You’ve already been warned: the European Union’s GDPR (General Data Protection Regulation) is coming into effect May 25. In this blog, our CEO, Steven Lamb, will answer a few questions from ioFABRIC customers about what’s happening, why, and what you need to do.
Q: I work for a North American company, why would this apply to me?
The main reason is jurisdiction. The GDPR “applies to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location.”
This means if you have any data at all that could personally identify an individual living in the EU, you must comply. The GDPR specifically applies to companies “offering goods or services to EU citizens (irrespective of whether payment is required).”
Let’s say you run a website devoted to the Star Wars series. If you sold your hand-painted Leia and Rey merchandise to a fan in the EU, and you’ve retained that customer’s email and physical address – congratulations, you are obligated to protect that person’s data.
If someone in London posts an epic rant on your blog about everything they hated with Luke in The Last Jedi, and you use a blog platform that saves that person’s IP address – congratulations, you are obligated to protect that person’s data.
Other examples of personally identifiable information, aside from the obvious, include photos, bank account numbers, and social networking posts.
Q: How is the GDPR different from other data privacy regulations?
Most regulations share key principles of data security, but govern a specific industry or a specific type of data – HIPAA covers the privacy of health data such as medical records, while PCI DSS covers credit card data.
GDPR is somewhat unique in covering any “directly or indirectly” identifying information, used by any organization, making it quite broad.
Like these regulations, some of which are decades old now, the GDPR is not entirely new: many of its basic requirements have been in place in the EU since 1995. But it’s 2018, and the way data is collected, analyzed, and used is radically different today, necessitating a change.
Facebook and Google may be the most notorious examples of collecting our data for advertisers, but the practice of deriving business insight from customer data is common in most large companies.
(As I write this, in fact, Facebook is coming under fire for a data breach that allowed the Trump campaign access to the personal information of 50 million users.)
Because the amount of data collected about us is now enormous, the efforts to protect it need to be correspondingly sweeping.
This is why the GDPR will also cover “the monitoring of behavior” within the EU, such as tracking the website pages your London fan visits to determine if they secretly like the Star Wars prequels.
Q: You already told me about hybrid cloud. How else does ioFABRIC ensure we’re GDPR-compliant?
Rather than “ensuring GDPR compliance,” think of ioFABRIC as an overall data protection strategy.
The most likely reasons for a data breach are cyber attacks and ransomware attacks. We already have many resources for helping protect data from these attacks, but to summarize, our immutable snapshots allow recovery from any point in time, on-premises or in the cloud, with no data loss.
Another way we ensure protection: when hardware fails and a copy of data is lost, the volume that lost the data is marked as degraded.
If our automatic processes cannot heal the volume, or all copies of a piece of data are lost, then the volume will stop immediately to prevent applications from using or creating inconsistent data. In the case of network or other issues across multiple sites, access will be redirected or temporarily suspended to protect against data inconsistency.
If you have other questions about the GDPR, or just want to chat about Star Wars, let me know!