The General Data Protection Regulation (GDPR) was adopted on April 14th in the European Union. The GDPR deals with the data privacy of EU citizens, but also applies globally:
It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. – Wikipedia
The goal of the GDPR is to protect all of the European Union citizens, which includes 28 countries in Europe, from privacy and data breaches. The measure is replaces the 1995 Data Protection Directive, but expands on its scope in a world that is increasingly more data-driven. Overall, the spirit of the GDPR is to give EU citizens control of their personal data. The law establishes new guidelines that come into effect May 25, 2018.
The biggest change from the 1995 Directive is that the policy now applies to all companies processing personal data residing in the Union, regardless of the company’s location. It will apply to all companies who process personal data, regardless of whether the processing takes place in the EU or not. There will also be severe consequences to those organizations that do not comply with the new privacy regulations. The rules apply to both controllers and processors, which includes operators in the “cloud.”
The impact to business in the United States is huge and will permanently change the way customer data is collected. The GDPR applies to all resident’s personal information, regardless of the geographical location of the business the customer is doing business with. If a company offers any services or goods to, or monitors the behavior of EU residents, it must meet the new requirements, or suffer large penalties.
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. – eugdpr.org
Ensuring information is secure while your data center is “In-Production” becomes the most top of mind security concern, but what happens when that data or the asset on which it resides reaches the end of life or the data center is no longer in production and performing an infrastructure refresh? This is often the most vulnerable stage for information security within the data center, particularly when the storage assets are stored or transferred from one place to another and not erased onsite. From our perspective, the best practice for data security is to have the shortest chain of custody for data center assets that hold data.
Aware of this heightened vulnerability; GDPR requires a documented chain of custody process for both storage assets and data. A clear and precise ILM-ALM chain of custody plan is what’s required. Start today by having a vendor experienced in the field to review your current lifecycle management and security plans today.