How LTO Ultrium tape can support a GDPR compliant data processing system
In today’s blog, which accompanies a new White Paper, I’d like to explain how HPE StoreEver tape storage solutions offer a number of benefits for businesses considering their General Data Protection Regulation (GDPR) compliance strategy. Please be aware that this article is not intended, and should not be used, as legal advice about the content, interpretation, or application of the GDPR.
What is the GDPR and what are its aims?
By now, most readers will be familiar with the GDPR. In simple terms, it’s legislation developed to strengthen and unify data privacy protection for natural persons within the European Union. It can affect any business, regardless of location, that processes the personal data of individuals in the EU.
The primary objective of the GDPR is to provide rules relating to the protection of natural persons with regard to the processing of personal data (the GDPR term is broader than many definitions of personally identifiable information, or PII, with which it is often equated). The key principles of the GDPR in relation to the processing of personal data, set out in Article 5, are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
In essence, the GDPR means that safeguards for personal data will have to be designed into the very fabric of how personal data is captured, managed, used and stored during its lifecycle. While this might appear challenging, for many organisations GDPR is actually an opportunity to gain better insight into where personal data is gathered, used, and stored in order to assess the robustness of how it is protected.
It’s worth reiterating that the GDPR is explicitly ‘technology neutral’ [1], so that the protection of individuals’ rights in respect of their personal data is not dependent on the methods used. The GDPR does not recommend or exclude any single storage technology as a means of compliance. Enterprises will probably need to evaluate their options and choose a mix of solutions depending on which aspect of compliance they are trying to address.
HPE StoreEver tape offers some compelling benefits when it comes to GDPR compliance.
The benefits of encrypting personal data using LTO Ultrium tape
Encryption, a standard feature of LTO drives since LTO-4, is one of only a few techniques specifically mentioned by the GDPR in the context of data protection and security [2]; Article 32(1)(a) names pseudonymisation and encryption of personal data as examples of appropriate technical measures. And when it comes to encryption, tape is a highly efficient and effective data protection solution for several reasons.
- Firstly, HPE LTO drives use the 256-bit Advanced Encryption Standard in Galois/Counter Mode of operation (AES-256-GCM for short). AES-256-GCM conforms to specific US and international standards published by a number of standards bodies: AES itself is defined in FIPS 197, GCM in NIST SP 800-38D, and its use on tape in IEEE 1619.1. Because GCM is an authenticated mode, it protects integrity as well as confidentiality: a record that has been altered on the medium fails authentication when it is read back instead of silently returning corrupt data.
- Secondly, it’s the tape drive or tape library itself that does the major task of encrypting terabytes, or even petabytes, of data ‘on the fly’, instead of the data being passed through an expensive secondary appliance. So tape encryption is much cheaper and places less of a burden on your network. Note that the drive only encrypts with a key it is handed: keys are supplied by the backup application or a key manager and are never written to the cartridge, so key management, including retaining keys securely for the whole retention period of the tape, remains the controller’s responsibility.
- Thirdly, because the tape device manages the encryption process, there is no performance degradation for compression or encryption [3], which offers massive benefits in terms of data throughput, e.g. in comparison to software or appliances that create additional server workload.
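To make the security property the list above relies on concrete, here is an added illustration in Go of what AES-256-GCM authenticated encryption gives a backup record. This is example code written for this article, not HPE drive firmware, and it does not reproduce the on-tape record format that IEEE 1619.1 defines; the record-number binding through additional authenticated data, the 12-byte nonce and the sample record are assumptions of the example. It shows that the ciphertext is unintelligible without the key, and that an altered, misplaced or wrong-key record fails authentication rather than yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagSize = 16 // GCM appends a 16-byte authentication tag

// recordAAD encodes the record's position as additional authenticated data
// (an assumption of this example). A ciphertext record is thereby bound to
// where it sits: a record spliced into another position fails to verify.
func recordAAD(recordNo uint64) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint64(aad, recordNo)
	return aad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord returns nonce || ciphertext || tag for one plaintext record.
// The nonce must be unique per record under a given key; reusing one with
// GCM leaks plaintext and breaks the authentication guarantee.
func sealRecord(key, nonce []byte, recordNo uint64, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", aead.NonceSize(), len(nonce))
	}
	out := append([]byte{}, nonce...)
	return aead.Seal(out, nonce, plaintext, recordAAD(recordNo)), nil
}

// openRecord verifies the tag and decrypts. Any error means the record must be
// treated as unreadable: wrong key, altered bytes, or wrong position.
func openRecord(key []byte, recordNo uint64, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+tagSize {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], recordAAD(recordNo))
}

func main() {
	// Constructed sample: a random 32-byte key and one backup record of personal data.
	key := make([]byte, 32)
	nonce := make([]byte, 12)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	record := []byte("customer=Jane Roe;dob=1980-01-01;iban=GB00TEST")

	sealed, err := sealRecord(key, nonce, 7, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("first ciphertext bytes: %x\n", sealed[12:20])

	// Correct key, correct position: the plaintext comes back.
	pt, err := openRecord(key, 7, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, record))

	// One flipped ciphertext bit: authentication fails, nothing is returned.
	tampered := append([]byte{}, sealed...)
	tampered[20] ^= 0x01
	_, err = openRecord(key, 7, tampered)
	fmt.Println("tampered record rejected:", err != nil)

	// The same bytes presented as record 8: the position mismatch is detected.
	_, err = openRecord(key, 8, sealed)
	fmt.Println("misplaced record rejected:", err != nil)

	// Lost or wrong key: the data stays unintelligible.
	wrong := make([]byte, 32)
	_, err = openRecord(wrong, 7, sealed)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The point for the GDPR discussion that follows is the last case: the cartridge on its own, without the key, yields nothing a reader can interpret, which is what the Article 34 exemption turns on.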
How tape encryption can mitigate the impact of a data breach as defined by GDPR
Tape encryption may also help customers minimise risk and make it easier to comply with critical GDPR requirements, such as data security.
Article 34 [4] of the GDPR states that, where a personal data breach is likely to result in a high risk to individuals, controllers are obliged to communicate the incident to the data subject “without undue delay”. But Article 34(3)(a) also says that this communication is not required if the controller had applied protection measures to the affected data that render it unintelligible to anyone not authorised to access it, such as encryption. Two caveats apply in practice: the exemption only holds if the encryption keys were not compromised along with the data, and it does not remove the separate duty under Article 33 to notify the supervisory authority, normally within 72 hours, unless the breach is unlikely to result in a risk to individuals.
The ability of LTO Ultrium tape devices to encrypt large amounts of data quickly and easily may help reduce administrative workloads and mitigate the risk of GDPR non-compliance for enterprises processing personal data at scale.
In the worst-case scenario of personal data being lost or stolen, which would constitute a personal data breach as defined in Article 4(12), Article 83(2)(d) says that when an administrative fine is set, due regard shall be given to “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them” pursuant to Articles 25 and 32. Article 83 does not name encryption itself, but Article 32(1)(a) lists encryption as one such technical measure, so encrypting the data can mitigate both the risk arising from a breach and, by association, the consequential penalties.
How offline tape storage enhances the security of processing under GDPR
Another core benefit of tape technology relevant to security of processing considerations is the fact that tape is essentially an offline storage medium and can be placed in a controlled and secure facility to reduce the risk of data loss or disruption caused by cyberattack, malware or other hostile intent.
It would be very difficult for a malicious individual to gain authenticated system access and then physical access to the tape library or vault where data was being stored. And even if they managed this feat, they would still need the encryption keys to read the data from the tapes. The offline benefit applies fully to cartridges that have been exported from the library or vaulted; media still loaded in a library remain reachable through the backup server, so the backup server and the key manager need the same hardening as the data they protect.
Deployment of tape, therefore, may greatly increase an organisation’s ability to restore personal data in the event of a physical or technical incident, which is the availability requirement of Article 32(1)(c), and lessen the potential risk of GDPR non-compliance.
The TCO benefit of tape
PwC points out (in their white paper “Technology's role in data protection - the missing link in GDPR transformation”) that there is likely to be a cost/benefit aspect to any assessment of the risks of GDPR non-compliance. In a recent study, analysts at ESG concluded that tape offered an 88% TCO advantage over disk and a 66% advantage over cloud for archiving data over a ten-year period. Since tape has a very low TCO compared to disk and cloud, it can help companies manage their risk more cost effectively. Businesses can protect large quantities of personal data securely and relatively inexpensively, which might help contain storage costs and accelerate progress towards GDPR compliance by freeing resources to be deployed elsewhere.
Finally, it’s important to remember that the GDPR relates to personal data. The digital datasphere, which IDC forecasts will reach 163 ZB (163 trillion GB) by 2025, will contain vast quantities of commercially valuable, non-personal data for which tape remains the pre-eminent platform for long-term retention because of its advantages of low cost, security and scalability.
There may not be a better business case for organizations to fortify their cybersecurity and risk management portfolios than the GDPR. The need to meet the higher data protection standards of the GDPR will offer organizations the opportunity to streamline IT, enhance server infrastructure security, and improve data management.
Hewlett Packard Enterprise is focused on the new world of threats and how to best protect against them. HPE StoreEver tape storage solutions can assist your organization with its GDPR compliance.
Download: How LTO Ultrium tape can support a GDPR compliant data processing system
[1] Recital 15 - https://gdpr-info.eu/recitals/no-15/
[2] Recital 83 - https://gdpr-info.eu/recitals/no-83/ “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
[3] HPE LTO Encryption Technology White Paper
[4] Article 34 - https://gdpr-info.eu/art-34-gdpr/