General Data Protection Regulation (GDPR)

It’s 2018: the year of GDPR compliance. Despite looming reminders, it has snuck up on us in a sudden surge. The deadline for compliance has come & gone, but that doesn’t mean our jobs are done. The journey to GDPR compliance is persistent and perpetual. Here are the most important things for you to know.

Brief note: we hope you find the information below both informative and useful, but please consult your own legal counsel regarding compliance advice for your specific situation. There’s no one-size-fits-all solution, but feel free to contact us if you’d like more information about Trilio’s capabilities to assist your organization and cloud with compliance.

What is GDPR

In 2016, EU Parliament finalized the EU General Data Protection Regulation (GDPR). This regulation brings a sweeping change to consumer data protection and privacy that applies not only to companies in the European Union, but around the world.

The essence of GDPR isn’t complicated: to help enhance EU citizens’ ability to control what data companies may hold about them. Many organizations have taken steps to become GDPR compliant and have put core processes and procedures into place to attain, maintain, and prove GDPR compliance. However, almost equally as many companies have not even started. In fact, most organizations do not yet see themselves as being fully compliant.

The reality is that GDPR increases the complexity of compliance and cloud security and demands a great deal of control over cloud resources – perhaps more than any previous regulation or government mandate. If you are running your own cloud, you need to ensure you can do everything mandated under GDPR on your own.

Download the GDPR Playbook

GDPR for Private Cloud Playbook

Companies tasked with achieving compliance for their private cloud have a weighty responsibility. This guide provides an outline for planning and maintaining GDPR compliance for your private cloud environment.

GDPR Core Components

Scope

Any company holding information about EU citizens must comply, regardless of that company’s location

Consent

In order to collect & use information about EU citizens, companies must collect incremental & explicit consent (“pre-checked” boxes are not acceptable)

Penalties

In the most severe cases, up to 4% of an organization’s annual revenue or €20 million (whichever is greater)

Deadline

The EU began fully enforcing GDPR on May 25, 2018

GDPR Summary of Rights

Data Subject Rights: What It Means
Breach Notification
  • Breach notification is mandatory in all member states (there are caveats)
  • Notification must occur within 72 hours of first becoming aware that there was a breach
  • Companies that process data will also be required to notify their customers as soon as they are aware of the breach
Right to Access
  • EU citizens can ask companies if their personal data is being processed, where, and why
  • Companies must provide a copy of the data being collected in electronic format upon request
Right to Be Forgotten
  • EU citizens can ask companies to stop collecting/disseminating their personal data, ask them to erase that data, and hire a third party to prevent their data from being further processed
  • Data can be erased if it is no longer needed for its original purpose, or if consent is withdrawn
Data Portability
  • Controllers must enable EU citizens to take a machine-readable copy of their personal data from one company or provider to another
Privacy by Design
  • Companies must build data protection into their technology and operations at the outset, including via encryption and pseudonymization
  • Companies also must minimize the data they collect to only what is necessary to run their business and deliver services
Data Protection Officers
  • Companies whose core activities include data processing will need to appoint a Data Protection Officer whose sole focus is data protection
  • Those companies must also adopt regular and systematic monitoring of data subjects

The Impact of GDPR on Private Clouds

Check out our list of common challenges & tips for successful GDPR compliance in private clouds.

How GDPR Impacts Your Cloud

For businesses that are heavily reliant on cloud-based applications and networks, some of the requirements of GDPR may be intimidating. For example, data localization stipulations require that data is kept in the country of origin, unless the destination country meets or exceeds GDPR compliance regulations. For all intents and purposes, that means any organization storing personal data in a public or private cloud must comply with GDPR, unless it is 100% certain that its databases contain no data of EU citizens.

Additionally, if you’re using any cloud-based systems outside your organization’s direct control like cloud-based backup, outsourced customer support, or SaaS application providers, they are considered ‘data processors.’ If these organizations are not GDPR compliant, both that company and yours could be held accountable. Beyond that, you really want to choose good partners: if a user requests to see the data you’ve collected about them, you want to be sure the third-party vendors you’ve chosen will help you deliver on that request within a month.

GDPR and Private Clouds

For many organizations, choosing a private cloud means enjoying more flexibility, control, and security when it comes to managing business technology systems and data. It’s certainly an advantage when it comes to complying with new regulatory mandates, such as the European Union’s General Data Protection Regulation (GDPR): private clouds provide considerable resilience, agility and control. To be sure, this will help those organizations in their GDPR compliance efforts, but there are also sizable challenges ahead.

While a private cloud holds the advantages of security, control, and agility, managing a private cloud securely and meeting regulatory demands comes with significant challenges. You’ll face numerous obstacles in the rush to become GDPR compliant as quickly as possible, and as efficiently and cost-effectively as possible.

What are these challenges? In many ways, they are intertwined with the benefits of private clouds. When it comes to the security aspects of regulatory compliance and the cloud, it’s rather easy to make mistakes with severe security and compliance implications, precisely because changes in modern cloud environments are so quick and effortless to make. For example, a misconfigured storage cluster, loosely set permissions on a server, a rogue container, and many other simple mistakes could lead to the inadvertent release of personally identifiable information.

The reality is that, within any complex computing environment, security and regulatory compliance are simply not possible without putting forth the effort to ensure the right technical safeguards and supporting processes are always in place. These include continuously applying risk assessments, managing configurations so that software is kept up to date, keeping sensitive data encrypted in transit and at rest, and most other security controls that constitute contemporary best security practices.

While most people think of data breaches as an attacker stealing information, the GDPR definition is much broader. In addition to what is traditionally considered a data breach, GDPR also treats the accidental destruction of data as a violation. This is because GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This means that, in addition to preventing data theft and unauthorized access, enterprises are now charged with being able to recover data that has been destroyed, contaminated, or altered in any way.

That’s a tall order, to be sure. To help organizations sort out this monumental task, we’ve assembled an ebook with key focus areas any organization needs to cover as they formalize their data protection rules and processes.

Catching Up: First Steps to Bringing Your Company Into Compliance

View our playbook on planning and maintaining GDPR compliance for your private cloud

How TrilioVault Helps You With GDPR Compliance

Since GDPR doesn’t just apply to production data (it applies to all information you have or once had on individuals living within the EU), your company needs to be equipped to field these types of requests. That means, when an individual requests that you remove his or her data (which can be notoriously difficult), you’ll need to be able to find and purge every instance of that information from everywhere it is stored, including test environments and backups.

Many backup companies store data in a proprietary format, forcing you to continue your license agreement in perpetuity in order to use that data and meet compliance demands. This makes data difficult to access, search, and erase.

Trilio, by contrast, embraces open standards. With TrilioVault, it’s easy for you to search, mount, and delete information from workloads where you need to. Plus, all your data is stored in a QCOW2 format, so you can access and modify your snapshots regardless of your licensing status. Here’s how:

GDPR Requirement: How TrilioVault Supports It
Breach Notification
  • Enables third-party security scanners (e.g. Nessus) to scan backup data in order to identify vulnerabilities
Right to Access
  • Allows backup sets to be completely searched in order to find data associated with specific users/groups/organizations
Right to Be Forgotten
  • Allows IT Administrators and individual tenants to delete files from all backup sets
Data Portability
  • Stores data in native QCOW2 format
  • Stores complete workload (OS, app, network) so that each backup is “fully formed” and transferable
Privacy by Design
  • Is the industry’s only enterprise-grade native data protection solution for OpenStack
Data Protection Officers
  • Provides reports for the DPO

Applications often need a bit of tailoring so backup applications can aid them in achieving GDPR compliance.
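As an added illustration of why an open, documented backup format matters for portability and for the checks a data protection officer might want to run (this is not Trilio’s code or any TrilioVault API; it is written here from the public QCOW2 header layout), the following Python parser reads a QCOW2 header and reports the image’s virtual size, whether it is encrypted at rest, how many internal snapshots it holds, and whether it depends on an external backing file, in which case the backup is not self-contained and cannot be transferred on its own. The sample image bytes are constructed inline.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# First 72 bytes of the QCOW2 header (big-endian), per the QCOW2 specification
_HDR = struct.Struct(">4sIQIIQIIQQIIQ")
CRYPT_METHODS = {0: "none", 1: "AES (legacy)", 2: "LUKS"}


def inspect_qcow2(image: bytes) -> dict:
    """Parse a QCOW2 header and report the properties that matter for a
    portable backup: size, at-rest encryption, snapshots, backing-file dependency."""
    if len(image) < _HDR.size:
        raise ValueError("too short to be a QCOW2 image")
    (magic, version, backing_off, backing_len, cluster_bits, size, crypt,
     _l1_size, _l1_off, _rc_off, _rc_clusters, nb_snapshots, _snap_off) = _HDR.unpack_from(image)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 image (bad magic)")
    if version not in (2, 3):
        raise ValueError(f"unsupported QCOW2 version {version}")
    backing_file = None
    if backing_off:  # name of the external image this one depends on, if any
        backing_file = image[backing_off:backing_off + backing_len].decode("utf-8", "replace")
    return {
        "version": version,
        "virtual_size": size,
        "cluster_size": 1 << cluster_bits,
        "encryption": CRYPT_METHODS.get(crypt, f"unknown({crypt})"),
        "internal_snapshots": nb_snapshots,
        "backing_file": backing_file,
        # A backup that depends on a backing file is not "fully formed":
        # it cannot be restored or handed to another provider on its own.
        "self_contained": backing_off == 0,
    }


def build_sample_header(*, size, crypt=0, snapshots=0, backing=None) -> bytes:
    """Constructed sample: a bare v3 header (no data clusters) for testing only."""
    hdr_len = 104  # fixed header length of a version 3 image
    backing_bytes = backing.encode() if backing else b""
    backing_off = hdr_len if backing_bytes else 0
    head = _HDR.pack(QCOW2_MAGIC, 3, backing_off, len(backing_bytes), 16, size,
                     crypt, 1, 65536, 131072, 1, snapshots, 196608 if snapshots else 0)
    # v3 fields: incompatible/compatible/autoclear feature bitmaps, refcount_order, header_length
    head += struct.pack(">QQQII", 0, 0, 0, 4, hdr_len)
    return head + backing_bytes
```

Run `inspect_qcow2` over the first few kilobytes of each backup image to flag unencrypted images and images that are not self-contained before relying on them for a portability or restore request.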

To find out more about how you can do that with Trilio, please contact us.
