Our CEO, David Trossell speaks to IT Pro Portal about the impact of GDPR regulation on data storage.

April 19, 2018

GDPR: move that data securely

Data must be encrypted and backed up properly in multiple locations to ensure its security.

The European Union’s General Data Protection Regulations (GDPR) come into force on 25th May 2018. Issues such as data privacy pose concerns following the allegations that social media giant Facebook allowed British firm Cambridge Analytica to harvest the data from many of its 87 million subscribers. This raises questions about how social media companies, whose platforms are based on data-sharing and on using subscriber data to enable advertisers to target them, can comply with GDPR.

The New York Times writes on 11th April 2018, following Facebook founder Mark Zuckerberg’s congressional testimony: “Mr. Zuckerberg made a promise. He said that Facebook planned to give users worldwide the same privacy controls required by a tough new data protection law that will take effect in the European Union next month.” The case adds questions about how personal data should be protected, and how permission to use it or sell it to a third-party should be done with complete transparency – and GDPR could be the model that social media needs going forward.

Regulatory violation

Yet, European Union regulators and privacy advocates have said that “a number of Facebook’s current practices seemed to violate the new law, called the General Data Protection Regulation.” This is because GDRP requires privacy by design and default. The New York Times, therefore, comments: “European experts said that, in their view, this would require Facebook to turn off a number of advertising and privacy settings which are currently set to sharing and instead ask for user permission to turn them on.”

It is interesting that at present, Facebook is only going to implement GDPR for its European customers, whilst ignoring the USA and other countries, citizens will still be exposed to the current situation.

Nevertheless, the New York Times explains that representative Greg Walden, a Republican and chair of the Energy and Commerce Committee, kicked off day 2 of the hearing by declaring that “while Facebook has certainly grown, I worry it has not matured.” Zuckerberg later accorded that regulation was now inevitable, but he emphasises that it has to be the right kind of regulation because it could hurt start-ups, while solidifying the power of large global corporations such as Facebook. The idea of creating a digital consumer protection agency was also posed, and Zuckerberg agreed that such a proposal “deserves a lot of consideration”; but he underlined that “the details on this really matter.”

Big wake-up call

This disclosure is a big wake-up call for many people that have had their head buried in the sand regarding their personal data and how it’s used. With the rush to embrace social media, many of them have forgone their privacy, and now comes the realisation that they are being tracked, sold to and manipulated by a whole swathe of organisations. Added to that, many organisations have got very rich by selling their users’ details to other organisations.

This really does mean that if you’re not paying for it, then you truly are the product.  So, will GDPR change all this? Many people think so, but not as much as some presume. Yes, it will safeguard and protect your data, but you may have to agree to the terms of how they want to use your data to still use their service. Will this create a new order where application developers can no longer rely on the unfettered use of user data as the primary or secondary source of their revenue? Possibly; possibly not.

However, will we start to realise that social media is the new way to influence opinions and elections in the way in which the press used to be? Have they swapped places, where the press is now the moderating influence on social media? Are European Union citizens and other Europeans residing beyond the EU’s borders within Europe, expecting with the implementation of GDPR that things will change all this? We’ll have to wait to see, but there could be some red herrings on the way – issues relating to GDPR that nobody predicted.

So, it is highly likely that we will see a massive over-swing as everyone scrambles to ensure compliance, but like many of the other EU directives I think it will settle down once experience is gained. In the meantime, however, there are many articles out there claiming that the GDPR deadline is a red herring, that the right to receive an explanation about how an individual’s personal data is being used is a red herring, and that even consent is one, too.

DBS Data’s blog says: “All the 2018 date really means is that a company could be singled out if they fail to comply, even if they have not received any complaints. But let’s be realistic, are companies really going to be flagged for investigation if they have not been complained about?  The 2018 enforcement date is a misnomer and organisations dragging their heels need to pick up the pace and focus.”

Lawyer, Richard James, writes on LinkedIn: “Although most are becoming aware of GDPR, there is certainly some confusion around its implications – we’ve heard everything from, ‘we won’t be able to do any more marketing’ to ‘if someone gives me a business card, does that mean I can’t send them an e-mail?’”

He adds: “There are, of course, other questions around the security of your IT, how you would notify a data breach and whether you have a process in place to respond to a subject access request from someone whose data you hold; we are working with clients to address all of these areas, supporting their future planning and importantly helping them to demonstrate their compliance, a specific requirement of GDPR.”

Costly breaches

Following the scandal, newspapers state that Facebook may file a lawsuit against Cambridge Analytica. Rob Price writes in his 11th April 2018 article: “Zuckerberg also suggested Facebook could take legal action against Cambridge Analytica if it did not fully comply with its investigation. “If we are not able to do an audit to our satisfaction, we are going to take legal action to enable us to do that,” he said.” Yet, a data misuse case such as this could lead Facebook itself being fined.

GDPR Associates writes on its website: “Article 83 of the General Data Protection Regulation provides details of the administrative fines. There are two tiers of fines. The first is up to €10 million or 2% of annual global turnover of the previous year, whichever is higher. The second is up to €20 million or 4% of annual turnover of the previous year, whichever is higher. Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher level fine.”

