The European Union General Data Protection Regulation (GDPR) goes into effect in less than three months, and FreeNAS and TrueNAS storage managers at companies of all sizes need to be thinking about compliance.
On May 25th, 2018, the most comprehensive privacy law to date will go into effect and it will be years before its full ramifications are understood. The European Union General Data Protection Regulation (GDPR) aims to give EU residents unprecedented control over their personally identifiable information (PII) and companies who fail to comply with the GDPR can face fines of up to 20 million Euros or 4 percent of their global annual revenue, whichever is greater. Because the protections of the GDPR apply to EU residents, not only must companies and organizations based anywhere in the world doing business in the EU be compliant, but also their data processing vendors. Let’s take a look at the key points of the GDPR from a storage management perspective in case you are not familiar with it already.
The Data Protection Officer (DPO)
Compliance with the GDPR begins with understanding and interpreting it. Get moving if you have not done so already! Multinational companies are now spending millions of dollars on GDPR compliance in the form of new staff, procedures, and technologies. At the center of compliance activities is a Data Protection Officer which at a one-person shop is probably you. The DPO should be familiar with the GDPR and assess what their company or organization needs to do to become compliant and how it will respond to GDPR-related inquiries. The GDPR requires that organizations respond to user inquiries or announce data breaches in a timely manner. “What’s a GDPR?” is not the ideal answer to an inquiry. Take this opportunity to review exactly what your company stores and why. The GDPR is just one set of requirements among many that you must comply with. Let us help you determine what TrueNAS storage solutions can provide your storage infrastructure and make the most of enterprise features like snapshots and replication.
Patch Your Stuff
The GDPR is quite firm about the disclosure of data breaches and data exfiltration incidents that impact EU residents and mandates that organizations notify both the customer and EU authorities of any such breaches within 72 hours of discovery. Challenging as such breaches may be to identify, it is best to do everything you can technologically and procedurally to avoid them in the first place. Some of this comes down to basic security best practices with regard to system updates and only giving your employees access to the minimum data that they require to perform their jobs. TrueNAS encryption at rest is one useful tool to have in your comprehensive security toolkit in service of this requirement.
“OK Google, Delete Me”
The GDPR is also quite firm about an individual’s “right to be forgotten” and you can think of this requirement as opt-in and opt-out on steroids. If you market to users in the EU when you collect personal information, you should make it clear what they are opting into and equally clear how to opt out. A simple notice of consent on a website is no longer adequate: you will need to give users the opportunity to consciously check an empty checkbox to grant consent to store their personal data, all backed by a clear privacy policy. Take time to audit your systems for personal data that belongs to EU residents, including employees, and consider isolating it within separate systems. Also, consider deleting obsolete data and backups because every step you take to narrow your compliance surface will simplify future compliance. OpenZFS datasets can provide a great data-level mechanism of isolation because they maintain the separation of not only primary data but also their associated backup replicas.
Loyal Partners?
Finally, the GDPR distinguishes data controllers from data processors, one being the maintainers of data and the other any external handlers of it. This distinction is important because the GDPR views both parties as guilty if one of them serving the other fails to comply. If your online CRM service is found to not be in compliance with the GDPR, you are considered to be out of compliance and run the risk of facing penalties. Lessons should be learned from the Equifax data breach in which the victims of the breach never signed up for Equifax services directly.
Unchartered Territory
In principle, the European Union General Data Protection Regulation is a long-overdue celebration of rights to the consumer but in practice, compliance with the GDPR will be a challenge for businesses around the world. Only case law will determine the true interpretation of the GDPR and at this early stage, I can only help point in the right direction towards compliance. iXsystems is committed to compliance with the GDPR both as a company and by providing you robust enterprise storage solutions including TrueNAS to facilitate your compliance efforts. Hopefully, the basic terminology I have provided will help you interpret the obligations and news surrounding the GDPR as this story unfolds.
Michael Dexter, Senior Analyst
