Backup data and the “Right to be Forgotten”
The European Union’s GDPR and California’s CCPA are heavily focused on people’s “right to be forgotten”. These laws mean that anyone can now require a company to delete all personal data they might have on them, and companies that don’t comply face stiff penalties.
At Igneous, we get asked all the time “who is responsible for removing someone from backups if they want to be forgotten”? Spoiler alert - it’s you. Does that mean you need to wipe the whole backup? Or does your backup solution support removing specific data? Igneous was built with use cases just like this in mind. Our remotely-deployed software enables users to easily search for and delete data. Igneous takes care of the hard part automatically.
Data privacy is vitally important for industries like healthcare, life sciences, and finance that routinely collect personally identifiable information (PII) in file data, but really every organization needs to be paying attention. PII often lives in both data and metadata (data about other data). And if your file structure scheme includes PII in the path, then you have to worry about that, too.
These laws are only the beginning. A number of US states have enacted, or are in the process of enacting, their own data privacy laws. Nevada already has one. Maine’s goes into effect on July 1, 2020. Illinois, New York, Washington State and as many as eight other state legislatures are all working on laws that are more restrictive than CCPA.
So what is a data manager to do?
Remember: Backups are not active data
The French National Commission on Informatics and Liberty (CNIL), the organization that oversees enforcement of the GDPR’s right to be forgotten regulations, has some guidelines for data backups.
CNIL doesn’t consider backups that are not being used in normal day-to-day operations to be “live” data, so such backups are not subject to the regulation. This makes sense - the data isn’t actively being used and is not available to most of the organization for any purpose.
That all changes when data is restored. Let’s say you delete someone’s data but later it is restored along with something else you needed to get back. Suddenly the PII that was deleted is back! To remain in compliance with GDPR, the PII has to be deleted again. CNIL suggests that a list of all deleted data for GDPR compliance be kept so that restored data can be checked and, if necessary, data can be deleted again.
As of this writing, the CCPA isn’t clear about backups but is headed in the same direction. In early February, 2020, the California Attorney General proposed amendments to the CCPA that say as much: “If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.” Those proposed changes are in review now and will likely become part of the law.
Policies should be published
CNIL also recommends that organizations be upfront and clear with individuals as to what will happen to their data when their erasure request is fulfilled, including data in backups.
Igneous is committed to helping organizations with large amounts of file data that are on the hook to comply with new data privacy laws. Our data management platform includes many features that make complying with these laws easier, faster, and more accurate.
How Igneous can help
Finding the Data
If you need to delete someone’s data you have to be able to find it first. "One of the issues that data center managers have is that they don't know where all their data is," said Ameesh Divatia, CEO at Baffle, a Santa Clara-based data security company. “It's a massive data management problem." Igneous allows data managers to quickly search huge amounts of protected file data in seconds across their entire enterprise. If Igneous is managing it, you can find it quickly. Petabytes of data and billions of files can be searched and then acted on immediately. This includes doing deletion within backups and archives. And we are not done yet: this spring, we’ll release an enhanced search experience, allowing users to find and filter file systems across any organization, regardless of whether the data is protected or not.
GDPR and Cloud Backup Targets
One fear when moving to cloud storage for backup is the runaway transactional cost associated with managing and removing data. If not properly managed, right to be forgotten requests could potentially balloon these costs. A traditional system is ‘naive’: it immediately deletes files from cloud storage on request. This can be very expensive, since minimum retention periods and transaction costs make deleting a file more expensive than storing it. Igneous helps control those costs by decoupling expiration and deletion from compaction. Our software instantly removes deleted files from the list of active files, making them unretrievable to the organization. This satisfies the requirement for “deletion”. When it makes sense economically (i.e., when cloud storage costs start to outweigh transaction costs), Igneous automatically removes the data from the cloud. With Igneous, compliance doesn’t have to add any additional costs.
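The two ideas above, CNIL’s advice to keep a record of erased data and re-apply it after a restore (see “Backups are not active data”), and the “tombstone now, compact later” approach to cloud deletion, can be sketched in a small model. This is an added illustration, not Igneous code; the index structure, paths, the subject-identifier match on paths (PII in the path, as noted earlier) and the cost figures are all constructed assumptions.

```python
"""Erasure ledger applied to restores, plus deferred physical deletion.

Illustration only (not Igneous code). Paths, sizes and costs are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class BackupIndex:
    active: dict = field(default_factory=dict)    # path -> size in bytes
    tombstones: set = field(default_factory=set)  # paths erased under a request
    pending_bytes: int = 0                         # erased bytes still sitting in the cloud

    def erase(self, path: str) -> bool:
        """Logical deletion: drop the path from the active list and record it.
        The bytes stay in cloud storage until compaction, so keep a tally."""
        size = self.active.pop(path, None)
        self.tombstones.add(path)
        if size is not None:
            self.pending_bytes += size
        return size is not None

    def erase_subject(self, subject_id: str) -> list[str]:
        """Erase every active file whose path carries the subject identifier
        (constructed rule for the 'PII in the path' case)."""
        hits = [p for p in self.active if subject_id in p]
        for p in hits:
            self.erase(p)
        return hits

    def restore(self, snapshot: dict) -> tuple[dict, list[str]]:
        """Bring a snapshot back, re-applying every earlier erasure.
        Returns (files actually restored, paths that had to be deleted again)."""
        redeleted = [p for p in snapshot if p in self.tombstones]
        restored = {p: s for p, s in snapshot.items() if p not in self.tombstones}
        self.active.update(restored)
        return restored, redeleted

    def should_compact(self, storage_cost_per_byte_month: float,
                       delete_txn_cost: float, months_pending: float) -> bool:
        """Physically delete only once keeping the dead bytes has cost more
        than the delete transaction would (constructed cost model)."""
        keep_cost = self.pending_bytes * storage_cost_per_byte_month * months_pending
        return keep_cost > delete_txn_cost

    def compact(self) -> int:
        """Simulated cloud delete of all tombstoned data; returns bytes freed."""
        freed, self.pending_bytes = self.pending_bytes, 0
        return freed
```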
Mileage may vary
For some organizations, data may fall under other regulations that conflict with the right to be forgotten. For example, if your data falls under SEC Rule 17a-4 you can’t delete it for 7 years. GDPR and CCPA are sufficiently flexible to coexist with retention regulations but you need to be aware of the challenges before you talk to legal (or before they talk to you). If you don’t have a game plan, a lawyer’s opinion might lead you down a road of technical oblivion.
In the end, every organization has to evaluate their own operational needs and their tolerance for risk to know exactly how to manage compliance. Need some help along the way? Igneous would love a chance to make managing your data and compliance easier.