management solution. These organizations count on backups for their data retention needs, which won’t meet the GDPR requirement. The second problem is that data management solutions don’t provide data protection so the organization has to implement, manage and monitor at least two separate solutions.
Data Management with Integrated Protection
The answer for organizations is to look for solutions that integrate data protection and data management into a single solution. The solution will still need to provide very rapid backup performance while having the granularity to search across those backups to find specific data patterns that need to be either retained for a long period of time or deleted.
In our next blog, solving “The Right To Be Forgotten” Problem”, we’ll discuss how organizations can address the this problem and how data management and data protection software needs to change to better meet these demands.