December 17, 2019
The value of personal data is soaring. Companies routinely buy and sell it. It gives online marketers deep insights into our spending behavior, helping them to target their advertising and improve the customer experience.
But, at the same time, consumers are becoming increasingly concerned about their privacy—highlighted by recent high-profile breaches of trust such as the Cambridge Analytica scandal, in which the personal, sensitive data of millions of Facebook profiles was harvested without consent, as well as the recent hack of Capital One.
The General Data Protection Regulation (GDPR), which came into force in May last year, was one of the first new laws to respond to today’s data-oriented business landscape. With more new legislation set to follow, including the forthcoming California Consumer Privacy Act (CCPA), this post discusses the impact of data protection regulations on enterprise storage management.
In this post we’ll look at the challenges of compliance, then we’ll run through the steps that data controllers need to take in preparation for future regulatory requirements, including some ways that NetApp® Cloud Compliance.
Data Privacy Challenges
New data privacy laws, such as GDPR and CCPA, share many common features, but there are also significant differences between them. For example, they give consumers very different opt-out rights.
Whereas GDPR gives data subjects the right to prevent companies from using their personal data for marketing purposes, CCPA opt-out rights are more concerned with the sale of personal data. GDPR and CCPA are also clearly designed to protect citizens in different geographical areas—the European Economic Area (EEA) and California, respectively.
Nevertheless, both laws are still global in scope, since they apply to any organization that stores or processes data about the people in the territorial jurisdiction the laws cover. This is having a profound impact on enterprises in particular, as they typically serve a worldwide user base.
What's more, new regulations are extending the definition of personal data to include a much wider range of information, such as IP addresses and genetic, biometric, and location-based data. And they are strengthening consumers’ rights to access the data you store about them.
Faced with this complex array of compliance requirements, you should adopt a privacy-by-default approach at your enterprise to ensure you meet the privacy requirements of today and be better prepared for new ones that will arise in the future.
As these new data privacy laws have come into effect, storage has become more distributed than ever as a result of new technologies and the huge amount of data that websites and applications gather and create about consumers.
However large those data sets have become, storage owners still need to maintain visibility into and control over that data, so they can protect customer privacy and manage storage as cost-effectively as possible. This can be a significant undertaking—all the more so in a complex enterprise IT environment made up of a diverse mix of cloud and on-premises deployments.
Steps to Take to Meet Data Privacy Challenges
The following are some of the key steps you'll need to take to meet the challenges of these new privacy regulations.
1. Draw Up a Data Inventory
First draw up a data inventory across all your enterprise IT environments. Then, look into which information should be classed as personal, sensitive data. As part of your privacy-by-default process, you should adopt the broadest possible definition of personal data. For example, the CCPA defines personal data as not only that which can be reasonably linked to an individual California resident, but also to their household or device.
Therefore it makes sense to apply the wider CCPA definition to all data subjects. And, likewise, to treat all data subjects equally—regardless of where they reside in the world. This will make it simpler to comply with both existing and forthcoming data protection regulations.
If your organization sells personal data, you should be aware that the CCPA will give California residents the right to opt out of the sale of their information. You should consider this in your assessment of your data. To accommodate similar rulings in the future, your organization may look at extending the same rights to all data subjects.
Knowing what you have will also play an important role in securing personal data. And it will provide much-needed visibility into your information assets in the event of a breach, allowing you to respond far more quickly.
2. Map Your Data Flows
Next, map the flow of data through your applications. This will help you establish which parts of your business are using personal data, how you process it, where you process it and whether you can legitimately process it under privacy regulations.
For example, you may find you're transferring personally identifiable information out of the EEA. If so, you should check that such a transfer is compliant with GDPR. In the case of data transfers to the US, these must be covered by the EU-US Privacy Shield Framework.
UK independent body the Information Commissioner's Office (ICO) provides detailed guidance on GDPR restrictions that apply to international data transfers. You should also be aware of data flows in cross-region failover architectures, as they could potentially involve cross-border transfers that have to meet current or future compliance requirements.
3. Store Only the Data You Need
To comply with GDPR, you should only collect and store personal data your business actually needs. Furthermore, you should only store it for as long as you need it.
This may be dictated by statutory requirements, such as minimum time periods for keeping employee records, tax payments or work-related medical examinations.
