
How Are You Addressing Data Privacy Compliance On-Prem?

August 8, 2021

Topics: Cloud Data Sense, Advanced

7 minute read

The growth of data privacy regulation around the world is changing how companies store data. But what if something that has to stay the same is your on-prem data center?

This article covers data privacy in the data center: the drivers that keep personal data on-prem, the challenges of meeting data privacy regulations there, and how NetApp Cloud Data Sense's new support for NetApp appliances and on-prem databases can greatly reduce the compliance burden for on-prem deployments.

Why Some Data Needs to Stay On-Prem

Reasons for Data to Stay On-Prem

  • Public sector guidelines
  • Performance concerns
  • Specific expertise on premises
  • Barriers to migration

There are a number of different reasons why companies may choose not to move data to the cloud. While these reasons are primarily business concerns, any personal data that stays on-prem still has to be handled in compliance with the growing number of data privacy regulations in force today.

Let’s look at some of the main reasons why companies choose to remain in the data center.

Public sector guidelines

Data localization can be a factor for a number of reasons. Some jurisdictions require certain data to be kept in redundant copies on infrastructure located within their borders, which in practice means on-prem machines. There are also regulations, such as GDPR, that restrict the transfer of personal data out of a specific region (under GDPR, out of the EU/EEA to countries without adequate safeguards). That can limit cloud deployment options and make staying on-prem more attractive.

Performance concerns

The lowest latency and highest throughput come from running compute as close to the data as possible. The cloud offers high-performance options, but some companies do not want to give up the performance that comes from keeping data and compute on the same in-house appliance.

Specific expertise on premises

Knowing the system that is in use is a tangible business asset. Retraining an entire IT department to work in the cloud when a migration takes place can be a significant cost factor, one that will also require significant amounts of time away from other projects. For some companies, that’s too much time to ask.

Barriers to migration

There are also situations where existing extensive on-prem infrastructure, storage performance requirements, or the sheer volume of data is keeping storage on-prem. A move to the cloud for such companies is still too daunting.

Whatever the reason a company decides to stay on-prem, data privacy regulation compliance is complicated and requires staff resources. Some enterprises even have whole departments tasked with maintaining compliance.

Data Privacy Challenges in On-Prem Data Centers

Data privacy and data protection are often conflated, and though related, they are not the same. Data protection deals with safeguarding all data (including personal data) against loss, corruption, and unauthorized access, whereas data privacy deals with the fair and proper collection and use of personal data.

Data privacy regulations around the world, such as the EU’s GDPR, California’s CCPA, the Protection of Personal Information Act (POPIA) in South Africa, and the Lei Geral de Proteção de Dados Pessoais (LGPD) in Brazil, are all designed to prevent the unauthorized collection, processing, or sale of personal information.

These regulations define what information about a person (the data subject) counts as personal data. They also set rules on how personal data may be collected, processed, and stored, how long it may be retained, whether and how third parties can access personal data a company holds, and the rights data subjects have to see the data stored about them and to revoke consent for its use.

On-prem data centers generally contain file shares for users and department data storage, databases, and internal applications, some of which will hold personal data. And this infrastructure may be shared by different departments with different policies on where and what is stored.

The main issue for any organization is identifying which data counts as Personally Identifiable Information (PII) and finding out where that PII is stored. With different departments keeping data on shared infrastructure, it can be hard to obtain an accurate picture of data location, especially without a central register of what is stored where.

Consider that in order to respond to a single data subject access request (DSAR), it could take an admin several days just to search all file stores and relevant databases for the information needed to even begin compiling an accurate report. GDPR requires such requests to be answered without undue delay and in any event within one month (extendable by two further months for complex or numerous requests). How many DSARs would it take before an entire month of one worker’s time is consumed?
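To make the discovery problem concrete, here is an added example (not Cloud Data Sense code, and not from the original article) of the kind of pattern-based PII inventory an admin would otherwise assemble by hand. It scans a constructed in-memory corpus standing in for files on a share, finds email addresses, US Social Security numbers, and payment card numbers, and builds a per-location inventory plus the list of locations holding a given data subject’s address, which is the starting point for a DSAR response. The paths, file contents, and helper names are all invented for this illustration. The card check applies the Luhn checksum so that a random 16-digit number in a build log is not reported as a card: pure regex matching is the main source of false positives in this kind of scan.

```python
"""Toy pattern-based PII discovery over a constructed in-memory corpus.

Added illustration, not Cloud Data Sense code. Paths, contents and
function names are invented for this example.
"""
import re
from collections import defaultdict

# Constructed sample corpus standing in for files on a department share.
SAMPLE_CORPUS = {
    "/shares/hr/resumes/jdoe.txt": (
        "Jane Doe, jane.doe@example.com, SSN 123-45-6789, applying for ..."
    ),
    "/shares/finance/refunds.csv": (
        "order,card,email\n"
        "1001,4111 1111 1111 1111,jane.doe@example.com\n"
        "1002,4111 1111 1111 1112,bob@example.org\n"  # last card fails Luhn
    ),
    # 16 digits that are not a card number: a regex-only scanner flags this.
    "/shares/eng/build.log": "build 1234567890123456 finished in 12s",
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; validated by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_corpus(corpus: dict) -> dict:
    """Return {path: {kind: [values]}} for each kind of PII found in each file."""
    findings = defaultdict(lambda: defaultdict(set))
    for path, text in corpus.items():
        for m in EMAIL_RE.finditer(text):
            findings[path]["email"].add(m.group().lower())
        for m in SSN_RE.finditer(text):
            findings[path]["ssn"].add(m.group())
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn filters out build IDs, order numbers and mistyped cards.
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings[path]["card"].add(digits)
    return {p: {k: sorted(v) for k, v in kinds.items()} for p, kinds in findings.items()}


def dsar_locations(corpus: dict, subject_email: str) -> list:
    """Paths that hold the given data subject's email address."""
    subject = subject_email.lower()
    return sorted(
        path for path, kinds in scan_corpus(corpus).items()
        if subject in kinds.get("email", [])
    )


if __name__ == "__main__":
    for path, kinds in scan_corpus(SAMPLE_CORPUS).items():
        print(path, {k: len(v) for k, v in kinds.items()})
    print("DSAR scope for jane.doe@example.com:",
          dsar_locations(SAMPLE_CORPUS, "jane.doe@example.com"))
```

In a real scan the same logic would walk mounted shares and query database columns rather than an in-memory dictionary, and the inventory would be stored rather than printed, but the shape of the problem is the same: every match still has to be validated and then tied back to a location and a data subject before it can support a DSAR or a scoping report.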

The risks of failing to meet these challenges are real. While not related to DSAR compliance, one of the largest fines issued for violating privacy regulations so far was the €50 million fine the French regulator CNIL imposed on Google in 2019. Still, most people are not aware of the large number of smaller companies that are fined each year: in 2020 alone, some 300 GDPR violations resulted in fines, and the trend is increasing.

NetApp Cloud Data Sense

One way that companies with on-prem deployments can stay on top of their sensitive private data is with NetApp Cloud Data Sense. In addition to its cloud capabilities, NetApp Cloud Data Sense now connects to on-prem file storage, object storage, and a number of different databases including SAP HANA, MongoDB, PostgreSQL, MySQL, and Oracle. Cloud Data Sense works by scanning structured and unstructured data for specific types of data that could be considered personal data, maps where it is in your repositories, and categorizes that data in easy to read reports.

Cloud Data Sense classifies the documents by different sensitivity levels and then categorizes data and documents by type, such as resume, medical, and legal.

The AI-driven algorithm uses metadata extracted from documents and data discovered by Cloud Data Sense to identify different personal data types, which it maps to objects, such as name, email address, and social security number. Finally, Cloud Data Sense uses contextual language processing to identify information that different regulations classify as sensitive and stores this information in a centralized catalog. This can be valuable in meeting GDPR’s data privacy requirements.

The information viewable in web-based dashboards shows an overall status of personal information in the data center environment. The dashboard has many options to drill down into results for more detailed information on specific storage, category, or sensitivity.

Reporting Compliance

As well as the handy dashboards showing where your sensitive data is stored and classifying it, NetApp Cloud Data Sense produces PDF reports to help demonstrate and perform compliance responsibilities in line with different regulations. These reports include:

Privacy Risk Assessment Report: This report provides an overview of the discovered data in your repository.

PCI DSS Report: The PCI DSS Report helps identify credit card information in your repository. The report includes the percentage of credit card information that is encrypted and protected from ransomware, and how long it has been since the data was modified.

HIPAA Report: The HIPAA Report helps identify data that may contain health-related information. Cloud Data Sense reports on data that has patterns matching standard medical coding or reference terms. The report breaks down where Cloud Data Sense found the medical data, whether the data is encrypted or protected from ransomware, and how long it has been unmodified.

DSAR Response: The DSAR Response report creates a summary of the identified data held on your systems about a data subject, and once the optional fields are completed, the report can be sent as the response to a DSAR.

Conclusion

While the on-prem data center may be seen as less risky than the cloud, when it comes to data privacy and complying with the new regulations that govern data privacy, such deployments can pose challenges in and of themselves.

Using Cloud Data Sense can save you serious time and money when it comes to identifying personal information. With its discovery capabilities now available for ONTAP systems and a range of databases, on-prem deployments have a way to identify sensitive personal data, highlight potential compliance issues, and create reports to share with relevant data stakeholders to demonstrate data privacy compliance.

Improving compliance program automation can affect your bottom line, build reputation and increase trust. Try it today, free up to 1 TB.

Senior Marketing and Strategy Manager