
A SHORT GUIDE FOR ACADEMIC INSTITUTIONS

White PaperNETWORK ATTACHED STORAGE – GDPR COMPLIANCE

GDPR compliance and virtual learning benefits for academic institutions


White Paper Network attached storage – GDPR compliance

The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. GDPR is a hot topic, and much of the media focus and headlines have been on the sanctions for organisations that don’t comply, such as fines of up to €20 million.

But as Elizabeth Denham, Information Commissioner, says: “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”

Under GDPR, academic institutions are known as ‘data controllers’ and as such they have responsibilities and obligations to ensure the information held on individuals is handled correctly and is secure.

The more work academic institutions do to become as compliant as possible and to maintain ongoing compliance, the less likely it is that a breach will occur.

Within this context, in the event of a data breach, the Information Commissioner’s Office is likely to look more favourably on an education establishment that has taken its obligations under GDPR seriously and done all it could reasonably have been expected to do to protect the personal data of individuals.

Safeguarding children

Arguably the most significant aspect of GDPR for academic institutions is the processing of children’s personal data. Within the provisions of GDPR children are identified as ‘vulnerable individuals’ and in need of ‘specific protection.’

Most faculties will understand how this impacts them and that GDPR is not being introduced as another administrative burden, but rather to protect children (and staff) from having their data disclosed to people and organisations that have no right to access that information.

What do academic institutions have to do?

Given that the GDPR deadline is close, key decision-makers in academic institutions will be conscious of the data policies and procedures that may need to be updated, as well as the need to strengthen IT security.

If an institution is already complying with the Data Protection Act (DPA), then chances are it already has some strict policies in place. Whilst a number of the GDPR’s main principles are similar to those in the DPA, there are inevitably new elements and significant enhancements, meaning academic institutions may have to do some things differently.

One of the most important areas academic institutions will have to consider is data storage and the process of backing up and restoring data.


Backing up data and GDPR

Data backup and data restore are essential under GDPR. The regulation states specifically that organisations must have:

The ability to restore the availability and access to personal data promptly in the event of a physical or technical incident

A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the [data] processing

In short, academic institutions need the ability to recover lost personal data that they hold in a timely manner; that is, they must have the necessary backup and disaster recovery strategies in place.

Regular data backups are essential

How often data is backed up is an important question to ask. If backups are not already automated, academic institutions will have to consider increasing the frequency of backups. GDPR requires that data be available at all times, so backed-up data needs to reflect the live data.

Further, if an academic institution shares personal information with third parties, it needs to be satisfied that those third parties have also taken the steps necessary to be GDPR compliant.

Viruses and ransomware

With the rise in malware and viruses, including ransomware, the need to ensure that data is safely backed up is equally pressing. If an academic institution is infected with ransomware, it affects all onsite systems and typically requires the institution to rebuild its network from scratch using uninfected data from a storage backup.

This is why important information should be protected with a recovery plan, in which data is copied over to a protected system that can be accessed when those files are needed.

Wider issues concerning data backup

The amount of data on an academic institution’s network is always growing, with more important data stored than ever before. The loss of data, even for a short time, can have a significant impact on the teaching and learning in an academic institution.

It is therefore essential, even from this perspective, that data is always backed up and that there is a plan for recovering from a system failure.

Data backup options – the cloud

Some institutions are considering backing up their data in the cloud. Given the increasing prevalence of cloud-based technologies and the large marketing investments to promote these services, this is understandable. However, for academic institutions considering this option, several points need to be kept in mind:

Cloud services are typically costed on an annual basis. However, costs can climb each year, and there is a danger that academic institutions get locked into contracts that become incrementally expensive. It’s entirely feasible that costs could double over the course of a contract.

What happens when data storage limits are exceeded? Most cloud contracts are based on specific data quantities. Given that data on most academic institutions’ networks increases annually, what extra costs are incurred when storage limits are exceeded?

Where is the data stored? It’s important to note that while many cloud services have local branding, the cloud storage is provided by US companies such as Microsoft and Amazon. This could mean the data is stored in the US. The US government can legally access EU and UK data that is kept in data centres in the US. To work around this many of the large cloud providers are building data centres in Europe. However, US lawmakers are manoeuvring to put legal requirements in place to access this data too if the company is US-registered, such as Microsoft or Amazon. These companies have a duty to comply with GDPR, but US legal aims conflict with this requirement.

In late 2017, the US Federal Communications Commission voted to end the 2015 Open Internet Order, which protected net neutrality in the US. Net neutrality is a set of principles and rules that say internet service providers (ISPs) must treat all data fairly without blocking or ‘throttling’ certain data streams. If a cloud data storage service is based in the US, it is possible that at some point the service is slowed down as ISPs give preference to their own services.

Data backup options – on-premise network attached storage

On-premise network attached storage (NAS) is the simplest, most reliable and cost-effective option for academic institutions to comply with GDPR. Because it is based on-premise, the potential service delivery, cost and legal issues that complicate cloud-based storage are not relevant.

Buffalo NAS TeraStation storage is widely recognised as the most secure on the market. Its many features automatically ensure GDPR compliance across a range of data access, back-up and restore processes:

Backup and restore – back-ups are automated, carried out on a daily basis. In the event of data loss, data can be quickly retrieved and importantly it is always the most up-to-date version

Centralised storage so data is not dispersed on different computers. This allows storage and retrieval of data from a centralised location for authorised network users. It’s like having a private cloud in the faculty.

When data is accessed from the NAS, for instance by a mobile device or desktop computer, it is protected to ensure its security. This means it cannot be read by third parties or hackers as it travels across networks.

Data cannot be accessed or destroyed by hackers. The operating system is locked down which means security vulnerabilities can’t be created which might be exploited by hackers.

Cannot be infected with viruses or ransomware because it is a closed system.

An antivirus option, updated frequently with the latest virus signatures and designed to detect zero-day threats, keeps all files free of malware. This protects data that travels between the computers, tablets and smartphones from malware. Also includes a firewall.

Includes AES hardware encryption to protect data on the drives should somebody remove the drives without authorisation.

Physically protected from theft and/or loss with a Kensington lock and hard drives that can only be accessed with a key.


www.buffalo-technology.com


Benefits beyond GDPR

Virtual learning

Virtual learning is becoming increasingly important for academic institutions, enabling both students and staff to access and work on course materials from locations beyond the institution, such as home.

Having a NAS device supports this and enables academic institutions to create and host a virtual learning environment for online classes and distance teaching and learning, whilst also enabling information exchange between students and staff by providing a secure shared platform that can be accessed from any location.

Buffalo supports your academic institution

Buffalo provides first-class service to all its educational customers, including first-class support for GDPR compliance:

Risk evaluation such as exploring potential for accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data

Risk mitigation measures appropriate to risk evaluation

Dovetailing all actions to meet GDPR compliance needs

Security is built into Buffalo TeraStation™

Buffalo NAS TeraStation™ models are the most secure on the market:

Third party applications cannot be installed without approval and permission from Buffalo’s engineering team

Local set up and management of the TeraStation with passwords strengthens the level of security and protection of data

Data is encrypted to ensure there is no unauthorised disclosure or access

Tomita-San, Marketing and Business Plan Director, Buffalo Europe, says: “Customers always come first at Buffalo. We provide them with high quality products together with advice and invaluable security features that meet their GDPR compliance requirements.”