If you’ve been paying even casual attention to the news, you know that companies like Facebook, Google, and (the now defunct) Cambridge Analytica have come under fire for how they handle people’s information.
Yet underneath the media firestorm, these same companies have continued to be extraordinarily profitable (well, except for Cambridge Analytica). Those profits enable them to hire the legal and other expertise they need to skirt issues around how they use customer data.
That said, certain parts of the world are a lawless “wild west” when it comes to monetizing user data.
Now there’s a new sheriff in town. The General Data Protection Regulation (GDPR) came into effect in 2018 and it may be the most effective ammunition privacy activists have ever been able to use.
GDPR at a high level
This European Union (EU) regulation defines its framework in terms of:
- the rights of “data subjects”
- responsibilities when transferring data across borders
- general provisions and principles
It’s this last item that has attracted the most attention. Before GDPR, the unspoken business practice was that it was cheaper to pay fines than to comply with many privacy regulations.
Let’s consider one specific GDPR provision: the right to be forgotten or right of erasure.
Companies use data infrastructure in order to NOT forget data. Now they’re being told that when asked to do so, they must.
Also known as the right to erasure (which sounds like it came from some Orwellian science-fiction movie), the right to be forgotten boils down to this: when any individual asks an organization to remove all of their personally identifiable information (PII) from its data systems, that organization has 30 days to do so, document it, and inform the requestor that the “erasure” has been completed.
Compliance is still expensive, if it’s even possible
Meanwhile, companies continue to create and store more data (both structured and unstructured) than ever. The ways in which they have historically managed this data make it difficult to simply erase. They need to perform this erasure:
- across various systems
- for structured and unstructured data
- in image-based backups, the most common backup in use today
The first two criteria may prove doable, if time-consuming.
The third – erasing data in image-based backups – is impossible when using today’s technologies. These technologies cannot delete PII from a master backup and propagate that deletion to all other backups without corrupting them. At least, until now (read on to find out how).
Is non-compliance still an option?
Would it be less expensive to not meet right-to-be-forgotten requests and pay whatever penalties the EU might levy? Only if you can afford:
- fines totaling up to four percent of annual worldwide revenue (or €20 million if that’s the greater amount, according to Article 83)
- being grouped by business media in the same category as big-name privacy “scofflaws” (ideally not Cambridge Analytica, but you never know)
That’s four percent off the top and lasting brand damage (or worse) to your company. What would it be worth to your company to avoid consequences like this?
But I don’t operate in Europe, so I’m OK!
Not really. Other jurisdictions are looking at the EU’s example, to say nothing of the places that have already enacted privacy legislation. Beyond GDPR, consider Singapore’s Personal Data Protection Act (PDPA) and the California Consumer Protection Act (CCPA). Many others are being developed. Wherever you do business, you may as well treat every client like an EU data subject.
(What’s a data subject? The definition is nuanced.)
You could apply these measures to a subset of personal data subjects (aka people). But as more of them acquire regulatory protections like those of GDPR, you may find that this strategy starts to resemble an ongoing (and expensive) game of privacy law whack-a-mole.
How do I comply?
Compliance comes down to implementing infrastructure that enables you to create image-based backups – in other words, continue with business as usual – while also making compliance a straightforward process.
ioFABRIC: designed with compliance in mind
ioFABRIC works with existing backup software—we’ve made it easy to implement. ioFABRIC indexes all files and metadata so that it knows what’s in all image-based backups.
Searches for PII, and the resulting erasures, are propagated across all backups and completed without corrupting the backups. Then ioFABRIC puts its activities into reports that you can use as proof of compliance.
Look out for our post on responding to right of access requests. The compliance challenge is different, but you’ll recognize the solution. And if you have any questions about this post, let us know. We’ll be happy to give you the answers.