GDPR – Comply or Pay High Fees

Mark Gaydos, Chief Marketing Officer, Nlyte Software

General Data Protection Regulation (GDPR) is Europe’s new data protection law that standardizes data protection across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). The new mandate replaces the 1995 EU Data Protection Directive, supersedes the 1998 UK Data Protection Act and goes into effect on May 25, 2018. Organizations that are not compliant will be fined up to 4% of their global revenue. Simply put: GDPR extends the protection of personal data and data protection rights by giving control back to EU residents.

Time is running out for data centers to comply with GDPR rules for tracking the location of the data and transport from storage device, to server to the customer. No doubt, IT personnel know that the infrastructure’s physical security is as critical as the digital management of consumer data assets. But the IT physical infrastructure is not confined to the data center’s walls. For this reason GDPR compliance extends to colocation facilities, managed service providers, hosting services, SaaS vendors, and virtually any X-aaS vendor. To mitigate risks, organizations need visibility into their vendors’ IT framework to ensure the integrity of the consumer data they are responsible for.

What are the GDPR requirements? As reported by TechCrunch:

  • Anyone involved in processing EU consumer data, including third-party entities involved in processing data to provide a particular service, can be held liable for a breach.
  • When an individual no longer wants their data to be processed by a company, the data must be deleted, “provided that there are no legitimate grounds for retaining it.”
  • Companies must appoint a data protection officerif they process sensitive data on a large scale or collect information on many consumers (small and midsize enterprises are exempt, if data processing is not their core business).
  • Companies and organizations must notify the relevant national supervisory authority of serious data breachesas soon as possible.
  • Parental consent is required for children under a certain age to use social media(a specific age within a group ranging from ages 13 to 16 will be set by individual countries).
  • There will be a single supervisory authority for data protection complaintsaimed at streamlining compliance for businesses.
  • Individuals have a right to data portabilityto enable them to more easily transfer their personal data between services.

One way to expedite GDPR compliance is using a Data Center Infrastructure Management (DCIM) software solution. DCIM allows an organization to track the location of the data within the physical IT infrastructure, so they know if and when consumer data is transported cross-borders. This DCIM-enhanced, data transport visibility is critical for understanding:

  • Secondary locations of infrastructure for safe handling and transportation of data across borders.
  • The location of critical data as it moves across all network devices — regardless of location.
  • Expedited data breaches.
  • Exact geographic sites and locations of where the data is replicated.
  • All security tools that are deployed, enabled and residing on identified devices.

Since GDPR mandates meeting specific articles, organizations can fully rely on a DCIM software solution to meet the following articles:

  • Article 45 – Transfers on the Basis of an Adequacy Decision – Visibility into the entire lifecycle tracking – with accountability and compliance visibility and reporting.
  • Article 35 – Data Protection Impact Assessment – Workflow feature captures asset and application names while the system is operating or hosting data with the ability to assign a data protection officer’s review activity within any IMAC data center process. Using asset management and asset integrity monitoring in a DCIM allows for easy tracking of data at rest and the infrastructure used for that data. Furthermore, it provides a report of all workflows with a GDPR activity — whether they are active or closed.
  • Article 58 – Investigative Powers – The asset optimization and tracking support feature provides compulsory data protection audits when an organization needs to provide reports.
  • Article 17 – Right to be Forgotten (Right to Erasure) – The Asset Management feature allows controllers to flag/track the lifecycle of assets used for storage or data subjects processing – of all personal customer data. This tracking capability extends from the point of existence (in physical computer infrastructure) through decommissioning or destruction.  This type of visibility into a complete lifecycle record of the data’s physical location is critical to meeting the mandate.
  • Articles 59, 33, 33a – Activity Reports and Data Breach Notification to Authorities – Impact assessment report provides a list of flagged assets for GDPR tracking, providing assets’ location and status. This includes such critical information as mapped business application, data last audited, rack, name, IP address among others.

May 25, 2018 is almost here! Meet the GDPR compliance deadline and avoid hefty fines, put into place a GDPR compliance plan that includes a full-suite DCIM software solution.

Bio: Mark Gaydos is Chief Marketing Officer for Nlyte Software, the leading data center infrastructure management (DCIM) solution provider for seamlessly automating data center operations and infrastructure into an enterprise’s IT ecosystem.