IBM Spectrum Scale functionality to support GDPR requirements
European Union (EU) General Data Protection Regulation (GDPR) compliance concerns personal data and its protection (Article 4, Section 1) by any organization that conducts business involving the personal data of data subjects in or from the 28 EU member states. GDPR requirements span compliance, data protection, and personal data, and cover governance, accounting, privacy, data breach procedures, cross-border data flow, and other responsibilities distributed across stakeholders within the organization.
More importantly, compliance requirements start with defined processing activities on personal data, which in turn trigger GDPR duties such as obtaining consent and restricting data to its permitted use. Organizations cannot achieve compliance just by using specific products or solutions; rather, they face the usual compliance challenge of organizational change across people, policy, and processes.
From an IT point of view, the overall GDPR compliance requirements cover the entire solution stack, including applications, middleware, platforms, and infrastructure, especially where any of these directly or indirectly handle personal data. Therefore, there is not going to be a “one size fits all” GDPR solution for businesses. The role of IT solutions is to enforce the correct handling of personal data according to the processes the organization has identified. Each element of the solution stack needs to address the objectives that are appropriate to the data it handles.
Typically, personal data resides either in the form of structured data (such as databases) or unstructured data (such as files, text, documents, and so on). This paper specifically deals with unstructured data and the storage systems that host it. For the overall approach, the IBM Pathways for GDPR readiness white paper is a good starting point for businesses preparing to implement GDPR.
For unstructured data storage in particular, some key attributes enable the overall solution to support compliance with GDPR. Because personal data subject to GDPR is commonly stored in an unstructured data format, a scale-out file system like IBM® Spectrum Scale provides essential functions to support GDPR requirements. The following sections highlight some of the key compliance requirements and explain how IBM Spectrum™ Scale helps to address these concerns:
General Compliance Requirement: GDPR applies across all relevant unstructured data in an organization. IBM Spectrum Scale™ offers a single global namespace that can store, manage, and help protect unstructured data. This approach helps avoid the creation of independent data islands and consolidates management and compliance activities in one system with a single point of control, reporting, and auditing.
GDPR Requirement Article 32 (Secure personal data): Securing the personal data of EU residents is one of the key requirements of GDPR. One way to accomplish this is data encryption, which covers both data at rest and data in flight. Furthermore, GDPR Article 17 (Right to erasure) requires businesses to address the right to erasure of data that is categorized as personal.
IBM Spectrum Scale provides support for file and object encryption at rest and in transit over the supported access protocols. Data-at-rest encryption is managed by using encryption keys and encryption policies, and irreversible deletion is provided through “crypto-shredding,” the destruction of the key required to decrypt the data. The IBM Spectrum Scale encryption software modules that secure data at rest are certified according to the Federal Information Processing Standard (FIPS) 140 Publication Series.
GDPR Requirement Article 15 (Right of Access): This article states the need to control and audit access to data categorized as personal data through mechanisms such as secure authentication, authorization, and audit logging. Controlling data access starts with a proper authentication function that ensures the identity of the user. Authorization of access to data ensures that the authenticated user has rights to access the data. Auditing monitors data access operations and stores these audit trails in a protected fashion.
IBM Spectrum Scale supports authentication with industry-standard directory servers and provides a rich set of ACLs across all its access interfaces to control authorization. These authorization capabilities also help meet certain requirements of Article 25 (Data protection by design and by default); applications and users can use them to ensure that personal data is restricted according to the required norms. IBM Spectrum Scale 5.0, introduced in November 2017, adds an auditing capability that monitors file access to a defined set of data. The resulting audit logs are stored in an immutable fileset.
Other GDPR Requirements: GDPR clearly distinguishes data that is to be categorized as personal data and sets out rules that need to be followed to meet compliance. Hence, the unified file and object storage should be able to manage data according to its categorization to support the compliance needs of the organization. Category-aware storage policies provide key capabilities in support of GDPR compliance, including the following:
 – Encrypt selected categories of data
 – Irreversible delete of selected categories of data
 – Efficiently delete selected data sets based on rules or policies
 – Place/Move selected data to specific types of underlying storage
 – Mark selected data sets (including audit logs) as immutable
 – Retain selected data for a specific period in a non-writable and non-erasable manner, and discard selected data by policy when the retention period expires
 – Ensure high availability of access to the data
IBM Spectrum Scale has comprehensive information lifecycle management (ILM) policies to manage the lifecycle of sets of data. Different data sets can be assigned separate rules and policies, allowing separate handling of personal and non-personal data. These capabilities include file encryption and secure deletion, transparent movement of files to different storage devices including tape and cloud object storage, backup of files, monitoring and logging of file operations, and retaining files in an immutable manner over a specified retention period. Hence, IBM Spectrum Scale can store all kinds of unstructured data, enforce the most appropriate storage management policies for each category, and ensure high availability of access to the data in support of GDPR compliance.
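The crypto-shredding and per-category erasure described above, as an added illustration that is not IBM's or Spectrum Scale's code: a toy key server holds one AES-256 key per data category, each file is sealed under its category key with AES-GCM and carries only the key ID, and deleting that key makes every file in the category unreadable while files in other categories stay intact. The KeyServer type, its methods, and the key IDs are constructed for this example and are not Spectrum Scale APIs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer stands in for the external key manager: one key per data category.
type KeyServer struct{ keys map[string][]byte }

// NewKey registers a fresh random AES-256 key under keyID.
func (ks *KeyServer) NewKey(keyID string) {
	ks.keys[keyID] = make([]byte, 32)
	rand.Read(ks.keys[keyID]) // crypto/rand never returns short; aborts on failure
}

// Shred destroys the key: files sealed under keyID stay on disk but become unreadable.
func (ks *KeyServer) Shred(keyID string) { delete(ks.keys, keyID) }

func (ks *KeyServer) aead(keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok {
		return nil, errors.New("key " + keyID + " unavailable (shredded?)")
	}
	block, _ := aes.NewCipher(k) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// Encrypt returns nonce||ciphertext of plain under key keyID; only keyID is stored with it.
func (ks *KeyServer) Encrypt(keyID string, plain []byte) ([]byte, error) {
	g, err := ks.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt reverses Encrypt; it fails once the key has been shredded.
func (ks *KeyServer) Decrypt(keyID string, ct []byte) ([]byte, error) {
	g, err := ks.aead(keyID)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
```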
Other resources for more information
The following resources are available for additional information:
IBM GDPR readiness journey and GDPR capabilities and offerings
How IBM Storage supports GDPR
The IBM Pathways for GDPR readiness white paper
IBM Spectrum Scale Security, REDP-5426
Understand the GDPR FAQ on the European Union official site
Impact of General Data Protection Regulation GDPR on systems & storage white paper
IBM Spectrum Scale
IBM Spectrum Scale at IBM Knowledge Center
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Authors
This guide was produced by a team of specialists from around the world working with the International Technical Support Organization (ITSO).
Sandeep R. Patil is a Senior Technical Staff Member who works as a Storage Architect with IBM System Labs. He has over 15 years of product architecture and design experience. Sandeep is an IBM Master Inventor, an IBM developerWorks® Master Author, and a member of the IBM Academy of Technology. Sandeep holds a Bachelor of Engineering (Computer Science) degree from the University of Pune, India.
Clodoaldo Barrera is a Distinguished Engineer and the Chief Technical Strategist for IBM Systems Storage in San Jose California. His responsibilities include development strategy for IBM Flash disk and tape subsystems, SAN, NAS, Object Storage, and software for software-defined storage and storage cloud solutions. Mr. Barrera holds a BS in Mathematics and an MS in Electrical Engineering from Stanford University, and is a Senior Member of the IEEE Computer Society.
Carl Zetie is the offering manager for Spectrum Scale. He is an IT veteran whose roles have included development, pre- and post sales technical support, marketing, and strategy. After spending most of his career working with enterprise software development and release tools, he moved into storage software where he now makes his home.
Felipe Knop is a Senior Technical Staff Member working in software development with the IBM Spectrum Scale team, where he is the File System scrum core architect and also focuses on cluster management and file encryption. In addition, he was the security architect and the technical release lead. He has significant experience in the architecture and development of complex distributed subsystems in IBM Spectrum Scale and previously in Reliable Scalable Cluster Technology (RSCT). He holds a Ph.D. degree in computer science from Purdue University.
Nils Haustein is a Senior Technical Staff Member at IBM Systems group responsible for design and implementation of backup, archiving, file, and object storage solutions in EMEA. He co-authored the book Storage Networks explained. As a leading IBM Master Inventor, he has created more than 160 patents for IBM and is a respected mentor for the technical community worldwide.
Thanks to the following people for their contributions to this project:
Larry Coyne
International Technical Support Organization, Tucson Center
Now you can become a published author, too!
Here’s an opportunity to spotlight your skills, grow your career, and become a published author—all at the same time! Join an ITSO residency project and help write a book in your area of expertise, while honing your experience using leading-edge technologies. Your efforts will help to increase product acceptance and customer satisfaction, as you expand your network of technical contacts and relationships. Residencies run from two to six weeks in length, and you can participate either in person or as a remote resident working from your home base.
Find out more about the residency program, browse the residency index, and apply online at: