The General Data Protection Regulation (GDPR) is an attempt by the European Commission (EC) to unify data protection compliance in European Union (EU) member states with a single law.
The EC, with the EU Parliament and Council, have committed to finally conclude talks on its content this December, with implementation to follow two years later.
The rise of cloud computing has complicated regulations around data storage, globalising what was once a very local process. The new law will seek to bring clarity to this modern-day issue, as well as protect users of now-ubiquitous digital services.
A designated Data Protection Authority (DPA) will monitor each company in the UK, while non-European businesses that gather, process or store personal data in the EU will also have to comply with the regulation.
The GDPR defines personal data as any information that relates to an individual’s private, professional or public life, including email addresses, social media posts, medical information and bank details.
The most publicised element of the impending law has been its punishments for non-compliance: up to €100 million or 5% of worldwide turnover, whichever is greater, which far exceeds current penalties. What has been less discussed, however, is exactly how it will affect the way in which organisations store data.
According to CA Technologies’ director of government relations, Christoph Luykx, the GDPR will have a strong impact on how organisations collect, store and handle data.
‘Companies will need to ensure that they build the right security measures around the information they store,’ he says, ‘which could involve introducing clear rules about access to stored data and mechanisms to authenticate people who have access to sensitive information.
‘The GDPR will also drive a stronger focus on data breach notifications and implementing dedicated data security measures across organisations.’
If companies transfer and store data in locations outside the EU, this will still be possible under various legal mechanisms, such as binding corporate rules (BCRs).
In addition, the US-EU Safe Harbor agreement is currently subject to discussions between both sides on how to strengthen and improve data transfer between countries.
If an organisation is servicing multiple EU countries but is not based in the EU, it could be interested in the one-stop-shop mechanism, whereby it deals only with the authority of the member state in which it establishes itself if a data breach occurs that affects multiple countries.
In the same case, if the organisation is not established in the EU, it would need to deal with all the authorities of the countries involved.
‘Many US companies are already establishing EU operations and headquarters in Ireland, Luxembourg and the Netherlands to comply with this new mechanism,’ says Vijay Mistry, VP operations at Digital Realty.
Privacy by default
Much of the regulation is about ensuring that personal data is stored with consent, for a specified purpose and for a duration that is in keeping with the reason for obtaining the data in the first place.
There are two key elements of the GDPR that will directly influence how organisations purchase and implement data storage equipment: ‘data protection by design’ and ‘data privacy by default’.
As such, it will become a priority for IT teams to design and architect data storage facilities with protection and privacy at the core. ‘It is fair to say that all elements of the proposed regulation impact upon how organisations store data,’ says Martin Warren, cloud solutions marketing manager, EMEA at NetApp. ‘Easy data access, portability and manageability are important aspects for compliance.
‘For companies using or working towards a hybrid approach to IT, using storage that is overlaid with software that makes the entire storage environment work as a single entity – whether on-premises or off-site – is important.’
This means that data, no matter where it is stored, can be easily accessed and managed. And good data management will also be integral.
Lillian Pang, director of legal at Rackspace, adds, ‘Although provisions in the GDPR such as Article 20 (Profiling) are relevant for purposes of how data is stored, the circumstances in which an individual may opt out of profiling place the onus on the organisation to ensure that they have the capability to suppress and delete such personal data.’
Compliance may require extra investment in data systems and storage if an organisation is servicing multiple EU countries but is not based in the EU. However, it generally depends on the business model of the company.
‘In general,’ says Mistry, ‘the new law will be more restrictive in terms of obligations for processors and controllers, and this could entail additional investments to ensure compliance.’
That thing EU do
The GDPR doesn’t explicitly prohibit storing data in the cloud – or transfers of data in clouds outside the EU – but it does require organisations to pay more attention to what data will go in the cloud.
Organisations will have to look closely at their suppliers and consider where they host their data and if they have the right transfer mechanisms in place, such as BCRs.
Companies will also be required to assess the benefits of using in-house models against cloud services.
‘In a number of cases, the use of cloud services may help improve organisations’ current data storage arrangements, especially in the area of data security,’ says Luykx.
Data that is stored in the cloud must be in a format that facilitates easy portability and a ‘right to erasure’, and the pressure will be on cloud service providers to develop, design and enhance offerings that meet the principles of privacy by default and data minimisation.
Under the new regulation, all parties involved with personal data are liable should a breach occur, so this can be both the company and its service provider.
However, companies can rest assured that this joint liability means that it is in a cloud provider’s best interests to ensure they are compliant. ‘They will be held to the same standards and fines as the company that hired them,’ says Warren.
Nonetheless, cloud users will have to ensure through due diligence that the services they purchase meet the requirements and principles of the regulation, which will necessitate an extensive amount of training across the infosecurity workforce.
The only chance of compliance with GDPR is for anyone involved in commercial data storage – from data controllers to processors – to be given a common understanding of best practice in cloud security.
‘The best way to achieve this,’ says Dr Adrian Davis, European MD at non-profit infosecurity organisation (ISC)², ‘is for the industry to develop an international gold standard for professional-level knowledge in the design, implementation and management of cloud environments.
‘This should be developed by consultation within the industry and would define and standardise best practice across cloud hosts and tenants alike.’
Regardless of these challenges, the GDPR is unlikely to put organisations off storing data in the cloud.
Technology growth is rarely, if ever, dependent on legislation, and trends like big data and the Internet of Things will continue to require the scalability and efficiencies that cloud services provide.
‘Storing data in the cloud is only the beginning of the challenges and complexities that technological development will create for legislation,’ says Pang.
Age of consent
A major focus of the GDPR, when it comes into effect, will be the idea of people giving explicit consent for their data to be used.
From companies needing to state explicitly the data they are using to the ‘right to be forgotten’ being formalised, this may well result in some data being removed at the request of the individual or the removal of personally identifiable information (PII) from databases.
The ease of doing such a task relies heavily on the way in which the data is controlled and managed at individual organisations.
However, according to DataSift’s chief product officer, Tim Barker, the difficulty of removing data in a timely manner is ‘far outweighed by the potential repercussions of not doing so’.
Most worryingly, the majority of organisations in the UK seem to be distinctly unprepared for the changes.
A recent survey of European organisations by Ipswitch found that 35% of respondents didn’t know whether their IT policies and processes were aligned with GDPR compliance or not.
‘There seems to be a real need to educate around the GDPR in the UK, with many people still unsure just what it means and how it will affect their organisation,’ says Barker. ‘For businesses holding data, such as marketing and human data platforms, not fully understanding the new law could in itself prove costly.’
Another survey by (ISC)² – the largest ever conducted on the infosecurity workforce – found that 68% of those in telecoms, 60% of those in utilities, 55% of those in banking, 50% in government and 40% in defence say cloud security remains of paramount concern.
The survey indicated that UK organisations lack confidence in their ability to protect data in the cloud to the necessary standard, and are likely to be caught off-guard by the degree of cloud security skills that the GDPR will demand.
‘We have seen evidence that UK organisations may be in for a shock by the time the regulation comes into effect, particularly with regard to storing data,’ says Davis. ‘Many infosecurity professionals lack the skills to comply.’