Compliance for SMBs from a storage perspective
The European Union’s General Data Protection Regulation (GDPR) intends to strengthen and unify data protection for all individuals within the European Union.
It also addresses the export of personal data outside the EU. Those organisations outside of the European Union but holding data on EU citizens are subject to GDPR.
Its primary aim is to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
GDPR mainly contains information about how personal data should be processed and defines the roles of a processor and a controller of data. It also includes information on how to work with data protection by design and data privacy by default.
GDPR will come into effect on 25 May, 2018.
Small and medium-sized businesses (SMBs) that hold data on EU citizens are responsible for the protection of the data they store.
This data needs to be stored systematically and protected from theft and misuse.
SMBs also need to be able to meet GDPR data subjects’ rights, which are as follows:
Data retention is also an important factor. Some types of data need to be deleted after a certain time has expired, for example personal data collected in connection with a product purchase and its associated warranty.
In addition, there are other types of data that need to be stored for a minimum amount of time, such as certain financial data.
In practice, this means that SMBs need to know where personal data is stored and be able to respond to data requests in a timely manner.
Those organisations that don’t comply with GDPR run serious risks in the event of a major systems breach, such as hackers stealing the contents of a customer database.
Financial penalties can reach an upper limit of €20 million or 4% of annual turnover, whichever is greater.
Most large organisations are doing all they can to meet GDPR requirements. They are cognisant of the implications if their data is breached.
However, some smaller and medium-sized organisations are adopting a ‘wait and see’ approach.
They believe that GDPR mainly addresses and affects big corporations that collect and deal with huge amounts of personal data, such as social networks, cloud providers or search engines.
Many of these organisations are waiting to see what happens when a peer company falls foul of the legislation.
This approach is potentially damaging given that the threat of insolvency or even closure as a result of GDPR penalties is very real.
GDPR applies to all companies, no matter how big they are or how large their turnover.
Under the GDPR mandate, companies have to ensure they approach data protection by ‘design and default’.
At a high level, this means that companies must secure their systems and processes to ensure data does not leak out and is not easily hacked.
It requires that data protection is designed into the development of business processes for products and services.
This requires that privacy settings be set at a high level by default, and that technical and procedural measures throughout the entire data processing lifecycle comply with the regulation.
Additionally, organisations need to implement mechanisms to ensure that personal data is only processed when necessary for each specific purpose.
Furthermore, there are several other measures that are equally important:
(TS3000/3010 & TS5000/5010, sold separately)
Backup, replication, failover and encryption
GDPR data protection in practice
Data protection by design and default might directly impact your data storage solution.
The requirements mean you need data storage that is both easy to access and manage and also has privacy and protection designed into its foundation.
If personal data is stored in-house on a server, network attached storage (NAS) or other devices, the following features should be incorporated into the storage device to ensure GDPR compliance:
There are some fundamental storage security steps that SMBs need to take to ensure they meet GDPR mandates for protecting personal data.
Buffalo TeraStation™, the most secure NAS and fully GDPR compliant
Buffalo TeraStation™ NAS, specifically designed for SMBs, provides the following features, all of which ensure full GDPR compliance.
There are several Buffalo TeraStation™ models available, each one designed to meet the specific needs of different sized organisations.
Central to successful GDPR compliance for SMBs is the need for a company gatekeeper who takes responsibility for managing and protecting customer data. Nominating an ‘individual’ as compliance gatekeeper ensures a consistent focus.
The gatekeeper can identify compliance gaps, map out needs and introduce and monitor management processes that dovetail with requirements. In short, they become the GDPR compliance ‘expert’ and the fulcrum for successful compliance.
GDPR refers to data controllers, data processors and data subjects.
Many SMBs will likely be both data controllers and data processors.
Personal data is defined as any information related to an EU citizen that can be used to directly or indirectly identify the person.
This can include anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information and even a computer IP address.