As a long-standing IT practitioner, the main thing I’ve learned over my time is – don’t trust computers.
I’m not the only person with this earth-shattering insight, to be fair. Veritas, Cheyenne, Seagate and many other companies have made a very valuable SKU from their backup software.
The IT professionals out there have made a virtue from backing up anything and everything to tape, disk or Cloud (or diskette, if you go back far enough). I can’t fault them/us for that. Computers screw up. The ferrous oxide on which we all relied for storage occasionally throws a wobbly and loses information; people sometimes find a file called “Do NOT Delete on Pain of DEATH.TXT” and… delete it.
Business has adopted the back-up as a means to protect the business. I have no argument with that, whatsoever. I’m not trying to pick a fight with storage vendors.
The problem is, with GDPR, that the “back up everything” mentality is no longer fit for purpose when it comes to private data.
Article 5 of the General Data Protection Regulation is specific about “Principles relating to processing of personal data” (being specific within the context of the regulation seems to be a rare commodity).
Article 5 (1)(e) states that personal data shall be:
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
Article 89 (1) states:
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
If you care to read the Regulation further, Article 89 then refers to the local derogations which can be made under Articles 15, 16, 18, 19, 20 and 21 (inclusively).
So… Unless you have a particular interest in the wording and application of the Regulation in the broadest sense, or your name is Rumpole and you work at the Old Bailey… So what?
The regulation is saying that organisations can’t keep data beyond its intended use. Under Article 5 (1)(e), if you have told a data subject that you will keep their data for one month – and you have the legal grounds to do so – you keep it for one month, end of.
End of..? Not quite. Article 89 states that if there is a public interest, statistical, scientific or research purpose behind keeping the information then you can keep the data, but it has to be on the principle of data minimisation and you need to seriously think about pseudonymising the data. A pseudonym would render my name (Mark Evans) as Citizen X, for example. All of my attributes could be used for research, as long as a concatenation of those attributes doesn’t single me out and destroy the pseudonymisation.
Pseudonymisation: Citizen X
- 45-54 years of age
- Based in the West Midlands
- Works in Data Protection and Cyber Security
- 6ft tall
- Bald, shaved head
- Speaks with a Black Country accent
- Speaks at conferences
- MBA qualified
- Writes articles on GDPR on LinkedIn
As you can see, it doesn’t take long before pseudonymisation breaks down and I become more easily identified.
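The breakdown above can be measured. The following is an added example, not part of the original article: it counts how many pseudonymised records still match "Citizen X" as each attribute is disclosed, and reports the k-anonymity of the data set (the size of the smallest group sharing one attribute combination). The records and field names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: pseudonymised records (no names), five quasi-identifiers each.
FIELDS = ("age_band", "region", "sector", "height", "hair")
RECORDS = [dict(zip(FIELDS, row)) for row in [
    ("45-54", "West Midlands", "Security", "6ft", "bald"),     # "Citizen X"
    ("45-54", "West Midlands", "Security", "5ft8", "brown"),
    ("45-54", "West Midlands", "Retail", "6ft", "bald"),
    ("45-54", "West Midlands", "Retail", "5ft8", "grey"),
    ("45-54", "London", "Security", "6ft", "brown"),
    ("45-54", "London", "Finance", "5ft10", "bald"),
    ("35-44", "West Midlands", "Security", "6ft", "bald"),
    ("35-44", "London", "Retail", "5ft8", "brown"),
]]


def narrowing(records, target, fields):
    """Size of the matching set as each further attribute of `target` is disclosed."""
    steps, used = [], []
    for field in fields:
        used.append(field)
        matches = sum(all(r[f] == target[f] for f in used) for r in records)
        steps.append((field, matches))
    return steps


def k_anonymity(records, fields):
    """Smallest group sharing one combination of `fields`; 1 means someone is singled out."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return min(groups.values())


def safe_release_fields(records, fields, k_min):
    """Longest prefix of `fields` that still keeps every group at k_min or more."""
    for n in range(len(fields), 0, -1):
        if k_anonymity(records, fields[:n]) >= k_min:
            return fields[:n]
    return ()


if __name__ == "__main__":
    for field, size in narrowing(RECORDS, RECORDS[0], FIELDS):
        print(f"+ {field:<9} -> {size} matching record(s)")
    print("k for all fields:", k_anonymity(RECORDS, FIELDS))
    print("releasable at k>=2:", safe_release_fields(RECORDS, FIELDS, 2))
```

In this constructed set, four attributes are enough to reduce the matching group to a single record, and only the age band can be released if every group must contain at least two people.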
So? Come on – benefits of GDPR?!
Think of the money invested in storage by most organisations. Think of the “Whoah – just in case!” data stored across any business and there is a cost. In these days of Cloud backup where the cost per Gb is minuscule, guess what? There’s still a cost.
Article 4 (12) defines a ‘personal data breach’ as:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Okay, so a ‘breach of security’ leading to loss, deletion, disclosure, or alteration is the key here. I’m sincerely hoping that you’re all already on the next page, here.
What type of data can’t be accidentally or unlawfully destroyed? Can’t be lost, altered, disclosed, transmitted, stored or otherwise processed?
Data which no longer exists. Data which has served its purpose and been disposed of. Data which has been lawfully destroyed.
As far as private data is concerned, the GDPR is mandating that companies achieve a lean, process-driven approach to the use and removal of the data.
Long-term storage in Amazon, Azure or whatever will be fractions of a penny per Gb for some organisations.
There is an old saying, “That which is given freely is rarely valued.”
Business has long treated private data as freely given – who doesn’t want a special offer saving four pence on pasta sauce from a supermarket? – and, by letting respect for the data erode to nothing beyond the money it generates, has allowed a situation where large organisations are sitting on a mountain of data which is now an attack vector for GDPR…
- Get rid of the data which informs you of nothing
- Save on storage
- Make data searches faster (less data, faster searching)
- Make data searches on current information! Who needs to know that Citizen X bought a brand new Morris Ital in 1982? (I didn’t, but that’s data that might trip someone up, somewhere.)
- Make backup and restore operations more focussed
- Be able to prove to the ICO, to senior managers and shareholders that not only are you protecting the business legally, you are looking to put a cap on the spiralling cost of storage, backup and the operational overhead of backing up and restoring data
- Become a leaner operation
- Know where the data is, what it is for and when it is no longer relevant
- Remove “noise” from business decisions
- Become an expert in your own data
There may be an argument for keeping historic data for trend analyses. Fine… Get m’learned friends in to formulate the requirement within the parameters of the regulation. Get your technical people in to formulate the appropriate security. Get HR in to own the processes for dealing with any “off piste” activity from employees around the data and its usage. Get data scientists to put the data into a context where “Citizen X” doesn’t map directly to “Mark Evans”. I foresee an opportunity for universities to gather information (with appropriate permissions from data subjects where required and contractual bases for using the university as a data processor, obviously) in order to process data on behalf of organisations… Another potential cost saving.
So… What’s the benefit GDPR brings?
A mandate for lower storage cost, operation, processing, risk. More time-bound, current information. Less opportunity for data to succumb to anything in Article 4 (12).
The days of “You never know – it may come in handy?” for personal data are coming to an end.
I think people who sell storage may not be so happy, but if people are buying less storage volume, this might prompt the move to faster SSD uptake in the storage market, a potential money-spinner?
I, for one, will be professionally overjoyed to see organisations deleting data they no longer need. It will show a maturity of custodianship which is long overdue.