The European Union's General Data Protection Regulation (EU) 2016/679, which applies from 25 May 2018, has the potential to greatly disrupt IT storage and data management operations along with other aspects of business.
Among the 99 articles in the GDPR, Article 17 may have the most impact on IT professionals.
Article 17 is the “right to erasure,” commonly called the “right to be forgotten.” Briefly, where one of the grounds in Article 17(1) applies (for example, the data is no longer necessary for the purpose it was collected for, or the individual withdraws consent or objects to the processing), an individual can require the data controller to erase their personal data without undue delay, and under Article 12(5) the request is free of charge. That means every copy of the individual’s personal data: files, records in a database, replicated copies, backup copies and any copies that have been moved into an archive. This requirement is enough to make even a young IT pro consider early retirement.
The terms data controller and data processor must be understood in relation to GDPR. A data controller is “the individual or legal person who controls and is responsible for keeping and using personal information on computer or in structured manual files”; in the regulation’s own words (Article 4(7)), the party that determines the purposes and means of the processing. In practice this is the company or organization itself. Its IT function implements the controller’s obligations but does not hold them.
A data processor is the group or organization that “holds or processes personal data, but does not exercise responsibility for or control over the personal data.” Typical examples are a cloud provider or an outsourced data center that processes data on the controller’s behalf; an in-house data center is part of the controller, not a separate processor. The controller decides what must be erased and is responsible for ensuring it has been erased; the processor carries out the erasure on the controller’s documented instructions (Article 28) and may neither retain copies nor make them available for other uses.
A few important points to consider:
- Article 17(3) lists a few narrow exemptions (legal obligations to retain the data, public-interest archiving and research, the exercise or defense of legal claims), but there is no general escape clause, so organizations must plan for the erasure process.
- “Without undue delay” is measured in days or weeks, not months: Article 12(3) requires the controller to act on the request within one month, extendable by a further two months only for complex or numerous requests and only if the individual is told why. It certainly does not mean waiting until the media become unreadable or older backup copies get overwritten.
- If the personal data was disclosed to other organizations, Article 19 requires the controller to notify each recipient of the erasure unless that proves impossible or involves disproportionate effort, and Article 17(2) requires a controller that made the data public to take reasonable steps to inform other controllers processing it that erasure has been requested.
- The requirement is more global than you may think. Under Article 3 it applies to any organization established in the EU regardless of where the data is stored or processed, and to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU. To do business in the EU, you must guarantee the privacy protection of those individuals.
- The penalties are enormous. Failing to honor a data subject’s rights, including erasure, falls in the top tier of Article 83(5): up to €20 million (about $23.3 million at the time of writing) or 4% of total worldwide annual turnover, whichever is higher, and a single unerased individual is enough to expose the organization to it. The lower tier of Article 83(4), up to €10 million or 2%, covers controller and processor obligations such as records of processing and processor contracts, and the accountability principle means the controller must be able to demonstrate that the erasure actually happened. This will force executives to be proactive with IT in ensuring that erasure capabilities and verification are in place.
Right to erasure implications for IT
The concept of tracking down all copies of data and erasing a specific individual’s personal data seems almost impossible. Consider the simple case of personal data in a database. How many copies of that database exist and where are they? How many DBAs have made extra copies for testing and extra protection? This will be an intensive, time-consuming task. Even worse, it is not a revenue-producing function.
No specific solution exists in general usage today. Using backup catalogs is not a complete answer because other copies can be made outside of the visibility of the backup or copy data management software.
Some application vendors have put forth the practical approach of encrypting each individual’s personal data and maintaining a person-specific encryption key. Only the application software would have the visibility and knowledge of what personal data is needed to control the encryption. This would be an effective means for erasure because destroying the personal encryption key would erase all copies. This would eliminate the need to process all copies — backup, replicated, privately held and so on — for the erasure.
There are obvious problems with the approach, though. It requires application changes and creates issues with data that is shared between applications or used for other purposes, and it makes the key store the crown jewel: the scheme only erases data if the subject’s key is destroyed from every copy of the key store, including its backups, and if decrypted plaintext has not leaked into logs, caches, search indexes or exports along the way. These problems are real but tractable. Hardware encryption support, such as AES-NI on Intel x86 (including Skylake) and the on-chip encryption in the IBM z14, largely removes the performance impact on applications.
Encrypting data at the application level, where the content is understood, makes sense, but there are downstream consequences. Storage-side compression and deduplication find no redundancy in ciphertext: each individual’s data is under a different key and each record carries a fresh nonce, so even identical plaintexts produce unrelated ciphertexts. Losing those data reduction techniques increases storage capacity requirements. Data reduction can still be done, but it has to move up into the application, before encryption, to have the same effect. Likewise, discovery of what is stored has to go through the applications rather than trawling the data itself.
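The per-individual-key scheme described above, usually called crypto-shredding, as an added example in Go; this is not code from the original article or from any vendor’s product. It assumes an in-memory key vault standing in for an HSM or KMS, uses AES-256-GCM from Go’s standard library, and the subject ids and personal data are constructed sample values. Backups and private copies are modelled as byte-for-byte duplicates of the stored record that the vault never sees, which is exactly why destroying the key is the only operation that reaches them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded: no key exists for the record's subject, so no surviving copy of the ciphertext is recoverable.
var ErrShredded = errors.New("no key for subject: personal data has been erased")

// KeyVault maps a data-subject id to that subject's AES-256 key. In production this is an
// HSM or KMS with audited deletion; the in-memory map is a stand-in for the example (assumption).
type KeyVault map[string][]byte

// keyFor returns the subject's key, minting a fresh random one on first use.
// A subject re-onboarded after Shred gets a new key, so old ciphertexts stay unreadable.
func (v KeyVault) keyFor(subject string) ([]byte, error) {
	if k, ok := v[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v[subject] = k
	return k, nil
}

// Shred erases a subject by destroying their key; primary rows, replicas and backups are never touched.
func (v KeyVault) Shred(subject string) {
	if k, ok := v[subject]; ok {
		for i := range k {
			k[i] = 0 // zeroise before dropping the reference
		}
		delete(v, subject)
	}
}

// Record is what the application persists: subject id in the clear (to find the key), data as AES-GCM ciphertext.
type Record struct {
	Subject string
	Nonce   []byte
	Cipher  []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts personal data under the subject's key, binding the subject id as associated data
// so a record cannot be re-attributed to someone else.
func (v KeyVault) Seal(subject string, plaintext []byte) (Record, error) {
	key, err := v.keyFor(subject)
	if err != nil {
		return Record{}, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{subject, nonce, aead.Seal(nil, nonce, plaintext, []byte(subject))}, nil
}

// Open decrypts any copy of a record while the subject's key still exists.
func (v KeyVault) Open(r Record) ([]byte, error) {
	key, ok := v[r.Subject]
	if !ok {
		return nil, ErrShredded
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Cipher, []byte(r.Subject))
}

// Copy stands in for a backup, replica or DBA's private copy: a duplicate the vault knows nothing about.
func Copy(r Record) Record {
	return Record{r.Subject, append([]byte(nil), r.Nonce...), append([]byte(nil), r.Cipher...)}
}

func main() {
	vault := KeyVault{}
	rec, err := vault.Seal("subject-42", []byte("Jane Doe, jane@example.com")) // constructed sample
	if err != nil {
		panic(err)
	}
	backup := Copy(rec) // on tape, in a replica, on a laptop...
	pt, err := vault.Open(backup)
	fmt.Printf("before shred: %q, %v\n", pt, err)
	vault.Shred("subject-42")
	pt, err = vault.Open(backup)
	fmt.Printf("after shred:  %q, %v\n", pt, err)
}
```

The evidence of erasure in this design is the key-destruction record from the HSM or KMS, not a sweep of storage, so that record must be audited and the key store must itself never be backed up or replicated outside the system that can honour the deletion. Sealing the same plaintext for two different subjects yields unrelated ciphertexts, which is the concrete reason downstream deduplication stops working.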
The magnitude of the problem to meet the EU GDPR regulations overall is major, and Article 17, the right to erasure, is almost overwhelming. You may find halfway approaches that only work in certain cases. But beware of these incomplete approaches. They ultimately may cost more to implement and may still result in the extreme fines when the incomplete nature is exposed. The impending date is a hard deadline — there are no stages to adoption. You need to develop a strategy now and plan your implementation.