GDPR – More Than Just Data Security


Posted on Wednesday, June 21, 2017

The new General Data Protection Regulation (GDPR), which controls how personal data belonging to European Union citizens is stored and used, comes into effect in 2018.

Much of the industry focus has been on rules surrounding security, loss of data, and the stiff penalties that could be levied should your corporate information stores be breached.

But because this is the most significant change to personal data protection legislation in many years, there are other factors that need to be considered, one of which is the new 'right to be forgotten'.

Leave me alone

The 'right to be forgotten' is an extension of an existing piece of legislation that allows EU citizens to request that Google (and other search engines) remove links to content that is defamatory or meets other specific criteria. The GDPR takes things a little further.

From next year, citizens can make a right to be forgotten request to any business, whether it is based in the EU or not. Once the request is received, the business has 72 hours to locate and remove the customer's data.

Time to improve your data discovery provisions

Clearly the right to be forgotten presents a massive challenge, particularly in the age of big data and long-term or permanent offline archives.

Businesses still have time to implement guidelines on how they handle personal data as it is collected, but this will not help with managing existing archives. Instead, the CTO will need to begin a programme of discovery to understand what data the business holds and where it is stored. Unfortunately, there does not yet appear to be a single solution that performs this kind of work.

Is a “best attempt” good enough?

Despite the potentially huge fines applicable under GDPR for failure to comply with right to be forgotten requests (up to 4 percent of total global revenue), we should assume that the legislation is not a money-making exercise. If true, businesses should expect leniency from EU courts if they can demonstrate that they have made their best efforts (and continue to do so) to meet the standards required.

However, this is merely conjecture – early test cases could go the other way, seeing the first offenders punished heavily. Whatever happens, the fact remains that the CTO and CIO must begin to address this second challenge of EU legislation urgently – there is very little time remaining to achieve compliance.