What is GDPR?
The new EU General Data Protection Regulation (GDPR) applies to the processing of personal data. It mainly sets out how personal data should be processed and defines the roles of a data processor and a data controller. It also describes how to implement data protection by design and data privacy by default.
How does GDPR affect your business?
Small and medium-sized businesses across all industries feel the pressure of complying with the new GDPR rules. Budgets are often too tight to bring in outside expertise for the roles of data controller or data processor, so in most cases the company itself takes on both roles.
How does Buffalo support you with the challenge?
Buffalo informs you about the new regulations from an IT and hardware/software perspective and advises on how to comply with GDPR from a storage-solution viewpoint. Buffalo supports its customers with technology offerings, but the controller and the processor within a company are the gatekeepers of compliance. As in most cases, the people in a company are the key to ensuring GDPR compliance.
What is personal data?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Rights of Data Subject
The data subject has the right to request the following:
1. To be informed about data processing.
2. To access their data.
3. To rectify or delete their data.
4. To take their data to another organisation.
For your company, this means that you have to know where each data subject's personal data is stored and must be able to respond to their requests in a timely manner. Businesses should therefore ensure that personal data is stored centrally, on a server, a NAS and/or with a cloud provider; otherwise it can become difficult and time-consuming to collect and process the requested data from scattered sources. If the data is stored in a public cloud, you have to make sure the cloud provider, acting as data processor, complies with GDPR.
Data retention is another important factor: some types of data must be deleted after a certain time frame, for example personal data collected in connection with the purchase of a product and its warranty. Other types of data must be retained for a minimum period, such as certain financial records. Information Lifecycle Management software solutions are available from a number of vendors and help your organisation meet industry-specific data retention requirements. To achieve this, you also need a robust backup strategy in place.
Data Protection by Design and Data Privacy by Default
These are the two key GDPR principles that directly affect your data storage solution. They mean that you have to implement a storage solution that is easy to access and manage and has privacy and protection designed into its foundation. If you store your data in-house, your business is both data controller and data processor and is therefore fully liable for the repercussions should any of this data be hacked or the regulations breached. If you opt for a public cloud or hybrid storage solution, it remains the business's responsibility to ensure that both you and the third-party provider are GDPR compliant.
If personal data is stored in-house on a server or NAS or other devices, the storage solution should provide the following features:
- Password protection – devices and files/folders that contain personal data should be protected by passwords and accessible only to users who have permission to access and/or process the data.
- Encryption – data should always be stored and transferred encrypted.
- Physical protection from theft or loss – devices that store personal data should be protected physically (e.g. a NAS secured with a Kensington lock, lockable HDD bays in a server or NAS, etc.).
- Anti-virus software.
- Firewall protection.
- Backup and restore – backups should be automated and run daily so that, in case of data loss, you can retrieve the (personal) data and be sure that it is recent and correct.
- RAID redundancy – avoid system downtime or data loss by choosing a storage device that provides RAID redundancy and protects against hard drive failures.
- Centralised storage – prefer central storage over local storage on PCs, laptops or external/portable hard drives, which are more prone to theft or unauthorised access and make it difficult or impossible to control who accesses and processes the data on them.
Risks and Solutions
SMBs should also ensure they have knowledgeable people acting as processor and controller to ensure compliance. For more information on other aspects such as breach notification, consent, accountability principles, documentation of processing activities, staff awareness and training, please regularly check the GDPR information on the website: http://www.eugdpr.org
Osamu Tomita, Marketing and Business Plan Director for Europe, says: “Customers are first for Buffalo. We provide them with high quality products together with valuable security features. Buffalo NAS are the securest NAS on the market; third-party apps cannot be installed without approval and permission from Buffalo’s engineering team. The local set-up and management of the TeraStation with passwords strengthens the level of security and protection of data. The encryption of data is a must in this environment to assure unauthorised disclosure or access. TeraStation 5010 and TeraStation 3010 are the ideal NAS systems to cover all the security features mentioned.”