Under the EU's new General Data Protection Regulation, enterprises around the world must not only keep personal data private, but they will also be required to "forget" any personal data related to an individual on request -- and the GDPR right to be forgotten will be a significant part of compliance with the new rule.
When enforcement of the new regulation begins on May 25, 2018, any person located in the European Union -- anyone residing in the EU, not just EU citizens -- can request their personal information be removed from corporate databases in a timely fashion, or know the reason why it can't.
Gary Watson, vice president of technical engagement at Nexsan, the on-premises storage vendor based in Campbell, Calif., spoke with SearchSecurity to explain some of the ins and outs of complying with the GDPR right to be forgotten rules.
"Keeping data longer than the mandatory retention period becomes a liability," Watson told SearchSecurity. "You want to keep data as long as you're required to -- and not a day longer, because it usually becomes a liability to hang onto people's data beyond when you need to have it, for any number of reasons. If you have a breach, it increases the number of people you've got to pay for compromising their data. If you have 50,000 active customers and 100,000 inactive customers, it's a lot easier to compensate 50,000 people than 150,000 people if something does go wrong."
Being able to delete customer data on demand is a key part of the GDPR right to be forgotten, but not the only part. The primary objective of GDPR is to keep personally identifiable information private, and to do that it is necessary to do all the homework first, according to Watson.
"GDPR requires you to make sure your systems are available, recoverable, high availability and high integrity. They want you to look at 'the state of the art of confidentiality, integrity, availability and rapid restore.' You're supposed to have looked at all that stuff, as part of GDPR. It's not a separate requirement," Watson said. "The privacy thing does not relieve you from the requirement to make the system reliable. If somebody asks for a copy of their private data, it's not going to be OK to say, 'Oh, gee we're sorry, that system crashed last week, we lost your data, sorry about that,' because they're allowed not only to tell you to forget their data, they're allowed to demand a copy of their data -- and you had better provide it when they ask for it."
What's a CISO to do?
While it's not clear how strictly the EU will enforce the GDPR right to be forgotten rule, Watson said, avoiding possible fines will require destroying all copies of data related to a person. Data must be scoured not just from the main databases but also from all backups, and it must be deleted completely. "There are some technical solutions you need to think about to make sure that when you dispose of something it's really actually gone."
CISOs need to "understand where personally identifiable information is stored and processed in their organization. If it's copied into PowerPoints and Word documents and things like that, they've got to understand that and they've got to know how to find that data once the time comes," Watson said. "It'll behoove a company to take a really good hard look at that, and not be careless about hardening the archives and making sure people don't throw away backup copies when they're not supposed to."
Mobile applications also present a challenge. With a mobile workforce, "there's a huge problem." For example, an insurance company with adjusters who take pictures of a damaged house or car, "that's personal information," Watson said. "They're taking a picture on their phone, they store it on their laptop, God knows how many copies of it are where. What are you doing to control that data when the guy says, 'delete my files'? What are you doing, and how can you prove that you did it?"
Automation will also likely play an important role in complying with the GDPR right to be forgotten, according to Watson. "A lot of this needs to be automated because it's not OK to have people randomly looking through the data, so you really need to have a system that's designed to take care of the data automatically as opposed to relying on a person because that would be a privacy issue."
Companies also need to be able to respond promptly to requests to review personal data, as well as requests from customers to be forgotten, Watson said. "They have to be able to search and find and return all of the data associated with a particular person to them rapidly, so if somebody says, 'give me my files,' you have to be able to find them fast and deliver them fast, and I don't think a lot of errors are tolerated in that."
Working with backups and third-party providers on GDPR
Watson pointed out that the right to be forgotten is not necessarily absolute, and in some cases a company may want -- or need -- to retain data, such as when it relates to a loan that is still outstanding, so CISOs should have a process in place to identify those cases.
When a person requests their data be deleted, Watson said companies should have "a very high-confidence mechanism -- and a traceable mechanism -- for making sure you destroy their data in such a way it's exceedingly unlikely to pop back up accidentally at some time in the future. So, in other words, don't leave it on backup tapes; if you ever restore from backup tapes and the data is on there, you're in trouble. You've got to have a process for that."
Using third-party IT providers, whether for cloud services or for other reasons, raises further compliance issues for the GDPR right to be forgotten.
"If you use third parties for any of this, you've got to make sure you understand what they're doing, because you're kind of jointly liable for all of it," Watson said. "Even if you are the third party, you could get into serious trouble if people are storing this data on your systems and you don't understand your role in this."
"Since storage has become cheap, there's a trend to store everything, forever, because it's easier and cheaper to do than culling the data which we used to have to do when storage was expensive," Watson said. "Now, that's flipping on its head, you've got to go back and say 'regardless of how cheap this storage is, we've got to make sure we're not inadvertently storing stuff longer than we're supposed to.'"
What else to worry about? In light of Brexit, GDPR compliance can become even more complicated, Watson said. For companies with a presence in both the U.K. and the U.S., the U.S. subsidiary needs to be careful about how it handles any data that may refer to U.K. customers, "because they'll go after our U.K. subsidiary if we make a mistake in the U.S."
"It's a global responsibility, and all of your divisions around the world have to comply with the EU requirements, or they'll take it out on any EU business you do."
What else should a CISO be aware of? Watson said, "If you're not using encryption you've got to get that done. Encrypt the data; encrypt data in transit and at rest; be extremely careful about key management -- they really want you to keep the keys separate from the data."
"It seems like they want to make it so part of the keying process is related to the individual customer, like you're salting the encryption key with the customer ID number or something."
"GDPR is like a lot of EU regulations: It's an enormous, nebulous responsibility with huge penalties -- and it's going to be really challenging," Watson said. "People have IT that's evolved over a decade that may or may not have those themes built into it, and it takes a long time to migrate and change data. I assume the EU will be forgiving about people who are making a reasonable best effort process, but that's yet another thing for the CISO to worry about."