Data privacy came sharply into view in May 2018, when the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect. The data protection components of the regulation are challenging enough, but GDPR added a new wrinkle, “the right to be forgotten,” which states that an EU citizen has the right to know what data of theirs an organization is storing and why or how it is using that data. GDPR also provides EU citizens with the right to ask (demand) organizations that store their data to remove all traces of their personal data from their servers.
At first, GDPR and data privacy in general looked like a problem only for EU-based companies, and most US companies ignored it. Toward the end of the year, however, California passed the California Consumer Protection Act (CCPA), which goes into effect January 1, 2020, and requires companies doing business within the state to comply with legislation that is very similar to GDPR and in some areas even more restrictive. Other states are in the process of enacting very similar legislation.
Given the data privacy trend, organizations need to quickly put policies in place that allow them to manage their data better and to comply with regulations like GDPR and CCPA. The penalty for not complying is too high. The good news is that a robust data management strategy helps the organization in other ways beyond just complying. Organizations with a robust data management strategy can reduce storage costs, increase storage efficiencies and better mine their data for future use.
Data Privacy Starts with Data Understanding
The first step in creating a data management strategy and charting a course to complying with data privacy regulations is to understand what data the organization is storing. Without a basic understanding of what data it is storing and what information that data contains, the organization has almost no premise on which to build an effective strategy. The organization should look for software that can help it organize its data and provide insight into its contents.
Unstructured (file) data is the prime target for data privacy regulations, and it is also the hardest on which to gather the required information. The data protection process, which also needs to occur to comply with regulations, is an excellent point of leverage. Data protection software can add the capability to provide insight and management while it is protecting the data. Alternatively, third parties can leverage and read the backup stream. In both cases, the data is brought to the process instead of requiring a separate crawl of the organization’s file systems.
Once the solution protects data and provides insight, the organization can determine which type of data it has and then set policies as to how to manage it. Vendors and organizations are spending too much time trying to identify data with personal information in it like credit card numbers or social security numbers, but the right to be forgotten also means that the organization needs to identify data by the user or owner of that data.
The Right to Be Forgotten
We detail the challenges with the right to be forgotten in our recent eBook, “GDPR IS FOR EVERYONE – Designing a Data Privacy Infrastructure”, which you can get by registering for our 15-minute webinar “Talking GDPR and CCPA.” In the eBook, we discuss how the right to be forgotten causes challenges for backup data. Backup software often stores backups as large blob files for each job rather than as individual files. That makes removal or “forgetting” a specific sub-component of the backups a very real challenge. Backup software vendors are going to need to change the way they store backup data and become less job-based, or they are going to need to develop “delete on restore” capabilities, where the software automatically deletes data to be “forgotten” in-line during the restore process.
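The “delete on restore” idea described above can be sketched as follows. This is an added example, not code from the eBook or from any backup product. It assumes a tar archive stands in for the per-job backup blob, that each file's owner is recorded in the tar `uname` field, and that the forget list is a set of usernames; the function names and sample files are hypothetical and constructed for illustration.

```python
import io
import tarfile

# Constructed sample data: (path, owner, content) for one backup job.
SAMPLE_FILES = [
    ("home/alice/cv.txt", "alice", b"alice CV"),
    ("home/bob/report.txt", "bob", b"bob report"),
    ("shared/alice-notes.txt", "alice", b"alice notes"),
]

def build_job_blob(files):
    """Pack all files of one job into a single in-memory tar (the 'blob')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, owner, content in files:
            info = tarfile.TarInfo(name=path)
            info.uname = owner          # owner travels with the file metadata
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def restore_with_forget(blob, forget_owners):
    """Stream the blob and restore every file except those owned by a
    user on the forget list. Returns (restored, skipped)."""
    restored, skipped = {}, []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if member.uname in forget_owners:
                skipped.append(member.name)   # audit trail of what was withheld
                continue
            restored[member.name] = tar.extractfile(member).read()
    return restored, skipped

if __name__ == "__main__":
    blob = build_job_blob(SAMPLE_FILES)
    restored, skipped = restore_with_forget(blob, {"alice"})
    print("restored:", sorted(restored))
    print("skipped: ", skipped)
    # The job blob is untouched, so the forgotten data still exists at rest.
    print("blob still holds alice's data:", b"alice CV" in blob)
```

In this sketch the filter only keeps forgotten data from returning to production; the blob itself is never rewritten, so the forget list has to be retained and applied on every restore until the backup expires.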
StorageSwiss Take
2018 was the year that data privacy came into view and organizations were forced to start paying attention to what data they stored and how they stored it. Complying with these regulations is fundamentally a data management problem. For 2019, organizations need to seriously consider a formal data management strategy and look for solutions that help them not only maintain compliance but also prepare themselves for stricter future regulations.