
IT Briefcase Exclusive Interview: GDPR – Are You Prepared?

January 29, 2018

With the General Data Protection Regulation (GDPR) set to take effect in May, some might still be asking themselves, “Am I ready?” There is a lot to know about the new regulation, and it will have a major impact on many companies. So what exactly needs to be done to prepare, and what can be expected from GDPR? Paul Speciale, Chief Product Officer at Scality, takes us through the important questions we should be asking ourselves as the date approaches.

  • Q. What major changes should companies expect with GDPR?

A. It was only two decades ago that nearly all enterprise data was stored in corporate managed data centers, and occasionally sent offsite to a physical archive such as at Iron Mountain for longer-term retention. Corporate IT environments now include Remote Office Branch Office (ROBO) as possible data repositories, and of course cloud services such as AWS S3, Microsoft Azure and cloud file sharing services. Much of this enterprise data encompasses information about customers, such as their contact and payment information in production systems such as databases, as well as backups and archives.

Prior to GDPR, it was the enterprise that could decide about where, when and how long to store this type of “personally identifiable data” about people. This becomes a key concept subject to scrutiny with GDPR. For example, corporations must now have the ability to identify all of their data and where it is stored and located. Moreover, there are now greater individual rights for people to decide how business will use their data, and even whether or not the data should be retained or forgotten.

There are therefore some major changes coming from GDPR that relate directly to data management:

- Data awareness and location: corporations must start with a complete picture of what data they are storing, where the data is located, and on what systems or clouds. This has implications on inventory, search, reporting and auditing of vast amounts of data and the storage systems holding that data.

- Sovereignty: GDPR also states that data must be stored and maintained within specific countries and locations of origin, and not allowed to flow to external storage locations outside of those boundaries, or even to external clouds.

- Retention and “forget” requirements: businesses have started to preserve key data for a longer period of time, but GDPR forces new functions for purging/deleting some personally identifiable data, unless the business can prove it is required.

  • Q. Who is expected to comply with GDPR?

A. GDPR has a decidedly global domain. It doesn’t matter where the data is stored or where your company is located. If the “data subject” resides in the EU, the GDPR in general and Article 17 in particular apply. Secondly, “without undue delay” means days, not months. No excuse, justification, or defense is acceptable for non-compliance with an EU citizen’s erasure request. Every instance and copy of their data in your possession must be expunged, and quickly. Never mind that right now, most companies couldn’t track down every one of these instances — even if their corporate lives depended on it.

  • Q. What can be expected should one not meet the new regulation?

A. Through GDPR, the European Union has now made data management rules uniform across all of its member nations, and also made the requirements much more stringent. For example, data breaches now have a strict reporting requirement of three days from the time they become aware of such an event. Fines are now very impactful, stating that even failure to report a breach can result in penalties of millions of Euros up to 2 percent of a corporation’s annual revenues, and a willful or negligent violation can result in a fine of 4 percent of the corporate annual revenues.

  • Q. Is there a grace period once GDPR hits?

A. GDPR goes into effect in May 2018, and there is apparently no grace period for companies doing business with European citizens.

  • Q. What are three ways that a company can best prepare for GDPR?

A. From a data management and storage perspective, there are a few baseline prerequisites:

- Understand where data is stored, whether on-premises or cloud, and in what locations.

- Always use encryption for data, both at rest and in flight. It’s preferred to have user-managed encryption keys.

- Always track user access and security access; since breaches will happen, make sure to keep the logs for future audits.
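As an added example (not code from the interview or from Scality), the following Python turns the three prerequisites above, together with the sovereignty and “forget” points from the earlier answer, into an audit over a constructed storage inventory: each repository is checked for a known and permitted location, encryption at rest with customer-managed keys, encryption in flight, and access logging with adequate retention, and an erasure request can be resolved to every copy that holds a given data subject. The repository names, regions, the allowed-location set and the 365-day log-retention threshold are assumptions of the example.

```python
# Added example (not from the interview or from Scality): an inventory audit
# that expresses the baseline GDPR data-management prerequisites as checks.
# Repository names, regions, allow-list and thresholds are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class StorageRepo:
    """One place where enterprise data lives: a database, backup set,
    ROBO file share, on-premises object store or external cloud bucket."""
    name: str
    location: Optional[str]        # region or country code; None = unknown
    encrypted_at_rest: bool
    key_owner: str                 # "customer" (user-managed keys) or "provider"
    encrypted_in_flight: bool      # TLS on every client and replication path
    access_logging: bool
    log_retention_days: int
    subjects: Set[str] = field(default_factory=set)  # data-subject ids held here


# Assumed allow-list: where this enterprise may keep EU residents' data.
ALLOWED_LOCATIONS = {"eu-west-1", "eu-central-1", "fr-paris-dc"}


def check_repo(repo: StorageRepo, allowed: Set[str], min_log_days: int = 365) -> List[str]:
    """Return the findings for one repository (an empty list means compliant)."""
    findings: List[str] = []
    # Data awareness and sovereignty: an unknown location is itself a finding.
    if repo.location is None:
        findings.append("location unknown; cannot demonstrate where data is stored")
    elif repo.location not in allowed:
        findings.append(f"location {repo.location} is outside the allowed boundary")
    # Encryption at rest, preferably with user-managed keys.
    if not repo.encrypted_at_rest:
        findings.append("not encrypted at rest")
    elif repo.key_owner != "customer":
        findings.append("encryption keys are provider-managed")
    # Encryption in flight.
    if not repo.encrypted_in_flight:
        findings.append("data in flight is not encrypted")
    # Access tracking, with logs retained long enough for a later audit.
    if not repo.access_logging:
        findings.append("access logging disabled")
    elif repo.log_retention_days < min_log_days:
        findings.append(f"log retention {repo.log_retention_days}d is below {min_log_days}d")
    return findings


def audit(inventory: List[StorageRepo], allowed: Set[str],
          min_log_days: int = 365) -> Dict[str, List[str]]:
    """Audit every repository; maps repository name -> list of findings."""
    return {r.name: check_repo(r, allowed, min_log_days) for r in inventory}


def locate_subject(inventory: List[StorageRepo], subject_id: str) -> List[str]:
    """Every repository (backups and archives included) holding a data subject:
    the full list an erasure request has to be applied to."""
    return sorted(r.name for r in inventory if subject_id in r.subjects)


# Constructed sample inventory: one compliant system, one ROBO share with an
# unknown location and no controls, one archive copied to a US bucket.
INVENTORY = [
    StorageRepo("prod-customer-db", "eu-central-1", True, "customer", True, True, 400,
                subjects={"subj-1001", "subj-1002"}),
    StorageRepo("robo-fileshare-lyon", None, False, "provider", True, False, 0,
                subjects={"subj-1002"}),
    StorageRepo("archive-bucket-us", "us-east-1", True, "provider", True, True, 90,
                subjects={"subj-1001", "subj-1003"}),
]


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, ALLOWED_LOCATIONS).items():
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print(f"  - {finding}")
    print("erasure of subj-1001 must cover:", locate_subject(INVENTORY, "subj-1001"))
```

The audit treats an unknown location as a finding rather than skipping it, because the first prerequisite is knowing where data is at all; and `locate_subject` deliberately includes backups and archives, since an erasure request is only satisfied when every copy is covered.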

  • Q. What are the benefits or any drawbacks you see for your customers after implementing GDPR? Will their user experience be any different?

A. Customers will see benefits of more security in several ways:

- Additional protection of their personal data, as it will force greater use of encryption and hence reduce the chance of data leaks or exposure of identifiable data
- The ability to choose whether personal data is maintained, to a greater extent than before
- Ultimately this forces business to pay more attention to data, where and how it is stored – this can only help reduce risks

  • Q. In general, do you feel like your company is prepared? Has GDPR prep been a priority?

A. Scality is taking a lead in enabling solutions that can help companies manage data across multiple storage repositories and clouds. Multi-cloud data management will be a central part of the growing trend for companies to use cloud storage solutions, where “clouds” include corporate private clouds managed on-premises (and in many cases using object storage solutions such as the Scality RING as the foundation for the private cloud), plus external clouds such as AWS, Azure and Google. Scality’s Zenko is focused on providing a comprehensive multi-cloud data management solution that can help control where data is stored and can also perform searches that support GDPR requirements for data locality and sovereignty.

  • Q. Should companies go beyond GDPR for extra safeguarding of information? Or is it very inclusive/extensive?

A. While GDPR is a strong step, it is best to combine these regulations with comprehensive security best practices that companies already take — for example, multiple layers of network security, firewalls, virus detection and, of course, authentication and access control for storage systems.


About Paul Speciale

Paul Speciale leads Product Management for Scality, where he is responsible for defining RING functionality, solutions and roadmaps. Before Scality, he was fortunate to have been part of several exciting cloud computing and early-stage storage companies, including Appcara, where he was focused on cloud application automation solutions; Q-layer, one of the first cloud orchestration companies (the last company acquired by Sun Microsystems); and Savvis, where he led the launch of the Savvis VPDC cloud service. In the storage space, Paul was VP of Products for Amplidata focused on object storage, and Agami Systems, building scalable, high-performance NAS solutions. Paul has over 20 years of industry experience that spans both Fortune 500 companies such as IBM (twice) and Oracle, as well as venture-funded startups, and has been a speaker and panelist at many industry conferences.
