06. March 2021

Talking GDPR and CCPA with Storage Switzerland

Regulations like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are requiring organizations to rethink their data.

In “Talking GDPR and CCPA,” Storage Switzerland’s George Crump and Aparavi’s Jon Calmes discuss:

  • What IT should be concerned about when it comes to GDPR and CCPA
  • How these regulations affect current data protection retention applications
  • What your organization will need to change to ensure GDPR and CCPA compliance

Read the transcript below, and stay tuned for more data regulation insights from Aparavi!

Transcript: Talking GDPR and CCPA with Storage Switzerland

George: Hello and welcome. This is one of Storage Switzerland’s 15-minute flash webinars. One of the hardest things I have to do is get a webinar done in 15 minutes, but we’d like to get crisp and to the point. So joining me on today’s webinar is Jonathan Calmes. He is the Vice President of Business Development at Aparavi. Jon, thanks for joining us today.

Jon: Yeah, absolutely. I appreciate you having us on to talk about this.

George: Hey, super quick. Why don’t you give the folks like 20 seconds on what you guys are doing over at Aparavi?

Jon: Yeah. Aparavi is an intelligent multi-cloud data management platform. And that’s fancy talk for we make sure that your data can migrate from your on-premises storage to any number of cloud locations based on the importance of that data. So we help you make sense of the data you have, help define any personal or private information, and then make sure that data goes to the right place and can be managed over a 10-year retention period.

George: Awesome. So, Jon, let’s jump into it. You know, you and I just recently did a webinar with you guys on GDPR and data privacy and all that kind of good stuff. In fact, if you’re watching the event here, there’s a link to that. You can get all kinds of more detail on that. And I know that you just came back from a conference where you guys talked about this a little bit, and I feel like almost every day I’m talking about GDPR or CCPA or something like that.

So, you know, there’s two big ones that sort of started everything. Actually, I’ve got it backwards. The South African thing came first but it didn’t really come into effect. GDPR is, I think, the one that got everybody’s attention. High-level, Jon, what’s the key element from an IT perspective that we need to be paying attention to when it comes to GDPR?

Jon: Yeah. I think it all starts with knowing what you have, knowing what data is sensitive, knowing where your business data…how it affects people within those environments. And then you’ve obviously got to put in safeguards and action items for people, for things like the right to be forgotten, specifically.

George: Okay. And I think the other thing interesting there is a lot of other regulations…I mean, clearly this is not the first set of IT-related regulations that have ever come into existence, but a lot of the prior ones were very focused on data protection, and they generally were focused on a specific data set, like HIPAA would be focused on healthcare-related data. The various financial regulations typically were focused around financial data or interactions with clients and things like that. These type of regulations are kind of broad-sweeping. They cover everything. Right?

Jon: Yeah, they definitely do. I mean, California data privacy law actually excludes HIPAA data. So if you’re a hospital, good for you. You don’t have to worry about this nearly as much as everybody else.

George: Jon, let me interrupt real quick. Hang on. I’ve got a special graphic just for the Californians in the house. There we go. Yeah, I put that in there. I paid extra for that. So if you’re not watching live, there’s a big California sign now on the map. And I think before we jump into CCPA and some of the specifics, I think this is important, because I think there are some U.S. companies that have kind of worked under the guise of, “Well, this is a European problem.” And we’ve tried to explain that it’s really not, and now we’re starting to see U.S. versions of this occur. So, sorry to interrupt but I wanted to put that massive graphic on there and let you continue.

Jon: Absolutely. I mean, I’m going to be really surprised if other states don’t start following the same type of regulations that California has benchmarked, especially with things like the Quora breach and the Starwood Group, the Marriott breach recently. I was on a panel in a room of 200 people and almost every person raised their hand when they were asked if they’ve gotten the data breach notification. So our data is out there, unfortunately, and lawmakers are going to start to feel the pressure to start to regulate this.

George: Yeah, and I think… So real quick, where I cut you off, you were mentioning that the California law excludes HIPAA data. Can you finish that thought for me?

Jon: Yeah. So there are some special things within CCPA which would take probably a longer format to really go through. But some of the things that are found specifically in California, the Consumer Privacy Act, are things like if someone opts out for information, it also covers the sale of that information, which GDPR doesn’t. It establishes specific communication channels. So there’s much more than just storage and software at work here. There are massive policy implications and massive changes to websites and all that that are going to need to happen.

George: I think what’s interesting to me about CCPA is it’s indicative of how this is going to progress. Because I think that there are, as you just said, aspects of CCPA that GDPR didn’t cover. And I think that as we go down the list here, the next one that comes out—let’s say, there’s one from New York, for example—they’ll pick up some more stuff. Right?

And my big fear from the U.S. company perspective is we may look back and say, “Oh, man, I wish we had GDPR.” Because my fear is we’re going to end up with like 50 different regulations, that it’s going to be an absolute nightmare. I don’t know how we can now avoid having a federal law that covers everything. Because otherwise you’re going to have 50 individual mandates you’re going to manage and it will be an absolute nightmare, I think.

