Key Points for Keeping Your Mainframe GDPR-Compliant
The GDPR is coming soon. That could mean changes to how you manage data and workloads on your mainframe — even if you’re not in Europe.
What is the GDPR?
As most of us have learned by now, the General Data Protection Regulation, or GDPR, is a new European Union compliance framework that imposes a broad set of requirements on the way organizations store consumer data, among other types of information. It goes into effect on May 25, 2018.
The GDPR has been one of the hottest topics of discussion in the tech industry in recent months. That is not only because of the significant new data management challenges that it creates, but also because the law will impact organizations across the world, not just in the European Union.
Does the GDPR Affect my Mainframe?
Although it remains to be seen how aggressively the European Union will enforce the GDPR for companies that are not based inside its jurisdiction, the law requires compliance by any company that operates within, has users based in or stores data in the European Union.
That’s a long way of saying that, if you have a mainframe, the GDPR data management requirements may apply to it, even if the mainframe is not inside the European Union. If your company has any kind of presence in Europe, you may need to bring your mainframe data management practices up to speed with the GDPR, along with those of the rest of your infrastructure.
Keeping Your Mainframe GDPR-Compliant
What does that mean in practice? A full discussion of how the GDPR could impact mainframes, including those outside the European Union, is too long to fit into this article.
However, the following are key pointers to keep in mind to make your mainframe GDPR-compliant:
The GDPR requires that companies allow consumers to assert their “right to be forgotten”. That means that anyone whose personal data you store on your mainframe can ask to have that data deleted permanently, and you have to comply. Permanent data erasure means not only removing data from the mainframe, but also from backups. Does your current mainframe data management and backup strategy enable you to accomplish this task? If not, it may be time to rethink that strategy.
Under the GDPR, organizations that store data have to respect data sovereignty, which means controlling where data is stored and who can access it. This is a major challenge for enterprises, whose data storage systems were not traditionally designed with data sovereignty in mind. In one way, GDPR data sovereignty requirements could be good news for the mainframe industry, since data stored on a mainframe is usually easier to control than data that exists in the nebulous, sprawling public cloud. On the other hand, mainframe access control policies may need to be updated to adhere to the GDPR requirements. If your access control systems were designed years ago, it’s probably time to rethink them.
Timely data recovery
Under the GDPR, backing up data is not enough. Organizations must also be able to recover data in a timely fashion. The GDPR is somewhat ambiguous regarding how quickly data must be restorable from backups to production systems; it doesn’t set hard numbers. However, it does require organizations to put forth a good-faith, reasonable effort to ensure quick data restoration following a disaster.
In many industries, mainframes store data that is intimately linked to individual consumers, like bank and travel records. The GDPR does not prevent this type of data storage, but it requires that data be “pseudonymized.” In other words, personal information, such as email addresses and phone numbers, should not be directly linked to the real names of individual consumers. In many cases, meeting this requirement for mainframe data will require an overhaul of mainframe data structure and storage techniques.
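As an added illustration (not code from the original article or from Syncsort), one way to pseudonymize records so that contact details are no longer stored beside real names: a keyed token stands in for the customer in the working data, and the token-to-identity mapping lives in a separately guarded table. The customer records, field names and key below are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample customer records (not real data), in the shape of a simple
# master file: a stable customer ID plus the directly identifying fields.
CUSTOMERS = [
    {"cust_id": "000123", "name": "Anna Beispiel", "email": "anna@example.org", "phone": "+49 30 000000"},
    {"cust_id": "000124", "name": "Bo Example", "email": "bo@example.org", "phone": "+44 20 000000"},
    {"cust_id": "000123", "name": "Anna Beispiel", "email": "anna@example.org", "phone": "+49 30 000000"},
]

# Fields that identify the person directly; these leave the working set.
DIRECT_IDENTIFIERS = {"cust_id", "name"}


def pseudonym(key: bytes, cust_id: str) -> str:
    """Derive a stable token for a customer with a keyed HMAC.

    The same customer always maps to the same token, so records stay joinable,
    but without the key the token cannot be linked back to an identity. An
    unkeyed hash would not do: customer IDs are few enough to enumerate.
    """
    return hmac.new(key, cust_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Split records into a working set with no direct identifiers and a
    separately guarded re-identification table (token -> identity)."""
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["cust_id"])
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"token": token, **stripped})
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return working, lookup


def reidentify(lookup, token: str):
    """Only a party holding the re-identification table can recover the name."""
    return lookup[token]["name"] if token in lookup else None


def leaks_identifier(working) -> bool:
    """Sanity check before the working set is handed to analytics or a vendor."""
    return any(DIRECT_IDENTIFIERS & rec.keys() for rec in working)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-key-manager"
    working, lookup = pseudonymize(CUSTOMERS, key)
    print(working[0], "->", reidentify(lookup, working[0]["token"]))
```

The key and the lookup table must be stored and access-controlled separately from the working data, otherwise the split buys nothing.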
One of the more basic data security requirements that the GDPR imposes is that data be encrypted. If your organization is at all security-aware, you are probably encrypting data already. However, given that mainframes are in some cases treated as legacy systems, are not necessarily connected to the public Internet, and may not be held to the same security standards as other parts of the infrastructure, there’s a decent chance that mainframe data encryption is not a part of your routine. Under the GDPR, it needs to be.
If you want to learn more about GDPR compliance and how Syncsort can help, be sure to view the webcast recording of Michael Urbonas, Syncsort’s Director of Data Quality Product Marketing, on Data Quality-Driven GDPR: Compliance with Confidence.