10 success factors in building GDPR-compliant data storage

But first, let’s start with dispelling two myths regarding the GDPR:

Myth #1: GDPR compliance is the homework of the legal or IT department only. The fact is, protecting personal data is not solely the responsibility of the legal or the IT department. Personal data can originate from or be processed by many other departments or areas in an organization. So, all areas involved in the “data processing chain” must follow the GDPR principles in their respective business processes.

Myth #2: Only companies in the European Union shall comply with the GDPR. The fact is, as soon as your organization conducts business in Europe or processes personal data of EU citizens, even if your company is not located there, you must obey the GDPR.

If you don’t follow the GDPR rules, administrative fines up to 4% of your company’s total worldwide annual turnover or 20 million EUR, whichever is higher, can be imposed. So, you should not take this easy as the penalty can threaten your business continuity. Before you address the concrete requirements of the GDPR, it is important to understand that the main objectives of this regulation are:

(1) to give EU citizens protection with regards to the processing of their personal data, and

(2) to create transparency about the movement of personal data in the EU region.

Thanks to the GDPR, now every EU citizen has the right to access information about the storage of his or her personal data. For organizations, this means first and foremost that they have to find out if they process – e.g. collect, record, store, transmit – personal data. It sounds simple, but it might turn out to be a tough task especially when you have many data sources and a large part of your data is unstructured. After you have found out that your organization indeed processes personal data, the next thing you shall do is to answer more complex questions, such as:

• Where exactly are the data stored?
• How are the data classified?
• Why are the data stored at all?
• How is the movement of the data within the company?
• How long do the data have to be stored?
• Who has what kind of access to the data?

This simplified list of questions shows that the GDPR is also aimed at optimizing business or organizational processes that handle personal data so that a unified and high standard for data protection can be established in the European Union.

Besides laying down rules relating to data storage, the GDPR also regulates data portability, so that personal data can be directly and securely transferred from one institution to another when it is required. Moreover, the GDPR also introduces "Right to be Forgotten" and 72-hour reporting deadline in case of a data breach. These new requirements present many organizations with complex challenges.

The big question is, how should we master all these new challenges?

From a technological point of view, we argue that there are 10 factors which can contribute to a company’s success in building a solid foundation for GDPR-compliant data storage.

• Long-Term Data Storage Strategy: This strategy is not easy to develop. But if you deploy an intelligent software-defined archiving solution, no matter which storage hardware you currently or will deploy, you can always protect your personal data in the storage level and migrate it when needed. This is because archiving solutions that are software based can easily integrate into nearly any IT infrastructure – unlike the proprietary solutions that lock you into certain vendors! So, it will give you enormous flexibility, even scalability as well, in storing your personal data for the long term.
• Certified Data Storage Solution: It is extremely important to use certified solutions only to store and protect your valuable personal data. So, check if your existing or future solutions have been assessed by an auditor for its compliance with the GDPR – especially with the “Privacy by Design” and “Privacy by Default” principles.
• Protected Data Integrity: You would not want to hear that the personal data in your archives are invalid, corrupt, or altered. So, make sure that your archive solution can protect your archives from silent data corruption, data manipulation, or deletion. Learn more about data integrity protection!
• Encrypted Data: Another important factor is implementing data encryption to mitigate avoidable risks, as suggested by the GDPR. AES 256 is currently the most secure encryption in the industry that meets the highest data protection standards. Does your archive solution offer AES 256?
• Multi-Client Capability: Personal data can originate from different “clients”, such as various data applications (e.g. PACS, Email, DMS) or business divisions within an organization. It is necessary to create a secure separation of archived data in different archive areas or repositories within one central archive. This “multi-client capability” of an archive solution would also enable you to build extremely large archives up to the petabyte range.
• Access Control: You have to ensure that all accesses to your archived personal data are strictly controlled and logged in the audit logs of your data archive solution. In addition, administrators shall have no access to any content. Separate access for users and administrators, so that access to personal data can be tracked easily and precisely.
• Retention Management: Retention periods vary depending on data types, industry, and regulations. So, find out which data are subject to retention and how long the data must be retained. It is imperative to assign a correct retention date to each data that is subject to retention. Modern archiving solutions can set a precise retention date to each data archived in it to protect the data from deletion. If a WORM (Write Once Read Many) technology is integrated into the solution, it can also ensure that your stored data cannot be deleted before the defined retention period expires.
• Deletion Process: As EU citizens now have the “right to be forgotten”, you must re-design your data storage processes so that it also allows deletion of archived personal data, when it is required. This can be a complex process because personal data are subject to retention. But a GDPR-compliant archiving solution can help you perform a “special deletion process” so that you can delete the archived personal data even before its defined retention period expires.
• Self-Healing Function: Data loss would be a disaster. Data migration, outdated storage hardware, or silent data corruption can be harmful to your archives. So, it is paramount to implement the right technological measures and tools to avoid this. An intelligent archiving solution shall have a “Self-Healing” function which can help you ensure the availability and integrity of your archived data. The Self-Healing feature can synchronously replicate data and store them on two storage systems, as well as constantly verify the integrity of the stored data on both systems. When the feature detects invalid or corrupt archived data, it automatically replaces this data with a valid copy from another storage system.
• Cost Efficiency: Optimizing your data storage processes so that it is in accordance with the GDPR also means creating additional (high) expenses. But there are ways to keep your data storage costs under control. One smart way is by taking a more efficient, flexible, and sustainable approach to data archiving, which is the “Software-Defined Archiving”. This approach enables you to keep and protect your data for very long terms at low costs, even to reduce your storage TCO up to 50%! This is possible because an SDA solution can directly run on your existing IT infrastructure and only the net volume of your archive will be licensed.

Here we have summarized the 10 success factors for a DSGVO-compliant data storage in an infographic.