SLAs in a GDPR World: What Are Third Parties Doing With Your Data, and What Are You Doing With Theirs?
by Andrew Mullen on April 23, 2018
The key to complying with GDPR is knowing where your data lives, how it flows through your organization, and how it transfers between parties. If you're working with a distributed storage environment, these flows can get complex, but with costly compliance penalties coming into effect with GDPR in May 2018, if you have EU customers, it's not something you can put off any longer.
Under GDPR, any data collected by controllers and used by processors requires consent from the individual. Before you collect it and ask for that consent, you need to know exactly how you plan to use their data and how you will safeguard it. Starting with a privacy impact assessment (PIA) before any data collection activity is a good best practice. It's also good to add PIAs to your SLAs, both when you're procuring third-party services and when you're delivering services to clients or partners. Avoid vendors who won't provide PIAs for you, and give yourself a competitive advantage by providing them for others.
Map Your Data Flows
The first step in a PIA is to map the ways data you collect typically flows throughout your organization. Here are some considerations:
- The fields you're collecting (name, address, etc.)
- Data category (personal, financial, criminal, health, etc.)
- Storage medium (paper documents, branch desktop computers and servers, cloud infrastructure, employee devices, data center storage networks, tapes, etc.)
- Storage handling (backup frequency and locations, disaster recovery)
- Computer data storage protections (encryption or other ways to protect identity while data is in storage)
- Data collection methods (call center recordings, social media, website cookies, post)
- Internal sharing (how changes to files occur, how files are shared)
- Network flows (between data centers, branch offices, remote sites, cloud providers, employee users, third parties, regulators, etc.)
Once you've mapped these flows, ask yourself 1) who's accountable for data security and privacy at each step and 2) who has access to the data at each step. Once you have this big picture map of what happens to data, you have enough information to assess how individuals are impacted by its use.
Also, keep in mind this is both an internal process and a customer-facing process. When you're the controller, it's your obligation to conduct the PIA. When you're in a processing role, and you can hand a controller a pre-made map of your data flows and controls, you're a lot more likely to win the contract.
Assess the Impact on Individual Privacy
Risks tend to pop out at you when you see your data flow map at a glance: access management, storage management, and mobility management are all things to address. One of the biggest risks to individual privacy is the practice of storing data locally, at branches, remote sites, and on employee devices.
It's tougher for you to control what happens to data once it's living on an employee's laptop. If they lose the laptop and someone picks it up, you could end up facing big fines; if they breach the individual's privacy and misuse data, that's also costly for you. The solution to that risk is to centralize data storage, allowing employees and third parties to access only the data they need to work on during a certain time. The challenge that arises when you centralize storage is delivering great network performance.
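The mapping and assessment steps above can be turned into a repeatable check. The following is an added example, not code from the original post or from Talon; the `DataFlow` record, its field names, the sample flows and the risk rules are all my own construction, chosen to encode the questions the post asks of each step (storage medium, protection at rest, who is accountable, who has access, and whether a third party's SLA carries a PIA).

```python
"""Data-flow inventory check for a privacy impact assessment (PIA).

Added illustration, not part of the original post or any vendor product.
The flow records below are constructed sample data; the rules flag the
risks the post names: local storage of sensitive data, missing encryption
at rest, no accountable owner, over-broad access, and third-party SLAs
without a PIA.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data categories the post lists; all of them count as sensitive here.
SENSITIVE_CATEGORIES = {"personal", "financial", "criminal", "health"}
# Storage media outside central control (the post's biggest named risk).
LOCAL_MEDIA = {"employee device", "branch desktop", "branch server", "paper"}


@dataclass
class DataFlow:
    """One step on the data-flow map (hypothetical schema)."""
    name: str
    fields: List[str]              # e.g. name, address
    category: str                  # personal, financial, ...
    storage_medium: str            # cloud infrastructure, employee device, ...
    encrypted_at_rest: bool
    accountable_owner: Optional[str]
    access: List[str] = field(default_factory=list)
    third_party: Optional[str] = None
    third_party_pia_in_sla: bool = False


def assess_flow(flow: DataFlow) -> List[str]:
    """Return the PIA findings for one flow; an empty list means none."""
    findings: List[str] = []
    sensitive = flow.category in SENSITIVE_CATEGORIES
    if flow.accountable_owner is None:
        findings.append("no accountable owner for this step")
    if sensitive and flow.storage_medium in LOCAL_MEDIA:
        findings.append(f"{flow.category} data stored locally on {flow.storage_medium}")
    if sensitive and not flow.encrypted_at_rest:
        findings.append(f"{flow.category} data unencrypted at rest")
    if "all staff" in flow.access:
        findings.append("access not limited to those who need it")
    if flow.third_party and not flow.third_party_pia_in_sla:
        findings.append(f"SLA with {flow.third_party} does not include a PIA")
    return findings


def assess_inventory(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Map flow name -> findings, keeping only flows that have findings."""
    report = {f.name: assess_flow(f) for f in flows}
    return {name: found for name, found in report.items() if found}


# Constructed sample inventory: one clean central store, one risky local
# export, and one third-party processor whose SLA lacks a PIA.
SAMPLE_FLOWS = [
    DataFlow("crm-central", ["name", "address"], "personal",
             "cloud infrastructure", True, "Data Protection Officer",
             ["sales", "support"]),
    DataFlow("branch-laptop-export", ["name", "address"], "personal",
             "employee device", False, None, ["all staff"]),
    DataFlow("payroll-processor", ["name", "bank account"], "financial",
             "cloud infrastructure", True, "HR lead", ["hr"],
             third_party="payroll vendor", third_party_pia_in_sla=False),
]

if __name__ == "__main__":
    for name, found in assess_inventory(SAMPLE_FLOWS).items():
        print(name)
        for item in found:
            print("  -", item)
```

Each rule corresponds to one question the post tells you to ask of the map, so extending the inventory is a matter of adding rows, and a new policy decision (say, a maximum retention period) becomes one more rule in `assess_flow`.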
We designed FAST™ to support your centralization strategy and eliminate performance problems as you consolidate distributed storage. The FAST™ fabric provides speedy connections for your remote users, supported by our Intelligent File Cache technology. Every branch runs a local virtual appliance, with FAST™ configured as an edge server. The only data transferred from central storage to the branch is data that your employees need to access in that moment, and the Intelligent File Cache keeps local storage light by only caching the data employees most frequently use, and routinely purging the cache according to rules you set.
With FAST™, you can completely eliminate local backups without sacrificing speed and convenience for users. By consolidating storage, you cut privacy risks, create a simplified data map, and make privacy impact a whole lot easier.
Start demanding a complete picture from processors, and write their obligations under GDPR into your SLA with them. In your own SLAs for your processing activities, provide far more transparency. GDPR compliance can be a big obligation, but being on top of it can be a huge competitive advantage. And if you'd like to solve your distributed storage problems for good, keep reading to learn more about Talon's FAST™ fabric and what it can do for you.