How To Remain GDPR Compliant - Dos & Don'ts

Milind Borate, Co-Founder & CTO, Druva

Milind has more than 20 years' experience in enterprise product development and delivery. Prior to co-founding Druva, he worked at Veritas Software as Technical Director for SAN-FS and served on the board of the Veritas patent committee. Milind is passionate about building engineering teams that deliver end-to-end solutions, and among his favorite pastimes is philosophizing on software development. His current areas of interest are cloud storage and machine learning for unstructured data.

It's been nearly one year since the General Data Protection Regulation (GDPR) took effect on May 25, 2018. According to the Cisco 2019 Data Privacy Benchmark Study, 65 percent of companies in India are so far ready for GDPR compliance, with the country ranking sixth on the GDPR readiness index. But as much as it has been in the news, you might find yourself wondering: what can I do as a system administrator to help my company comply with GDPR? Before we answer that question, though, let's do a quick review of what the GDPR is.

Privacy First
The GDPR says the subject of the data gets to decide which companies can store their personal data. And before making such a decision, the subject should know why the company needs it, what they're going to do with it, and should be certain it will be stored properly. Among other things, "properly" storing personal data means you will ensure only those who need to see it will be able to see it, and that they will only be able to see it when needed.

Many feel the GDPR simply codified what most would consider to be industry best practices, and many of the regulations do indeed fall into the realm of system and database administration. There are five distinct ways that admins can help their companies comply with GDPR. Let's take a look.
Appropriate Access
Only those who need access to a given data set should be given that access. For example, a doctor should have access to their patient's medical records, but that does not mean all doctors should have access to all patients' medical records. Of course, anyone without a medical reason to have access to a patient's medical records should not have that access.

System and database administrators can help their companies be more compliant by reviewing who has access to different data types and making sure only those who need access have it.

Account Maintenance
Once you ensure that only the appropriate people have access, make sure you have a process for deactivating accounts when they are no longer needed. Human resources and those dealing with contractors should have a process for notifying the appropriate team when an individual's or group's access should be revoked. In addition, there should be some sort of periodic review to make sure that no one has fallen through the cracks.
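The two checks above (appropriate access and account maintenance) can be run as one periodic review: compare what the access-control system actually grants against the HR roster and the data owners' need-to-know list. The following is an added illustration, not code from the article or from Druva; the account names, data set names and dates are constructed sample data, and the "need-to-know" map is assumed to be maintained by the data owners.

```python
"""Periodic access review: compare who *has* access with who *needs* it."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    account: str
    dataset: str
    last_used: date  # last time this grant was actually exercised


@dataclass(frozen=True)
class Finding:
    account: str
    dataset: str
    reason: str


# Constructed sample inputs (hypothetical names, not from the article).
# HR roster: accounts belonging to people still employed or under contract.
ACTIVE_ROSTER = {"dr.sharma", "dr.rao", "m.iyer"}
# Need-to-know map from the data owners: which accounts may see which data set.
NEED_TO_KNOW = {
    "dr.sharma": {"patients/ward-a"},
    "dr.rao": {"patients/ward-b"},
    "m.iyer": {"invoices"},
}
# What the access-control system grants today.
GRANTS = [
    Grant("dr.sharma", "patients/ward-a", date(2019, 4, 20)),
    Grant("dr.sharma", "patients/ward-b", date(2019, 4, 18)),  # excess: not her patients
    Grant("dr.rao", "patients/ward-b", date(2018, 9, 1)),      # stale: unused for months
    Grant("m.iyer", "invoices", date(2019, 4, 22)),
    Grant("j.contractor", "invoices", date(2019, 3, 30)),      # orphan: contract ended
]
REVIEW_DATE = date(2019, 4, 25)


def review_access(grants, roster, need_to_know, today, max_idle_days=90):
    """Return one Finding per grant that should be revoked or re-justified."""
    findings = []
    for g in grants:
        idle = (today - g.last_used).days
        if g.account not in roster:
            findings.append(Finding(g.account, g.dataset, "revoke: account owner no longer active"))
        elif g.dataset not in need_to_know.get(g.account, set()):
            findings.append(Finding(g.account, g.dataset, "revoke: no documented need for this data set"))
        elif idle > max_idle_days:
            findings.append(Finding(g.account, g.dataset, f"review: grant unused for {idle} days"))
    return findings


if __name__ == "__main__":
    for f in review_access(GRANTS, ACTIVE_ROSTER, NEED_TO_KNOW, REVIEW_DATE):
        print(f"{f.account:14} {f.dataset:18} {f.reason}")
```

Feeding the script the real roster export and ACL dump on a schedule turns the "periodic review" into a repeatable check rather than a memory exercise.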


Separation of Powers
The more powers a system or database administrator has, the greater the "blast radius" if they do something wrong. This is why it is a very good idea to use role-based administration to separate various powers. For example, one administrator might be able to configure new backups and run them, but not have the ability to delete old backup configurations or old backups. Perhaps the ability to do restores is limited to only a few people. The more you can separate powers, the safer your data will be overall, and the safer personal data will be.

Encryption is Strongly Encouraged
In addition to having a solid intrusion detection and prevention system, you should consider using encryption for data at rest in case that system is ever circumvented. If a bad actor ever gains access to data they are not supposed to receive, encryption makes it a non-issue. It should be considered for all personal data.

Backups are Not Optional
Backups should not be optional anywhere in the data center, but when it comes to personal data and the GDPR, part of the regulation says that such data should be protected from erasure. The only way to properly do this is to make sure you have a good backup and recovery system.

A Good Start
There is a lot more to the GDPR than the things mentioned in this article, but they are a good start. The first one, making sure that only those who need access have access, is probably the most important one, and the best practice that you're most likely in violation of. Take a look at that first, then take a look at the others. That is, after you've made sure you have a good backup.