Jon: That’s right. And I think a lot of people are terribly concerned about regulation under the current administration, but that’s going to change at some point. You know, I’m not going to get terribly political but as that changes, regulations are going to as well. And I think as businesses cry out toward state regulation, the fed is going to have to step in and provide some sort of global regulation as well. Global in the U.S. sense.

George: And I think, to your point, eventually this becomes a worldwide thing. Obviously, we have the ability to navigate different policies as you deal with them, but I think it will have to be a country-level thing, because otherwise it’s just going to be just real messy.

So let’s talk a little bit, Jon, about what do all these regulations mean. Let’s cut to the chase on it. I will tell you that neither GDPR nor CCPA are exciting reads, but my first impression when I read GDPR cover to cover was it wasn’t crazy. My fear a lot of time with government regulations is like, “Oh, come on.” But there was really not much in there that made me go, “Well, you know…” A lot of it, if you read GDPR, is good old basic data management. What are your thoughts?

Jon: I think you might be unique in that aspect. I think a lot of vendors out there and a lot of people in this space are going, “Oh, man. I’ve got a few years to figure this whole thing out.” I think, specifically, what you do with user’s rights to be forgotten is particularly challenging in an IT landscape.

George: Yeah, I agree with that. I think I probably was okay with everything up until I got to the right to be forgotten context, and I don’t want to set you guys up too easily here. But I think, again, if you are…you know, this always comes back to me, it’s always frustrated me that we look at traditional legacy backup applications as also our archive.

I was in a room full of people speaking a few weeks ago and I said, “How many of you people have backup retention times greater than two years?” And every hand went up. Why? Because I can show you study after study after study that says 99% of the data in a backup is never recovered after the first two days. Right?

So it really…to me, that’s what I mean when I talk about data management. Now, I think, one thing that I don’t want to get too far away from is clearly each of these regulations makes data protection and disaster recovery a high priority. They also, as you mentioned, and I don’t have on here, make data security a key thing. From a CCPA thing, anything unique there along the lines of data protection, disaster recovery, and security?

Jon: It adopts some similar regulations as GDPR. There are safeguards in place such as encryption, things like that. It is a little bit more toothy, we’ll say, on data breaches. So if data is exposed and, even if that data is encrypted but it’s exposed with the potential of encryption keys being leaked or metadata being leaked that could be personally identifiable, there are some pretty big teeth to the California law. I mean, the minimum fine is $2,500 per record. Right? GDPR is kind of like, “It’s a percentage based on the minimum fine of this, but it’s percentage-based.”

So, looking at Starwood Hotels specifically, the Marriott Group, which just released 500 million names, if we do some quick math and say, “Okay, 5% of those people are probably in California, and then maybe 1% of that 5% is on a privacy list,” you’re looking at a $625 million fine, minimum, right? If you can’t address the issue quickly, that fine goes up. If anything is found intentional, like you ignored it for whatever reason, or you had unreasonable protections in place, that fine can go up to 7,500 bucks per record. I mean, that is massive.

George: Yeah, I totally agree. So let’s wrap up with this one, and you kind of touched on it earlier, but one of the big challenges here is the right to be forgotten. We did a whole webinar on this. So, again, the link is in there. But again, traditional backup, I just said, “Look, you just can’t use it for retention.” The way traditional applications store data is counter-intuitive to being able to extract John Smith from the middle of a backup job.

The problem is that archive really can’t be used for backup. Most archive solutions don’t have a consistent way to rapidly get data to them. So we really need a new approach. And that’s where we ran into you guys. So do you want to give us, just in a minute or two, a quick high-level on what you guys are doing?

Jon: Yeah, the graphic is helpful here. But basically, we’ve got a combination of architectures that work together to provide granularity. So the platform is designed to not only help you address data protection from an unstructured data standpoint, but it also really prepares it for that long-term retention. It’s a new methodology that looks at individual records or individual files as unique objects.

So, with that, we can do content-based discovery with context. We can do metadata discovery and really deep searches on the data to help you discover that and then give you options like remove out of the archive or even the backup. And what allows us to do this is our proprietary pruning engine that can look at sub-file increments and remove those from a backup set without corrupting the retrievability of files that might not have anything to do with a private record.

George: Yeah, that makes total sense. I think that method is just going to have to be required as we go forward. So I think that kind of wraps it up. Again, what we wanted to do was give people a real quick, concise overview of what’s going on, give you some resources. All of those are in the attachments and links section if you’re watching the webinar. If you’re listening to the podcast, it will be down below in the show notes when we push that up. So all those resources will be there for you.

The last thing I want to put up is the contact information. So on the graph on the left, you’ll see the Storage Switzerland information. On the right, all the Aparavi contact information. And, again, all of that will be…if you’re listening to the audio-only version, all of that will be in the show notes as well. Jon, thanks very much for joining us today.

Jon: Absolutely. Thanks for having us again, and we look forward to the next time we get the opportunity to chat.

George: Okay. Awesome. Well, I want to thank everybody for listening. If you’re listening on demand, again, you can use this contact information. If you’re listening to the audio podcast, there will be a comment section down below the show notes. And, of course, you can always tweet us @storageswiss. I’m George Crump, Lead Analyst for Storage Switzerland. Thank you for joining us today.