The GDPR encompasses a broad-ranging set of legislation, unifying fragmented data privacy and protection laws across Europe, and placing stringent demands on organisations to be disciplined when handling personal data.
It has sparked attention across the globe, as even companies not based in the European Union are forced to comply (if, for instance, they have customers who are EU residents, or if they have an EU-based subsidiary).
Companies found guilty of violating the GDPR could face crippling fines: up to the greater of EUR 20 million or four percent of annual turnover.
In Africa, legal commentators have drawn parallels between GDPR and South Africa’s incoming Protection of Personal Information Act (POPIA) – slated for enactment into local law within the coming months.
POPIA will govern the way that local firms collect, use, store, share and destroy personal data. It demands that organisations have controls in place to safeguard customers’ personal data from being compromised or stolen.
Benefits to local companies
“Data privacy and protection will certainly be a dominant theme in business – both internationally as well as locally – over the coming years,” notes Anton Jacobsz, Managing Director at Networks Unlimited Africa, a value-added distributor representing Rubrik in Africa. “To ensure immediate impact, lawmakers may well look to make an example out of companies violating the principles of GDPR and POPIA.”
The GDPR defines the roles and responsibilities of data controllers and data processors, guiding organisations on a number of data management aspects.
These include the need to have a lawful basis for processing personal data, rules on how to process that data, transparency about use of the data, the ability to retain data for only limited periods of time, and the obligation to take steps to ensure the ongoing accuracy of the data.
“Considering the breadth and scope of the regulations, no single technology solution can guarantee total compliance, straight out-of-the-box,” says Jacobsz, adding that Rubrik’s solutions help to cover many of the bases.
“Ultimately, organisations must holistically consider every aspect of their business – from technology, to people, processes and systems.”
How Rubrik addresses GDPR’s requirements
A recent Rubrik whitepaper – ‘Get prepared for GDPR compliance with Rubrik Cloud data management’ – explores just how Rubrik’s data management solutions can assist with GDPR compliance.
Let’s look at some of the key points:
GDPR Article 32(1)(a) states that organisations must ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk… including encryption of personal data’.
Rubrik’s solutions include software-based encryption and the option of FIPS 140-2 Level 2 encrypted self-encrypting drives (SEDs). These are designed to ensure data security in the face of high data growth – securing data at rest as well as data in flight. For a further layer of protection against attackers, key management can be conducted internally via Rubrik’s Trusted Platform Module chip or with a KMIP-compliant external key manager.
GDPR Article 5(1)(f) refers to ‘protection against unauthorised or unlawful processing… destruction or damage’.
Rubrik supports ISO detection of tampering, even when the system is powered off, to support compliance with this aspect of the regulations.
Article 32(4) demands that firms ‘ensure that any natural person… who has access to personal data does not process them except on instructions from the controller.’
With role-based access control and multi-tenancy features, Rubrik’s customers can set up various organisations and role profiles, segmenting duties and restricting access to minimise the chance of any improper processing.
Rubrik brings an innovative cloud-based framework for secure data and metadata isolation by virtualising all resources so that organisational units can share allocated resources in a secure, isolated fashion.
Articles 5, 17 and 24 address policy-based automation and management
In keeping with the principle of data minimisation, Rubrik’s policy-driven automation can be used at a granular level to limit personal data retention by setting individual policies for databases that house personal data so that only relevant and necessary data is stored.
Firms can also establish policies to retain snapshots containing personal data for limited periods, to address the GDPR’s ‘Right to be Forgotten’ provisions. If a data subject requests that their personal data be deleted, the organisation only needs to delete that data in its production environment; the personal data will be aged out of the organisation’s backups once the retention period expires.
Articles 5 and 32 address ransomware protection
Ransomware attacks are an inevitable feature of the modern cyber-security landscape. But even if an attack is successful, all applications and data ingested by Rubrik are stored in an immutable manner, so that previous snapshots cannot be corrupted in the event of a ransomware attack.
GDPR and POPIA certainly thrust data protection into the spotlight. But instead of fearing the consequences, organisations can equip themselves with the right tools – to stay on the right side of the law, and engender trust among their customers.