IBM Systems Magazine, Power Systems - March 2018 - 22
"If you're able to deepen the trust relationship with your clients by showing transparently that you're handling their personal data in the right way, they're likely to trust you with more personal data that you can then use to better tailor goods and services to them."
-Richard Hogg, global GDPR evangelist, IBM
but it does relax the regulation somewhat (e.g., allowing such data to be repurposed without requiring a new consent from the data subject).

provides an additional means of protecting data from unauthorized users. In the event an organization using encryption has a data breach, the organization is authorized by GDPR to ignore the otherwise compulsory notification rule.
Article 30, a key provision, covers creating and maintaining records of processing activities. This should include essential details such as what kind of data is being stored, where it is being stored, who will access and process data, etc. This information should be supplied to the data subject on request.
One of the major challenges of the new legislation is that it doesn't exempt existing data. With that wrinkle, implementing the four rights of data subjects becomes more difficult.
It's one thing to build a database and application designed around the regulation; it's another to apply the standards to legacy data that may not be stored in a way that is compatible with required operations.
If an entry is just a row in a database, deleting it is straightforward. The problem is locating other copies that may be in the archives or backups.
"It's a whole other challenge to somehow go back and find that data, and then if you do find it, how do you restore it?" Hogg observes. "How do we remove just you from that offline archive backup database that's on who-knows-what kind of backup media? Where across all of the backups that we've done over the last seven years is your information and how can we just delete it without breaking the referential integrity of the online or offline application?"
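As an added example (not code from the article, and not an IBM recommendation), the following Python script models the two halves of the erasure problem described above on a constructed sample: an in-memory SQLite store in which a naive row delete is rejected by a foreign key, an in-place overwrite of the subject's identifying columns that keeps the dependent order rows consistent, and a scan of constructed backup snapshots (plain JSON documents here) that lists which ones still carry the subject's address. The schema, names, dates and snapshots are all invented for illustration; overwriting in place rather than deleting is one option the example assumes, not the article's prescription.

```python
"""Added example, not code from the article: erase one data subject from an
online relational store without breaking referential integrity, then inventory
backup snapshots for leftover copies. All data below is constructed."""
import json
import sqlite3

SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT NOT NULL);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     customer_id INTEGER NOT NULL REFERENCES customer(id),
                     total_cents INTEGER NOT NULL);
"""

# Constructed backup snapshots: each is a JSON dump of the tables as they stood
# on that date. Two of the three still contain Alice's record.
BACKUPS = {
    "2017-03-full.json": json.dumps({
        "customer": [{"id": 1, "email": "alice@example.org", "name": "Alice"}],
        "orders": [{"id": 10, "customer_id": 1, "total_cents": 1999}]}),
    "2017-09-full.json": json.dumps({
        "customer": [{"id": 2, "email": "bob@example.org", "name": "Bob"}],
        "orders": [{"id": 12, "customer_id": 2, "total_cents": 250}]}),
    "2018-02-full.json": json.dumps({
        "customer": [{"id": 1, "email": "alice@example.org", "name": "Alice"},
                     {"id": 2, "email": "bob@example.org", "name": "Bob"}],
        "orders": [{"id": 10, "customer_id": 1, "total_cents": 1999},
                   {"id": 11, "customer_id": 1, "total_cents": 4500},
                   {"id": 12, "customer_id": 2, "total_cents": 250}]}),
}


def build_db() -> sqlite3.Connection:
    """In-memory database with foreign-key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                     [(1, "alice@example.org", "Alice"), (2, "bob@example.org", "Bob")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(10, 1, 1999), (11, 1, 4500), (12, 2, 250)])
    conn.commit()
    return conn


def naive_delete(conn: sqlite3.Connection, customer_id: int) -> bool:
    """'Just delete the row.' Returns True only if the delete went through;
    while orders still point at the row, the foreign key rejects it."""
    try:
        conn.execute("DELETE FROM customer WHERE id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def erase_subject(conn: sqlite3.Connection, customer_id: int) -> int:
    """Remove the personal data but keep the key that orders depend on: the row
    survives with its identifying columns overwritten by a non-reversible
    placeholder. Returns the number of rows rewritten."""
    cur = conn.execute("UPDATE customer SET email = ?, name = ? WHERE id = ?",
                       (f"erased-{customer_id}@invalid", "[erased]", customer_id))
    conn.commit()
    return cur.rowcount


def find_copies_in_backups(backups: dict, email: str) -> list:
    """Names of snapshots that still hold a record with this e-mail address.
    Real backups need a format-specific reader; JSON keeps the example offline."""
    hits = []
    for name, blob in backups.items():
        tables = json.loads(blob)
        if any(row.get("email") == email for rows in tables.values() for row in rows):
            hits.append(name)
    return sorted(hits)


def demo() -> dict:
    """Run the whole sequence on the constructed data and report what happened."""
    conn = build_db()
    naive_ok = naive_delete(conn, 1)
    rewritten = erase_subject(conn, 1)
    orders_kept = conn.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = 1").fetchone()[0]
    online_left = conn.execute(
        "SELECT COUNT(*) FROM customer WHERE email = 'alice@example.org'").fetchone()[0]
    return {"naive_delete_succeeded": naive_ok,
            "rows_rewritten": rewritten,
            "orders_kept": orders_kept,
            "online_copies_left": online_left,
            "backups_still_holding_subject":
                find_copies_in_backups(BACKUPS, "alice@example.org")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the naive delete failing, one customer row rewritten, both of the subject's orders kept, no copy left online, and two of the three snapshots still holding the subject: the online half is easy, and the backup inventory is the part of the job the article is pointing at.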
Just as moving from one location to another compels a homeowner to eliminate unnecessary belongings and better organize the rest, the process of complying with GDPR creates a framework for improving data processes and governance.
"So many organizations have been misusing backup as a form of archives, whereas it really should be used for disaster recovery," says Hogg. "And too many of us have been keeping backups or archives for way too long. There's a potential that we need to review current applications as well as practices of online, near line, and offline backup of archives."
"I talk to clients who may or may not delete data at all," says Fritz. "This is going to force them to at least know where they have personal information and realize that they may not be able to keep data forever, which can help reduce both security and privacy risk."
Part of the reason GDPR is getting such attention is that the law includes significant penalties for

For upper-tier infringements such as violating the rights