With GDPR just around the corner, data security has been enjoying some much-needed time in the limelight. Never before has there been such a hyper-focus on the protection of sensitive data, particularly confidential and personally identifiable information (PII) such as healthcare records, personal data, financial information, and legal records. While data privacy conversations have more traditionally revolved around identify theft issues, the new GDPR regulation prioritizes the fiduciary responsibility of all sensitive and personal information.
Savvy organizations began planning and implementing their GDPR compliance programs months ago. Because of the numerous ways in which GDPR mandates data privacy across all storage media and within all facets of an organization, a comprehensive compliance program requires a well-researched, detailed approach with multi-departmental buy-in and execution.
For example, a healthcare provider possessing sensitive patient data in the form of medical records is obvious. What would not be so obvious would be the numerous other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, while the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.
Safeguarding sensitive data throughout an organization is critical, and many organizations are well aware of the need for firewalls, passwords, physical security measures, encryption, and employee training. What may be more of a need and challenge for some organizations is GDPR’s Article 17 Right to Erasure, also known as the “right to be forgotten.” While it is not an absolute, the basic premise of Article 17 is that an individual’s request to have his data removed must be honored within 30 days. In some instances, the request is not realistic. For example, banks must retain records for a minimum of seven years, so deleting the data would be in direct conflict to an existing legal mandate. However, Article 17 states that individuals have the right to have their personal data erased without undue delay if the data is no longer necessary for the purpose for which it was originally processed or collected, and this applies in a large number of cases with consumer transactions.
Consumer transactions typically include the storage of personal information such as address, phone, and payment information. While large organizations may have their own servers and storage solutions and are therefore more easily able to purge a consumer’s data from their system, the thousands of smaller organizations typically rely on outside vendors and cloud storage providers to manage their data. Data stored in the cloud is actually housed in data centers, where data is duplicated across multiple drives in an effort to create redundancies that help to mitigate data loss when drives fail — and drives DO fail on a very regular basis. After all, these drives are running 24 hours a day, seven days a week, year-round, so their life expectancy is understandably rather short. When a drive fails, the data it contains is still for the most part intact. Therefore, a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. But end-of-life is only part of the problem. Smaller organizations and others who outsource their data storage must confirm with their providers that their data removal policy is GDPR compliant and must include policies and procedures for the Right to Erasure in their GDPR programs.
GDPR is a broad and encompassing regulation that is actually long overdue. While implementing a GDPR program is proving to be more challenging than organizations may have originally thought, particularly with regard to Article 17 and the Right to Erasure, the safeguarding of data and the diligent focus on data privacy have been positive results of GDPR. In a time where data breaches and identity theft are increasing exponentially, the implementation of a means by which to protect our privacy and security is most welcome.