GDPR: Do Not Forget About PII Data In Your Non-Production Environment Such As Legacy, Archive, Development, And Test


By Peter Evans

On May 25, 2016, the GDPR (General Data Protection Regulation) became law in 28 European countries, marking the arrival of the biggest piece of legislation ever created on a global scale. We are now rapidly approaching the date when enforcement of the new law will commence in 2018. The most important thing to remember about the regulation is its global scope — wherever you are in the world, if you hold or process personal data of Europeans, then you and your company must comply.

In the mad rush that is reminiscent of the months leading up to Y2K (yes, I’m that old), it is interesting to see where most enterprises are focusing their compliance efforts. Huge amounts of capital are being invested in products to assist newly-minted Data Privacy Officers or GDPR compliance teams to assess their production systems, discover PII data, and then implement procedures to enhance the regulation of that data.

However, one important area seems to have been totally forgotten in this gallop to the finish line, based on my experience of consulting with many enterprises on their GDPR roadmaps or projects — and that is all of the legacy data that is currently sitting in mothballed applications, mainframes, and systems that are only kept alive for individual industry regulatory compliance or legal needs.

Most organizations’ plans for GDPR focus entirely on their customer-facing and production systems. However, to become GDPR compliant, a comprehensive understanding of the enterprise data landscape (including legacy or archived data) is necessary. An enterprise must be able to discover not only which external-facing assets collect personally identifiable information (PII) and where it is being stored in current production systems, but also any PII data that has been collected and still resides in any systems not in production, including legacy, archive, development, and test. To be able to do so, organizations should have implemented a Common Data Platform or unified framework.

However, the majority of organizations have not yet implemented a Common Data Platform or unified framework that encompasses all of their production and non-production systems. Also, most archive platforms are a mishmash of proprietary systems located in the far corner of the data center, drawing the least power possible. Since control of these systems when they were implemented was probably not as tight as it is in today’s modern infrastructure implementations, it can be surmised that most, if not all, will contain PII data to some degree. Placing this data under control requires organizations to look at using a modern archiving platform to move all legacy system data into a centralized repository, where full regulatory compliance and control can be effectively applied. This data can then be scanned, PII data identified, and reporting implemented to ensure that individual requests will be actioned and satisfied quickly and completely — across the whole enterprise data landscape.

The Hadoop technical framework, or ‘Big Data’ to give it its popular name, lends itself hugely to the task of storing and processing massive volumes of data, which can encompass all of the enterprise data (including databases, emails, documents, images, videos, logs, and more) from the various systems dotting the enterprise landscape. Hadoop can effectively be used to create a centralized archive. Its ability to store data “as is”, apply functional control, and encrypt data at rest provides an easy route to enforcing the protection and privacy requirements set by GDPR within a centralized and secure location. Added to these basic requirements is the ability to use search tools like Elasticsearch or Solr to access the data stored within the archive repository quickly.

Independently of GDPR compliance, there are strong practical and economic reasons for adopting a modern enterprise archive and application retirement project, as the relocation of data from legacy infrastructure can result in significant cost savings and improved information lifecycle management. With the addition of a complex regulation like GDPR, the case for a comprehensive data strategy and technology platform only becomes stronger.

The GDPR enforcement date is just around the corner. It is high time for organizations to implement a comprehensive GDPR readiness and sustenance program backed by modern technologies. To be successful, be sure to include all facets of your organization — including IT, Business, and C-level executives.

About Peter Evans

Peter Evans is the Senior Director for Big Data Solutions at Solix. He specializes in Big Data, Data Virtualization, Business Intelligence and Advanced Analytics, and is a recognized expert in the design, implementation and delivery of bespoke Business Intelligence and Analytics systems utilizing various technologies to a large number of major international companies in over 16 years in the field.
