How you secure and manage your data isn’t just about ransomware prevention. There’s another costly implication of data mismanagement: data compliance infractions and the resulting fines levied by data protection authorities. Amazon was recently issued a record-breaking $886 million fine. The alleged data compliance infraction highlights the ever-present complexity of data privacy compliance regulations. It’s a pricey reminder that compliance can’t be overlooked, especially if you’re adopting new, data-driven technologies.
Note: This is not intended to be legal advice. I strongly suggest meeting with your compliance officer for a full understanding of your regulations, policies, and plans.
Why has compliance become so complex?
Compliance is a broad discipline. Specifically speaking of data, privacy compliance governs how organizations store, access, and use customer data. The end goal is to protect individuals’ personal information and ensure their data isn’t exploited or mishandled. While this is all good, it’s often nuanced and tricky for organizations to interpret.
Privacy compliance is more complicated than ever in large part due to digital transformation and big data analytics. The pervasiveness of technology in daily life has created a complicated relationship with personal data. For example, the ability to log in to your primary care physician’s portal to check lab results or text a provider a photo for remote diagnosis are great use cases, but they pose technical compliance challenges for providers. When more personal data is in transit, it’s more at risk of falling into the wrong hands.
As technology evolves, so does how data is used and how it must be protected. It’s challenging to adhere to policies that are continuously in flux. Also, compliance is incredibly varied between the public and private sectors, and even by industry.
As digital transformation continues, compliance will play more of an integral role in everything.
This constant global transformation is why regulatory bodies are working so hard to keep up. But their ever-evolving policies mean organizations using that data need to keep up, too.
How are infractions and fines determined?
The Luxembourg National Commission for Data Protection (CNPD) issued the €746 million fine ($887 million) after ruling that Amazon wasn’t in compliance with the GDPR. The complaint originated from a group whose goal is to “ensure [consumer] data isn’t used by big tech companies to manipulate their behavior for political or commercial purposes.”
Whether it’s within bounds or a viable infraction remains to be seen. But what is clear is that compliance regulations and policies are still setting precedents, and slip-ups are costly. Penalties for noncompliance are calculated based on 4% of an organization’s global annual revenue or €20 million, whichever is the greater.
How data is used, stored, and deleted
One of the biggest implications of an already costly ransomware attack is the compliance fines that could come from a breach. Even without ransomware—as we saw with Amazon—compliance can cost you. Recently, a German company was hit with a €14.5 million GDPR fine for a noncompliant data retention schedule.
A data retention schedule is absolutely critical to this aspect of compliance. This policy will typically outline exactly what data you can store or archive, where, why, and for how long. When it’s time to delete a particular data set, requirements will then dictate how it’s deleted or moved.
Keeping too much data for too long is one of the biggest compliance missteps companies can make. GDPR calls this an individual’s “right to be forgotten,” and it essentially means a company can’t hang on to their data when it’s no longer needed for processing.
So, how does the way your data is stored help reinforce a better compliance strategy?
The Critical Role Storage Plays in Compliance
GDPR compliance has transformed how organizations approach enterprise data management, storage, governance, and security compliance. In addition to data retention schedules and usage policies, the storage solution underneath can play an important role in compliance.
Security and storage technologies with solutions that help protect against breaches and limit exposure to data loss, reputation damage, and financial penalties are a critical part of any compliance strategy. Here’s what to look for in modern data storage, and how Pure Storage® addresses each, no matter where data is stored:
- Monitoring: Pure1® is a great tool for managing both cloud-based and on-premises products, with AIOps and mechanisms that can help organizations with GDPR compliance. The Snapshot Catalog in Pure1 provides a global view of what snapshots you have, where they reside, and whether they’re in compliance or not.
- Always-On Encryption: The high level of built-in security and encryption capability available in FlashArray™ is key to helping achieve data protection regulatory compliance. Data at rest is secured with AES-256 bit encryption. FlashArray encryption is FIPS 140-2 certified, NIST compliant, NIAP/Common Criteria validated, and PCI-DSS compliant. Kroll OnTrack, one of the industry’s leading security firms, has validated the efficacy of our data encryption and data erasure.
- Automation: Automating as many security compliance tasks as possible, while building in industry-specific compliance, can alleviate the burden of compliance.
- Archiving and Redundancy: For messaging services like TeleMessage, archival storage of users’ messages requires levels of redundancy and strict encryption measures that meet compliance standards depending on each customer, from GDPR, HIPAA and PCI DSS data loss prevention to industry-specific regulations such as FINRA, CFTC, SEC, MiFID in the financial sector.
Coupled with comprehensive organizational security measures, Pure Storage can help you to meet GDPR and other data privacy compliance requirements and regulations around the world—without adding more complexity.
Download the FlashArray Data Security and Compliance White Paper for an in-depth look at how.