The Big Picture: D-Day for GDPR has come and gone and now the fun begins. What does GDPR mean now for the data protection and data storage infrastructure and architecture? Check out this brief video w. Christophe Bertrand, Sr. Analyst at Enterprise Strategy Group to find out.
Transcript:
- Hi. Dave Littman with Truth in IT. I am joined today by Christophe Bertrand. Christophe is Senior Analyst with Enterprise Strategy Group. Christophe, welcome.
- Hello, Dave. Happy to be here.
- All right. Great to have you in a bit of a different capacity than the last time we spoke. So welcome to the show. And today we're talking about getting to the bigger truth on GDPR.
- Yes, we are. Absolutely. So, come one, tell me what questions do you have for me?
- I have a couple. Right. So I have a couple about GDPR in general, and then as it relates to data protection. So May 25th has come and gone. That was D-Day. What does it mean, now, that that date has passed?
- Well, the fun is only starting First of all, GDPR, is the general data protection rule, is, by definition something that applies globally unless you only have business in the US or in a specific country that's not in the European Union. So what you've seen recently is a lot of emails in your inbox from social media platforms or e-commerce platforms, saying, hey, we're updating our privacy rules and we're asking you to agree to this again, etc., etc. And that's been triggered by GDPR, because a lot of these platforms are global, do business in Europe. And, as a matter of fact, a lot of people think it's not bad at all what is happening with GDPR. These are great privacy rules and maybe something we could use everywhere.
- Okay. Okay. Great. So we know the penalties are stiff, right, for folks who do not comply. When it comes to data protection, though, and storage, there are some unique caveats and things that I think would be important for our audience to know about. One of the questions I had was, we know that one of the tenets of GDPR is that if someone requests the deletion of their data, you must give them the facility to do that. But what does that mean in terms of backup? Because there may be copies of that person's PII, whether it's in backup or archive.
- Very good question. So, yeah, the right to be forgotten is what you're mentioning. And by the way, you have the right to also amend data about you, and a number of other rights. And it starts with the right, just to know what people know about you. So there's a whole sort of spectrum here. So, yeah, it's a good question. What about all that data that may not be in production databases anymore and is in backups? And by the way, the regulation, also, is asking to back up and protect the data, at the same time as it is asking, in certain circumstances, to forget the data. So you have a bit of a contradiction. I think the answer is, first of all, a lot of organizations don't really have that data classified in a way that allows them to be compliant. That's the first big rock, in my opinion. The ability to really know what constitutes this PII, or personally identifiable information, personal data about you. And there are some variations here around the theme. Where does it live? And, then, what are we doing with it in terms of managing it, so that you can be compliant? So, in essence, I think the challenge will be, hey, look, if it's in backups, it's probably going to very impractical to go back and forget someone when a backup is supposed to be a point in time. It's supposed to be history. It's supposed to be something that may actually be in compliance with other regulations that ask you to keep data for a long time. What I think matters is that if you have been qualified to be forgotten, and, again, there are a number of circumstances for that to happen depending on the circumstances, you will, then, want to make sure as the data controller or the data processor, that you never recover that information. But if you do, you make it so that it is not usable. Maybe it's been masked. Maybe it's deleted again. So that's gonna create a number of additional processes and tools that will be needed in order to guarantee that the data cannot be used if it's supposed to have been forgotten. And that's kind of the net net. We'll see where it lands. It's early on. You mentioned penalties. I wanna believe that this regulation is really about not trying to penalize organizations, but really trying to help them get to a higher level of data privacy with their customers or users. So, in that context, I'm hoping it will be more of a collaboration and a best practice type of approach, rather than a big stick. But for things to happen, you need the stick and you need the carrots. So I think we have both in GDPR. And it's a good thing. GDPR will help make good changes happen.
- Well, and there's, I'm guessing, a lot of complexities to GDPR, as it relates to data protection, and data storage, and IT's role in that. And we'd love to have you back and help us get closer to the bigger truth on GDPR. All right, we've been speaking to Christophe Bertrand with Enterprise Strategy Group. Christophe, come back again. Talk to us more about GDPR. And love to have you back.
- Will do. Thank you, Dave. See you next time.
- All right. Thank you. Thanks for watching. Okay.
- That was good.
- That was.