So you'll need to set up a lifecycle policy for each data record, promptly deleting it once you no longer need to store it. Data retention schedules are not only essential to compliance, but also help keep your storage costs down.
Data deduplication, a technology that reduces your storage footprint by removing redundant copies, can also help meet your compliance obligations. Deduplication is one of the key storage efficiencies that make NetApp Cloud Volumes ONTAP crucial to reducing costs for enterprise data management.
Cloud Volumes ONTAP also offers data tiering, where infrequently used data can be offloaded to less-expensive object storage on Amazon S3 or Azure Blob storage. If the data is needed again, Cloud Volumes ONTAP automatically tiers it back up to performant disk storage.
4. Store Records of Consent
Records of consent provide the evidence you need to demonstrate compliance. However, different privacy laws specify different consent requirements.
For example, under GDPR, you must actively seek consent from consumers in order to use their email address in marketing communications. Likewise, you’ll need to do so if you export their information out of the EEA to countries or territories without adequate data protection frameworks.
By contrast, under CCPA, you’ll need to maintain a record of consent for every Californian child that has given you permission to sell their data—or, in the case of minors under the age of 13, a record of consent from a parent or guardian.
Additionally, adults can proactively opt out of the sale of their personal data. Once they’ve done so, you should not invite them to opt back in for at least 12 months. So you’ll not only need to store each opt-out request but also the date the request was made. This is another case where storage efficiencies and data tiering will help reduce data storage costs a great deal.
5. Streamline Support for Right-of-Access Requests
As new privacy laws strengthen consumers’ rights to access, change or delete their personal data, you’ll need measures in place to quickly and efficiently respond to their requests. But this is no easy challenge.
Data is now distributed in ways it never has been before—across live, backup, archival and big data systems, hosted in cloud-based and on-premises environments, using different addressing systems and organized in different data formats.
This makes it difficult to determine just what information you have about a data subject. And equally difficult to quickly and efficiently access it. Right-to-be-forgotten requests may prove particularly problematic. In the case of live storage environments, good data inventory management will be essential. NetApp Cloud Manager is the single panel console that provides visibility into storage repositories across deployments whether that data is on-prem or in multiple clouds.
However, backup and archival data poses much more difficult questions to data controllers. For example, backup systems may not be cut out to handle erasure requests, as they're not generally designed for granular deletion of data. And those organizations that rely on outmoded tape storage for archiving older data will face exactly the same issue.
Confronted by these problems, storage administration teams should consider alternative solutions, such as moving archival data to low-cost cloud storage or switching to different backup software altogether. One option is to leverage NetApp Snapshot™ technology to create instant, space-efficient backup copies. Cloud WORM immutable data copies with NetApp SnapLock® is another option that NetApp users can leverage.
6. Secure and Encrypt Data
Security is a key component of all new data privacy regulations, which advocate encryption as a way to prevent exposure of personal data in the event of a breach. If you've not done so already, you should encrypt personal data where possible, ensuring full coverage across all your infrastructure.
You should also audit who has authorized access to your data. And tighten up access, where necessary, to prevent personal data falling into the wrong hands.
Stay Ahead of the Game
GDPR and CCPA are leading the way in protecting personal data in the digital age. And now many other countries and states look set to follow these groundbreaking data protection regulations.
A privacy-by-default approach to data storage will help your organization stay ahead of the game, ensuring you have the technical and operational measures in place to comply with these and more data privacy regulations to come.
The financial penalties for infringements are substantial, but, more importantly, consumers care about their data. The costs to your enterprise in terms of loss of trust and loss of business could be considerably higher. In these cases, NetApp can provide your company with technology that will help reduce those costs and make sure your data—and your customers’ data—is protected.
One new way NetApp is making this possible is with a great new resource that will help you track, map, and identify sensitive private data in your storage systems through the help of a powerful AI technology: It’s called NetApp Cloud Compliance.
Cloud Compliance is the new data mapping and reporting tool for use with Cloud Volumes ONTAP, Azure NetApp Files, or natively with Amazon S3 buckets. It allows users to scan all of the data in their cloud repository, produce accurate subject data reports automatically, receive alerts about potential violations in real time, and more.
Find out more about the technology behind Cloud Compliance and how AI can automatically map private data to help you comply with privacy regulations in this free guidebook.