We need to talk about a very private subject: data privacy. Specifically, data privacy laws.
Data privacy laws are not particularly new: HIPAA (protecting our personal health information) turned 23 years old this year, the GLBA (protecting our financial data) turns 20, PCI DSS (covering credit card data) turns 15. FERPA, a law protecting student educational data (that “permanent record” the school always threatened would be forever marred by any misdeed) has been on the books since 1974!
But what is new is the sheer volume of information about us that exists in digital form now and the way businesses collect and use this personal data. It’s not merely companies selling our data to advertisers, something Facebook and Google are notoriously good at; the practice of analyzing and deriving insight from customer data is extremely common today.
The amount of private data collected about us—and its sensitivity—is enormous now, so the need to protect it has accordingly become more important. Let’s look at what you need to know about data privacy—and data privacy laws.
Data privacy generally refers to protecting personally identifiable information (PII) about an individual. This clearly includes their name, physical and email address, phone number, date of birth, or ID numbers, but may extend to other personal data such as an IP address, profile photo, social networking post, and more. Much more, depending on the specific data storage regulations.
There are strict data privacy requirements for how PII is to be collected, protected, accessed, and/or deleted.
“Data privacy regulations require that data be protected and managed differently than it has been in the past,” writes Storage Switzerland analyst George Crump. “Organizations need to prove they are protecting data, securing it, retaining it, and they need to, if a user requests it, remove all of a user’s data from their storage systems.”
Penalties can be severe. If you’re a retailer who breaches the PCI DSS, you’ll pay $5,000-$100,000 per month and likely lose your ability to process credit card transactions until you shape up. If you’re a medical facility that loses a laptop and a couple of thumb drives, thereby violating HIPAA, the fines could be in the multimillions.
You don’t have to be a large public company, or deal with highly sensitive data, to be subject to data privacy laws. If anything, the smaller your budget for data protection and security, the more you need to think about it. After all, enterprises can throw big money at making sure they’re in compliance. While the CCPA (California Consumer Privacy Act) only applies to large companies or those that earn significant profit from the sale of personal information, several other U.S. states have recently passed new data privacy legislation, and a federal law may not be far behind.
The one grabbing headlines worldwide is the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018. The GDPR is somewhat unique in that it applies to any organization, anywhere in the world, in any industry, that retains or manages any PII of any EU citizen. It’s also quite broad in its definition of PII, extending it to data that can either “directly or indirectly” identify the individual. Examples of indirectly identifiable information that is commonly collected include location data, mother’s maiden name, or web browser cookies. The GDPR also addresses “monitoring behavior” within the EU, which includes tracking individuals’ internet behavior.
Often the first required step is simple: notify people if their information has been compromised. On the other hand, perhaps the most technologically challenging is the “right to be forgotten” – if a customer asks you to delete their personal data, you must do so. It’s a key provision of most data privacy laws today.
To comply with the right to be forgotten, you must be able to find, retrieve, and remove the data associated with that individual. For the most part, this is not difficult on primary storage/servers. But the data must also be removed from all backups and archives, and that is indeed difficult, if not impossible, to do from image-based backups. (For far deeper analysis, again from Mr. Crump, read “Solving the Right to Be Forgotten Problem.”)
Aparavi has full-text content search built in to find specific information wherever the data resides. We’ve also built a classification feature so you can manage specific kinds of data: tag files with PII, tag confidential files, tag files as “potential GDPR,” whatever makes sense to you. We’ve already set up the most useful categories/tags to make it easy to get started.
We believe complying with applicable data privacy laws is easier with Aparavi software. We continually develop features to manage and retain data better: storing files and increments as individual objects, classifying data based on content and metadata, easy searching and identification, policies to specify data that needs to be stored in a certain geographic location based on data type or regulatory consideration.