GDPR 2 Years Later: Insight From Druva and Infoworks

The two year anniversary of GDPR has just passed. Before May 25th, 2018, businesses were scrambling to become compliant with the new regulations in order to avoid the steep fines they could potentially incur if they weren’t careful. Experts from Druva and Infoworks provided Solutions Review with their commentary on where we stand, as well as how to continue complying with GDPR during a pandemic. To provide more context, let’s look at what some of the regulations of GDPR are, before getting into the commentary from Druva and Infoworks.

Backup and Recovery are Critical Under GDPR

In article 32, the GDPR act mandates a) the ability to restore the availability and access to personal data in a timely manner and b) a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures. That being said, it’s evident that organizations needed to have the necessary backup and disaster recovery strategies in place and test those backup solutions regularly and thoroughly.

Third-Party GDPR Compliance Regulations

Many organizations choose to outsource their backup solutions. While this is possible, it’s only a small step in achieving full GDPR compliance. Because this outsourced solution provider will be managing your data, they fall under the term, “data processor”, which in turn means they will be responsible to comply with GDPR as well.

Testing and Regular Backups

It’s absolutely critical that your backup provider tests the effectiveness of their solution on a regular basis. Before signing an agreement with a backup solution, you should consider making sure that the provider holds some Cyber Essentials Security accreditation. If backups are not already automated, it may be a good idea to increase the frequency to keep in line with your live data. Because GDPR requires that organizations have access to the most current data, frequent and regular backups are incredibly important.

Compliance Requires Awareness of the Entire Organization

If your company plans on being 100% compliant with GDPR, it can’t just be a concern for your IT and legal departments. Educating your staff should come as one of your first steps in achieving full GDPR compliance. The Information Commissioner recommends that organizations consider building a data compliance team to ensure that your organization remains compliant.

With all of that taken into account, it’s clear that a thorough backup and disaster recovery (BUDR) solution is crucial in the age of GDPR. It’s important to learn how BUDR providers have responded to this regulation, as it speaks to the amount of assistance they can provide. Below, experts from cloud data protection provider, Druva, and digital transformation company, Infoworks,  shared their thoughts on the current state of GDPR and how to best maintain compliance during these unprecedented times.

Buno Pati, CEO at Infoworks

Monday marks the second anniversary of GDPR, and it also marks the tip of the iceberg with regards to the protection and consumer control of consumer data. As a global society, we need to trust our privacy is safeguarded. Throughout 2020 and into 2021, consumer control of personal data can be expected to increase dramatically as governments and regulators drive new privacy legislation. Within a decade, these regulatory actions will likely lead to complete consumer control of personal data and opportunities for consumers to directly monetize their data or directly exchange data for goods and services. 

Stephen Manley, Chief Technologist at Druva 

The Situation

Industry experts have divergent views about data privacy during this pandemic. Some experts want to relax enforcement of data privacy regulations like GDPR and CCPA to support the economy. Organizations were not prepared for a remote workforce, and they cannot meet privacy regulations overnight. Then as companies implement contract tracing and health monitoring, they will not be prepared to manage that personal data on Day 1. Other experts argue that the chaotic environment proves we need an increased commitment to privacy. Remote workers are more susceptible to cyber-attacks, so mismanaged private data is even more vulnerable to bad actors. The threat will only grow as organizations collect more personal data. While the pandemic will pass, the compromise to personal privacy may never be undone.

The Challenge

With more of us working remotely than ever before, everything is decentralized. Instead of being secured in a data center, sensitive data is now being transmitted by messaging applications and stored on laptops. The distributed environment is more likely to violate privacy regulations than the well-structured data center, and storing data in remote locations makes it difficult and expensive to process comprehensively. The pending deluge of personal and health data just exacerbates the existing challenges. The traditional approaches to data protection, security, and privacy cannot scale to meet our new needs.

The Solution

The goal should be to meet privacy regulations, so now is the time to implement an automated data management solution. First, create a standard data management process that centralizes management while using distributed data storage because remote workers, personal IoT devices, and data residency laws make it impossible to store data in one data center. Second, leverage the cloud to connect to the various data sources in their local regions. Third, extract and enrich the metadata, so you can manage access control, search, and retrieval while storing the data as inexpensively as possible. Finally, automate the most common operations that your organization requires. You will be able to build more trust with your customers and employees because you will respond quickly and accurately to any privacy request.

Nigel Tozer, Solutions Director EMEA, Commvault 

GDPR has certainly exposed the issue of trust. Who can we trust with our data? Does every modern business want to turn us into a data product? The way cookie walls are configured and the language used in privacy policies expose the intent of the organization behind them. Being compliant with GDPR (or CCPA) doesn’t automatically make your business trustworthy, of course, but it gives us many clues to ones that are – and trust will be a critical success factor for many businesses coming out of the current situation.

Just because GDPR has been in effect for two years, doesn’t mean your organization should let up on maintaining compliance. Your business needs to be aware of the rules and regulations, and how strictly they are enforced, in order to be compliant, as GDPR fines are still in effect for organizations that don’t comply. Consider the above commentary and think about reevaluating your data protection policy in order to stay updated and remain compliant.