How you secure and manage your data isn’t just about ransomware prevention. There’s another costly implication of data mismanagement: data compliance infractions and the resulting fines levied by data protection authorities.
Amazon was recently issued a record-breaking $886 million fine. The alleged data compliance infraction highlights the ever-present complexity of compliance regulations. It’s a pricey reminder that compliance can’t be overlooked, especially if you’re adopting new, data-driven technologies.
Note: This is not intended to be legal advice. I strongly suggest meeting with your compliance officer for a full understanding of your regulations, policies, and plans.
Why has data compliance become so complex?
Compliance is a broad discipline. Specifically speaking of data, privacy compliance governs how organizations store, access, and use customer data. The end goal is to protect individuals’ personal information and ensure their data isn’t exploited or mishandled. While this is all good, it’s often nuanced and tricky for organizations to interpret.
Privacy compliance is more complicated than ever in large part due to digital transformation and big data analytics. The pervasiveness of technology in daily life has created a complicated relationship with personal data. For example, the ability to log in to your primary care physician’s portal to check lab results or text a provider a photo for remote diagnosis are great use cases, but they pose technical compliance challenges for providers. When more personal data is in transit, it’s more at risk of falling into the wrong hands.
As technology evolves, so does how data is used and how it must be protected. It’s challenging to adhere to policies that are continuously in flux. Also, compliance is incredibly varied between the public and private sectors, and even by industry.
As digital transformation continues, compliance will play more of an integral role in everything.
This constant global transformation is why regulatory bodies are working so hard to keep up. But their ever-evolving policies mean organizations using that data need to keep up, too.
How are data compliance infractions and fines determined?
The Luxembourg National Commission for Data Protection (CNPD) issued the €746 million fine ($887 million) after ruling that Amazon wasn’t in compliance with the GDPR. The complaint originated from a group whose goal is to “ensure [consumer] data isn’t used by big tech companies to manipulate their behavior for political or commercial purposes.”
Whether it’s within bounds or a viable infraction remains to be seen. But what is clear is that compliance regulations and policies are still setting precedents, and slip-ups are costly. Penalties for noncompliance are calculated based on 4% of an organization’s global annual revenue or €20 million, whichever is the greater.
Compliance doesn’t just regulate how data is used—it regulates how it’s stored and deleted
One of the biggest implications of an already costly ransomware attack is the compliance fines that could come from a breach. Even without ransomware—as we saw with Amazon—compliance can cost you. Recently, a German company was hit with a €14.5 million GDPR fine for a noncompliant data retention schedule.
A data retention schedule is absolutely critical to this aspect of compliance. This policy will typically outline exactly what data you can store or archive, where, why, and for how long. When it’s time to delete a particular data set, requirements will then dictate how it’s deleted or moved.
Keeping too much data for too long is one of the biggest compliance missteps companies can make. GDPR calls this an individual’s “right to be forgotten,” and it essentially means a company can’t hang on to their data when it’s no longer needed for processing. A new report from 451 Research reveals that 31% of respondents aren’t always following their data deletion and retention policies—or haven’t implemented retention policies at all. It’s a slight improvement over last year’s study but still a clear sign that too many organizations need to tighten up their data management policies and procedures.
So, how does the way your data is stored help reinforce a better compliance strategy?
The Critical Role Data Storage Plays in Compliance Strategies
GDPR compliance has transformed how organizations approach enterprise data management, storage, governance, and security compliance. In addition to data retention schedules and usage policies, the storage solution underneath can play an important role in compliance.
Security and storage technologies with solutions that help protect against breaches and limit exposure to data loss, reputation damage, and financial penalties are a critical part of any compliance strategy. Here’s what to look for in modern data storage, and how Pure Storage® addresses each, no matter where data is stored:
- Monitoring: Pure1® is a great tool for managing both cloud-based and on-premises products, with AIOps and mechanisms that can help organizations with GDPR compliance. The Snapshot Catalog in Pure1 makes it easier for customers to manage their snapshots and get visibility into how their data is protected. It provides a global view of what snapshots you have, where they reside, and whether they’re in compliance or not. And, Pure Cloud Block Store™ protects cloud data with compliance monitoring and longer-term backup for volume-level restores.
- Always-On Encryption: The high level of built-in security and encryption capability available in FlashArray™ is key to helping achieve data protection regulatory compliance. It can never be disabled, which means it’s always on and always working. Data at rest is secured with AES-256 bit encryption. FlashArray encryption is FIPS 140-2 certified, NIST compliant, NIAP/Common Criteria validated, and PCI-DSS compliant. Kroll OnTrack, one of the industry’s leading security firms, has validated the efficacy of our data encryption and data erasure.
- Automation: Automating as many security compliance tasks as possible, while building in industry-specific compliance, can alleviate the burden of compliance. FlashArray encryption is protected by a sophisticated internal process that removes key management from users. It includes automatic key rotation, periodic key regeneration, and unreadable partitioned keys that are spread over FlashArray flash modules.
- Archiving and Redundancy: For messaging services like TeleMessage, archival storage of users’ messages requires levels of redundancy and strict encryption measures that meet compliance standards depending on each customer, from GDPR, HIPAA and PCI DSS data loss prevention to industry-specific regulations such as FINRA, CFTC, SEC, MiFID in the financial sector.
Coupled with comprehensive organizational security measures, Pure Storage can help you to meet GDPR and other data security compliance requirements and data compliance regulations around the world—without adding more complexity.