What are Data Protection Principles?
Data Protection Principles practice safeguarding data from loss, corruption, or compromise. It involves ensuring the privacy and safeguarding of data from compromise. Data protection includes data integrity, data privacy, protection from errors and corruption, and guidance on the use of data by businesses.
The concept of data protection applies to personal, business, public entities, and political and international data. It is becoming more critical as the volume of data collected and stored digitally on online platforms rises.
Why Data Protection?
- Protect personal data from being misused, mishandled, or exploited
- Ensure that the fundamental rights and freedoms of providers of data are being upheld
- Ensure fair and friendly practices in commercial activities between consumers and businesses
- Placing responsibilities with organisations on handling personal data
- Provide greater control and understanding to individuals over how their data is collected and used
Data Protection Principles
Data protection principles fall under the General Data Protection Regulation (GDPR), an EU data protection and privacy regulation. The GDPR’s main aim is to give people control of their data and simplify the regulatory environment for international business.
The GDPR’s seven principles deal with the lawful processing of personal data. Data processing encompasses the following processes: data collection, organising, storage, structuring, altering, consulting, usage, erasure, destruction, communicating, or restricting.
GDPR Protection Principles
1. Lawful, Fairness, and Transparency
The processing of data by organisations should be lawful, fair, and transparent. Organisations should ensure that their data processing activities do not break the law. The lawfulness part entails being knowledgeable of GDPR data collection rules.
2. Purpose Limitation
Data should be collected for a specific, explicit, and legitimate purpose. The collection purpose should be clearly articulated, and no additional processing should be done that is incompatible with that purpose.
However, data processing for archiving purposes in the public interest or for scientific, historical, or statistical purposes is not deemed incompatible with initial purposes and hence is given more freedom.
3. Data Minimization
The processing of personal data must be adequate to what is necessary concerning the purpose of the collection. It ensures that in the event of a data breach, cyber-criminals will be able to access a limited amount of data. Data minimisation also enables keeping accurate and up-to-date data.
The processing of personal data should only be conducted if the purpose cannot be achieved by other means. Therefore, data minimisation entails ensuring that the period for storing personal data is limited to a bare minimum.
Organisations must ensure that personal data is accurate and reasonable steps must be taken to erase inaccurate and incomplete personal data. Data that is not updated can be inaccurate, and data is as accurate as the purpose for which it is being processed.
Therefore, inaccurate data should be erased or rectified within the shortest possible time. Furthermore, at the point of collection, the data, the source, and when it was collected should form part of the data record.
5. Storage Limitation
Personal data should only be kept in the system for as long as necessary and should be deleted after it serves the purpose for which it was collected. Hence, it is essential to regularly review collected data to see if it is still required for its initial purpose.
In addition, organisations should adopt a policy for retiring personal data, i.e., for a definite time. However, the time limit for storing personal data should depend on the reason it was collected and the type of industry in which an organisation belongs.
6. Integrity and Confidentiality
Integrity and confidentiality deal with data security. It states that data should be processed to ensure its security, including protection against unlawful or unauthorised access, accidental loss, and destruction or damage. Suitable technical or organisational measures should be taken to ensure data security.
The GDPR does not recommend any specific technical or organisational measures but leaves it to the organisations in light of the ever-changing technological and corporate best practices. Some standard techniques would be to encrypt personal data to ensure its security.
Organisations must demonstrate compliance with the GDPR principles and show accountability in handling personal data protection. Hence, they must indicate responsibility in processing personal data. In addition, if organisations are not clear on how to comply with the GDPR principles, they should take appropriate training courses or consult a legal practitioner.
Data Protection Principles & Strategies
Organisations use a variety of strategies to ensure the protection and security of organisational data. Below are various ways data can be lost or stolen and the strategy deployed to address such challenges/failures.
1. Failure of Storage Systems
Media that store data can fail or become corrupted, leading to data loss. The strategy here is to ensure that data is available even in media failure.
Synchronous Mirroring: One strategy to counter data loss is to use synchronous mirroring, where data is stored on both on-site storage and a remote site simultaneously. Mirroring ensures the two sites are identical.
RAID Protection: RAID (Redundant Array of Inexpensive Disks or Redundant Array of Independent Disks) is a good alternative as it requires less overhead capacity. Physical drives are combined into a logical unit that will work as a singular drive to the operating system. RAID works because data is stored in different areas on multiple disks. Performance and protection increase as the input/output operations overlap in a well-adjusted way.
Erasure Coding: The erasure coding technology is used in scale-out storage environments. It uses parity-based data protection systems, which write both data and parity across a cluster of storage nodes. All the nodes in a cluster help each other in replacing a failed node.
Replication: Replication is another strategy for scale-out storage in which data is mirrored to multiple nodes. It is simpler to erasure coding but consumes at least twice the protected data capacity.
2. Data Corruption
Snapshots: Snapshots can be used to restore accidentally deleted or corrupted data. Snapshots can be used with various storage systems such as SQL Server and Oracle. They capture a clean data copy while the snapshot is running, enabling recurrent snapshots that can be stored longer. Therefore, when data is corrupted or deleted accidentally, a snapshot can be loaded, and the data is copied back and replaced. Snapshots ensure minimal data loss and instant recovery.
3. Failure of Storage System
Snapshot Replication: Snapshot replication, where replication technology is built on top of snapshots, prevents the failure of multiple drives in data centres. Snapshot technology copies data structures altered from the primary storage system to an off-premises secondary storage system. It is also used to replicate data available for recovery if the primary storage system fails.
4. Data Center Failure
Snapshot Replication: Data is replicated to a secondary site in snapshot replication. The only drawback is the exorbitant cost of maintaining a secondary storage site. However, the loss of a data centre usually requires a disaster recovery plan to deal with its timely functional restoration.
Cloud Services: Cloud services entail using replication together with cloud backup services. It enables speedy recovery in the event of the breakdown of data centres by storing the most recent data copies pertinent in case of disaster.
Trends in Data Protection
Ransomware holds personal data hostage from consumers and forces them to pay a ransom to get it back. Over time, ransomware has become more sophisticated and advanced. It can infiltrate the system over some time such that when a backup is done, the backup will contain the ransomware as well.
IT experts are constantly working on countering ransomware. The inability to deal with malware means organisations will not be able to roll back clean backup data, leaving data unprotected. It is crucial to ensure backup data is protected.
Hyper-Convergence Infrastructure (HCI)
Hyper-Convergence Infrastructure (HCI) is a unified system that combines traditional data centre elements with storage, computing, networking, and management. Data protection capabilities integrated into hyper-converged infrastructure slowly replace data centre equipment, decrease data centre complexity, and increase scalability.
Vendors offer backup and recovery equipment that supports both hyper-converged and non-hyper-converged environments. You can build a private cloud with HCI, extend it to a public cloud, or achieve a true hybrid cloud.
Copy Data Management (CDM)
The Copy Data Management (CDM) technology cuts down on the number of copies of data that need to be saved, which reduces the overhead for storage and data management. CDM also simplifies data protection, increases productivity, and lowers administrative costs.
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning are being adopted to detect potential attacks before they materialise. They can play a significant role in data protection measures.
Internet of Things (IoT)
Extra data protection measures are needed due to the interconnectedness of devices, as attackers can find it easy to penetrate the system. Protection of data in inter-connected devices is crucial to ensure users’ privacy.
COVID has only accelerated the digital mindset. But the digital world brings its own set of issues and problems, data protection being one of them. Balancing risks and rewards is the need of the day.