Fines could also be levied following a cyber-attack that leads to the harvesting of data, such as the one ride-hailing company Uber suffered. “Dara Khosrowshahi, the chief executive, announced that in 2016 the company experienced a massive data breach, resulting in the theft of information about 57m users and drivers worldwide.”, writes Julia Apostle in the Financial Times on 27th November 2017.

Cyber-security

So, the threat of data theft adds complexity. Personal data must be protected from privacy beaches, cyber-security attacks and misuse. Beyond giving individual’s access and control over their data and data privacy, it’s crucial that organisations can protect data from cyber-attacks by being able to move data securely from one datacentre to another; and if disaster strikes they also need to be able to recover that data fast. Yet traditional methods of back-up and restore, such as with WAN optimisation, can’t transmit and receive data securely while that data is in transit. This all needs to be done while ensuring that compliance to GDPR is maintained, and that includes the fast retrieval of data after a subject access request (SAR) has been made by an individual or group of individuals.

There is no problem moving data between datacentres and/or clouds, so long as there are policies in place for employees of what can be shared. This depends on the company’s privacy policy. However, if the data is encrypted before transmitting it and before it hits the outside world, then it should be safe.  If there is a considerably large amount of data traversing external networks then again, depending on the requirements for speed, then WAN data accelerators may be required.

Data acceleration

So, in the normal world of commerce, businesses still have work to do within this new framework of GDPR. They must get to grips with it. Such is the concern with possible breaches and their penalties that some organisations are not only insisting that data is encrypted at rest, but also as it traverses the internal local area network (LAN). Whilst this doesn’t present a problem within the datacentre, it becomes an issue when we start to move data across the wide area network (WAN).

The performance of moving any data over long distances comes under the mercy of latency and packet loss. These two factors cripple the performance with some users experiencing less than 20% of the possible performance and low latencies. Traditionally, organisations have used WAN Optimisation to improve performance over long distances. However, WAN optimisers, including those employed in SD-WAN, because of the compression and dedupe techniques they employ, have no positive effect on the performance of moving encrypted data across the WAN.

Due to the large amount of data that is part of today’s solutions, this can hinder companies that have to comply with GDPR by creating a back-up and a disaster recovery (DR) solution using the cloud (in the form of BaaS and DRaaS). So, due to their poor performance across the WAN and the knock-on effects, this can lead to extended recovery point objectives (RPO) and recovery time objectives (RTO).

Many organisations that employ the cloud and transfer sensitive data or data between data centres are worried about having encryption keys outside of the main compute environment. They needn’t worry, though. There is a solution because the most effective and secure method of complying with GDPR when transferring sensitive data across the WAN is to encrypt it before it hits the interface between the WAN and the LAN. That way, the keys can be held in a secure location, rather than in network devices that use IPSEC, such as gateways or WAN Optimisation devices.

By employing WAN Data Acceleration techniques, which take a different approach to acceleration data across the WAN, such as AI controlled parallelisation technique, such as those employed in Bridgeworks PORTrockIT products, organisations can at last have their cake and eat it, so to speak. Since WAN Acceleration does not employ compression or dedupe techniques, it is totally agnostic to the type of data it transfers across the WAN and is one of the very few that can accelerate encrypted data without performance penalties. This allows those organisations that wish to exploit the flexibility and cost savings that the cloud can bring with BaaS and DRaaS, without compromising on the security of RPO and RTO requirements.

Tape challenges

As tape is still used, and not just transmitted via a WAN, how can data be retrieved fast? Nigel Lambert, a colleague of mine at Bridgeworks, says, “The short answer is that we can make a tape operate at near LAN speeds for backup and recovery over any distance, and with variable networks conditions to handle latency and packet loss variations.  This makes it possible to deliver deterministic and consistent back-up and recovery times.  To these comments, I add two thoughts:

1. Tape is as viable a media as a disk for cloud operations (with Bridgeworks designed into those cloud operations).
2. A single global tape facility can be a reality with Bridgeworks, negating the need for a silo approach to tape back-up.”

Jim McGann, Vice President of Marketing and Business Development at Index Engines, adds: “Tape has caught on with respect to speed, and tape is low cost media.  However, for those organisations that have privacy regulations, like the GDPR, tape can be a challenge.  If tape remains in the library the data can be managed.  However, the challenge we see occurs more when tape is transported offsite, than managing data when a right- to-be-forgotten request is initiated, is complex.”

Top tips: moving data securely

To conclude I’d like to offer a few tips on how to move data fast and securely, as well as in a way that would enable GDRP compliance. My first tip is that encryption is the key – literally! My second tip is that you should encrypt the data as soon as possible, and by doing so you should also avoid leaving any key as the datacentre. My fourth tip is: If using the cloud for back-up, disaster recovery or archiving, then think about the impact that latency and packet loss will have on performance.

My fifth one, is to ensure that you don’t get caught out with only having data in one place for safe keeping, sometimes losing data is as bad as disclosing it – keep a third copy as far away from the data centre as possible.  My last tip – the sixth one – is to learn from Facebook’s and Uber’s mistakes by protecting personal data and by being transparent about how you intend to use it.