[Note: The author of this article is not a lawyer and this article should not be considered legal advice. Please consult a privacy specialist.]
The basic news
The GDPR covers all personal data your company stores on data subjects in the EU – whether or not your company has nexus in the EU. Personal data is defined as data that can be used to identify a person. It’s similar to the concept of personally identifiable information (PII) that we have in the US, but it is broader. PII typically includes actual identifying elements like your name, social security number, and birthday, focusing mainly on the data required to fake your identity with a lender. Personal data includes what the US calls PII, plus any data that can be used to identify you in any way, which includes things as basic as an email address, online personality (e.g. twitter handle), or even the IP address where you transmitted a message from.
A data subject is the “person” to which the personal data applies. To be subject to the GDPR, the subject must be an EU citizen residing in the EU at the time the data was created. The location of the company or its headquarters is irrelevant.
There are several aspects of the GDPR, including the requirement that companies act responsibly in gathering and storing personal data, which includes making sure that they collect only the data necessary to do the task at hand. For example, if you don’t need to store the data subject’s IP address, don’t store it. You must also take privacy into account in all aspects of system design. The GDPR calls this Privacy by Design. Some companies will be required to appoint a data protection officer, or DPO. (In this context, data protection is more concerned with privacy than with backup and recovery.)
The two requirements that data protection (i.e. backup, recovery, & archive) people are likely to be concerned with are the requirement to (upon request) supply a data subject with all their personal data, and the requirement to delete all of it if they ask you to. (You may keep some data if you can demonstrate a legitimate business need for it.) The concern here is that the GDPR covers all personal data your company has on a subject, including any data in the backup or archive systems. (More on that later.)
The good news
The general opinion about the GDPR seems to be that it was written with companies like Google and Facebook in mind – companies that store a lot of personal data on people that are not employers, partners, or customers. (Remember, unless you are advertising on Facebook, you are not its customer; you are the product. The same is true on Google unless you’re advertising on Google or using G-Suite; Gmail doesn’t count.)
As of this writing, the news about the harvest and misuse of Facebook data by Cambridge Analytica is at the top of many news feeds. This is exactly what the GDPR was written for. People that want to #deletefacebook now have a regulation that says they can tell Facebook to delete all history of their existence in Facebook, and Facebook will have to comply. Not complying will cost them even more dearly than this fiasco has already cost them.
The other good news is the following. Although the EU has been preparing for the GDPR for the last several years, a lot of companies don’t seem quite ready for it to go into effect in May. In addition, a lot of vendors aren’t sure how they’re going to help their customers comply with the GDPR. So, if you’re not ready, you’re probably not alone – especially if you live in the US. US companies seem to be just now waking up to the realization that they need to comply with the GDPR.
There are also provisions in the GDPR that give some hope. One provision talks about legitimate interests for personal data. So, if you can demonstrate a legitimate reason for a given set of data, it may be exempt from some of the GDPR requirements, like discovery and deletion. For example, a law enforcement organization certainly cannot be required to present data from an ongoing investigation that might compromise said investigation, and it cannot be required to delete all personal data on a subject just because he or she says so.
There is also a provision that talks about if things are “technically possible.” The courts may allow a defense that says, “based on the products and services we use, it is not technically possible to satisfy that request at this time.”
The not-so-good news
The key phrase in the last sentence in the previous paragraph is may. There is no case law yet. No one has any idea yet how the courts are going to interpret this new regulation. What are they going to consider a legitimate reason for keeping data? Investigation records like those mentioned previously are an easy one. What about purchase history of an existing customer? What about data related to those purchases? Do you really need to store the IP address a customer was using when they made a purchase? No one knows how the courts are going to rule on this yet.
For now, this can be interpreted as “semi-good” news – if you’re not one of the types of companies that people believe are the big targets. There’s a good chance the people at Google, Facebook, and the like are having many meetings about how to comply with these requirements from the beginning. So, this “not-so-good news” should not be taken to mean that you can sit on your haunches and wait for some case law before deciding what to do. If you haven’t already done so, now is the time to start talking to your vendors about how you will comply with some of the more challenging aspects of this regulation.
There are a lot of companies advertising “GDPR compliant” products, or products that are “GDPR certified.” At this point there is no such thing as being GDPR certified. And no product is going to make you GDPR compliant. Complying with the GDPR is as much about process and procedure as it is about the products you use. In fact, some would say even more so.
The scary news
One big question for data protection professionals is whether or not backups and archives are included when it says you have to delete a given data subject’s personal data. If they are included, what’s going to happen when you tell a data subject that it’s not technically possible to delete their data out of the middle of a backup sitting on a backup tape somewhere?
Are the courts going to interpret that as non-compliant and stick you with the huge fine of 4% of your annual revenue or 20 million Euros (whichever is greater)? If so, there will be very few companies that will be compliant come May 25, because this requirement simply wasn’t built into backup software design. Backups were meant to hold onto everything by design. Asking a backup system to selectively delete stuff is like asking the proverbial scorpion to ride on the back of the turtle without stinging it – it goes against its very nature.
If this is the first time you’re reading about the GDPR, you’ve got some catching up to do. The good news is there is a lot of information available on the official GDPR website. Make sure you’re familiar with everything there before you start reaching out to those who will try to sell you “GDPR compliant” products.
This article is published as part of the IDG Contributor Network.