How Software-Defined Storage Can Help You Get Ready for GDPR
by Jaap van Duijvenbode on April 18, 2018
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) comes into force. Any organization that handles the personal data of consumers living in the European Union, even if its facilities aren't located in Europe, has to comply with GDPR. Noncompliance could be financially painful: a fine of up to the greater of 4 percent of annual revenue or £20 million. For organizations with distributed storage environments and workforces, ensuring compliance could be complicated.
Let's start with an overview of GDPR and what it means for businesses with European customers. Then, we'll explain how software-defined storage and Talon FAST™ help organizations not only cut their data storage costs by as much as 70 percent, but also reduce their risk of GDPR noncompliance—and paying the expensive penalties that could result.
Which Organizations Are Affected by GDPR?
GDPR affects organizations that serve as both "controllers" and "processors" of personal data. A controller is an entity that determines how personal data is to be used. A processor obtains, records, or holds personal data, or performs operations upon it.
If your organization holds the data of anyone living in the European Union and/or determines how that data may be used, you are responsible for GDPR compliance. Not only that, but you're also responsible for complying with any additional national rules on data use and protection in the individual member states. And even though the U.K. has voted to leave the E.U., its Data Protection Bill largely mirrors the GDPR. Bottom line: if you do or plan to do business in Europe, you need to understand and comply with GDPR.
What Are the Changes?
GDPR expands individuals' rights over how their personal data is used. Individuals have the right to receive information on what data an organization keeps and how it uses that data. They have the right to be asked to opt in before their data is used, instead of it being used by default. Organizations cannot use the personal data of children without consent; a parent's or guardian's consent must be obtained for children up to the age of 16. Also, if someone exercises "the right to be forgotten," which means they withdraw consent to use their personal data, organizations have to delete the individual's data upon request.
To achieve compliance, you need a map of what data you keep, how data flows throughout your organization, how it's used, and how you share it. You need to keep records of all data processing activities, and you need to provide a lawful basis for using personal data as well as clear retention policies. In addition, if someone asks you how you use their data, you need to provide that information within one month. In most cases, you can't charge for responding to their request, and you can't say "no" unless their request is unfounded or excessive—and if you do refuse, you must direct them to the appropriate supervisory authority should they wish to lodge a complaint.
Does that sound logistically challenging? Read on.
If you discover a data breach within your organization, you have to notify the Information Commissioner's Office (ICO) if the compromised data could have a negative impact on an individual's rights or freedoms. If significant damage to an individual could result (e.g., financial loss, discrimination based on protected characteristics, reputational damage, or loss of confidentiality), you may need to notify the affected individuals directly.
When you make a change that can put personal data at risk—for example, if you deploy a new technology, change your profiling operations, or undertake large-scale processing of sensitive data—you must complete a Data Protection Impact Assessment (DPIA) to determine the level of risk to the individual. A finding of high risk requires you to work with the ICO to determine whether your change is GDPR-compliant. Certain organizations now need designated data protection officers (DPOs) to take responsibility for compliance, particularly those that process sensitive information or process data on a large scale.
Do You Know Where Your Data Lives?
Eighty percent of data in most organizations is stored locally, whether that's at a remote site or in a branch office. The bigger your organization, the tougher it becomes to control what happens at those local sites. It gets harder to guarantee the integrity of data across your organization, and it's more difficult to secure it against breaches. It's also tough to control local caching, backups, and archive histories to ensure local sites are following your retention policies.
For the sake of governance and GDPR compliance, it's much easier to centralize data in one on-premises or cloud provider's data center. However, you can run into performance issues when local sites lack sufficient bandwidth to access and share data quickly. Also, when multiple people want to collaborate on the same files, local changes happening at different offices can affect the file's integrity. You end up with duplicate and conflicting versions of the same file, which makes collaboration frustrating and inefficient.
Suppose a customer approaches your organization to exercise the right to be forgotten. You may delete the individual's data at one location, or even centrally, only to find that it's still living in an archive on a local disk that never got updated. Instead of paying 4 percent of your annual revenue or £20 million for noncompliance, you can use software-defined storage from Talon FAST™ to make GDPR compliance a lot easier.
How Talon FAST™ Helps
Talon FAST™ helps you achieve governance over data in both your central data warehouse and at your local sites. It does this by running a core instance hosted at your central data center or cloud provider in addition to edge instances at your local branches.
In the average organization, only 10 percent of data is active at any time. Operating under that assumption, Talon FAST™ uses the following methodology to ensure data consistency and to improve governance:
- The Intelligent File Cache and Virtual File Share at your local sites only process and cache active data. Over time, stale cached files are automatically purged according to the retention policies you set, and you can eliminate local backups altogether.
- Your centralized authoritative copy of the data changes only when a user updates it, and thanks to delta differencing only the changed portions are transferred. When one user is working on a file, the file is automatically locked so that no one else can make changes simultaneously and create conflicting versions.
- The Talon FAST™ fabric gives branch users the ability to access data as though they're all working from the same office. By compressing, streaming, and reducing file sizes in transit, the Talon FAST™ fabric overcomes many performance and latency issues without requiring a significant investment in new network infrastructure.
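As an added illustration (a constructed toy model, not Talon's code), the following puts the core/edge design above together with the right-to-be-forgotten scenario from the previous section: edge caches hold only recently accessed copies and purge them by a retention window, writes require a single-writer lock, and an erasure request is only complete once `locations()` reports no site still holding a copy. The class and path names are invented for the example.

```python
# Constructed toy model (not Talon's code): one authoritative core plus edge caches.
from dataclasses import dataclass, field

@dataclass
class EdgeCache:
    name: str
    retention_s: float                            # site retention policy for cached copies
    entries: dict = field(default_factory=dict)   # path -> (content, last_access)

    def read(self, path, core, now):
        """Serve from cache if present, else fetch from the core and cache it."""
        if path not in self.entries:              # cache miss: pull from the core
            self.entries[path] = (core.files[path], now)
        content = self.entries[path][0]
        self.entries[path] = (content, now)       # refresh last-access time
        return content

    def purge_stale(self, now):
        """Drop cached copies idle longer than the retention window; return them."""
        stale = [p for p, (_, t) in self.entries.items() if now - t > self.retention_s]
        for p in stale:
            del self.entries[p]
        return stale

class Core:
    def __init__(self):
        self.files, self.locks, self.edges = {}, {}, []

    def write(self, path, user, content):
        """Single-writer rule: a file locked by another user cannot be changed."""
        holder = self.locks.setdefault(path, user)
        if holder != user:
            raise PermissionError(f"{path} is locked by {holder}")
        self.files[path] = content

    def locations(self, path):
        """Every place a copy of `path` still lives: the answer an auditor asks for."""
        here = ["core"] if path in self.files else []
        return here + [e.name for e in self.edges if path in e.entries]

    def erase_centrally(self, path):
        """The failure mode from the text: delete at the core only."""
        self.files.pop(path, None)

    def erase_everywhere(self, path):
        """Right to be forgotten done properly: core plus every edge cache."""
        self.erase_centrally(path)
        for e in self.edges:
            e.entries.pop(path, None)
```

Checking `locations()` after an erasure is the step that turns a deletion into evidence of compliance; a central-only delete leaves the branch copy in place.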
By consolidating your storage and no longer provisioning unnecessary storage services at local sites, Talon FAST™ can help you get the same performance from your storage at as little as 30 percent of its current cost. When it comes to GDPR, your data lives in fewer places, and you no longer have to manually execute retention policies locally. You have a much simpler map of how data flows and how it's used, so you can more easily answer individual and regulator questions about your use of personal data.
In addition, by reducing your storage volume, you reduce your potential attack surface. If external bad actors compromise local networks, they find much less data in storage; if internal employees violate your policies, your risk is better contained. Talon FAST™ integrates with your current security and authentication solutions, and it easily scales as your business grows.
By simplifying data management with Talon FAST™, you'll have a much easier time achieving GDPR compliance. You'll be able to demonstrate transparency to individuals and regulators, protect against costly breaches and easily map out the impact of changes within your data environment. Learn more about how our solutions work; this Talon FAST™ video provides an easy-to-understand overview. You'll love how simple it can be to achieve GDPR compliance—all while slashing your storage costs.