Data Storage & Compliance Under GDPR
- Anjali Ruparelia
- Nov 24, 2017
- 3 min read
Now let’s look at GDPR and how this impacts the way we store personal data.
GDPR introduces principles for the storage of personal data that need to be at the heart of our storage solutions, namely "Data Protection by Design" and "Data Protection by Default" (Article 25).
What does this mean for our data storage solutions?
In essence it means that any personal data we hold is kept to a minimum. We will all need to clearly articulate what data is being held, how it will be processed and for what purpose. Ask yourself: do I really need to collect, store and process this data in the first place?
The less you hold the lower the risk of a data breach!
As a consultant, I have used a data processing register to help collate this information for my clients, enabling them to easily review and determine whether existing processes are compliant with GDPR (i.e. minimise the data that is collected).
You can find my free sample template here <<Data Processing Register>>
Once we have determined that we are only collecting data that we actually need, we then need to review how we store, archive and back up that data to ensure we handle it securely and in line with GDPR.
Cloud Based Storage
Many organisations have now migrated to cloud-based solutions for data storage, and why not? It's cheaper, storage capacity is easier to increase or decrease, it is a useful tool for disaster recovery plans, and it offers easier access to data and automated backups, to name a few benefits. However, under GDPR using a cloud vendor does not let you off the hook: you are still the controller and you still have a job to do.
What more do you have to do?
You should know where the cloud applications are storing your company's personal data. Do you know in which region or country your data is being hosted?
You should know whether the applications storing personal data have adequate security controls in place to protect that data from unauthorised access. Personal data, and especially special-category (sensitive) personal data, needs to stay secure.
You should have a data processing agreement in place with your provider and ensure that the cloud applications do not use personal data for any purpose outside of that agreement.
We have additional responsibilities under GDPR, such as the "right to erasure", and with these comes a review of your existing agreements with cloud providers. Namely:
Data that is stored in the cloud must be in a format that facilitates portability (export in a commonly used, machine-readable form) and erasure (data deletion, including from backups within a documented retention period).
Encryption of data is also a must, both at rest and in transit.
Access to personal data needs to be tracked and audit logs need to be retained and available for review, so that unauthorised access can be detected and a breach can be investigated.
Is your cloud service provider ready for GDPR? Have they demonstrated compliance to you? Under GDPR a processor carries its own liability in the event of a data breach, so their readiness is your problem too.
What about external hard drives, SSDs, NAS, flash drives, CD/DVDs and other traditional storage solutions?
Many of us still use local storage solutions, and these are all subject to GDPR too. The principles around data storage remain the same. So what can you do?
Self-evaluate - review what personal data you hold and process for customers and employees.
Document - record it in a data processing register (see the template above).
Analyse - do you need all of that data?
Purge - get rid of personal data that is no longer required, using secure deletion or media destruction for the devices listed above.
Perform privacy risk assessments.
Review third-party contracts.
Implement controls and processes for breach notification (the supervisory authority must be notified within 72 hours of becoming aware of a breach).
Bringing it all together
Any organisation that processes data relating to individuals in the EU will need to comply, and that is likely to include your third-party solution providers. Make sure you perform your due diligence activities (the "tell me, show me" approach works well: ask for their policies, then ask for evidence that they are applied).
Cloud providers will not be exempt from GDPR enforcement, as both controllers and processors can be held liable in the event of a data breach.
If you like the template and blog - please share on LinkedIn!