[Note: The author of this article is not a lawyer and this article should not be considered legal advice. Please consult a privacy specialist.]

The basic news

The GDPR covers all personal data your company stores on data subjects in the EU – whether or not your company has nexus in the EU. Personal data is defined as data that can be used to identify a person. It's similar to the concept of personally identifiable information (PII) that we have in the US, but it is broader. PII typically includes actual identifying elements like your name, social security number, and birthday, focusing mainly on the data required to fake your identity with a lender. Personal data includes what the US calls PII, plus any data that can be used to identify you in any way, which includes things as basic as an email address, an online persona (e.g. a Twitter handle), or even the IP address you transmitted a message from.

A data subject is the "person" to which the personal data applies. To be subject to the GDPR, the subject must be an EU citizen residing in the EU at the time the data was created. The location of the company or its headquarters is irrelevant.

There are several aspects of the GDPR, including the requirement that companies act responsibly in gathering and storing personal data, which means collecting only the data necessary to do the task at hand. For example, if you don't need to store the data subject's IP address, don't store it. You must also take privacy into account in all aspects of system design; the GDPR calls this Privacy by Design. Some companies will be required to appoint a data protection officer, or DPO. (In this context, data protection is more concerned with privacy than with backup and recovery.)

The two requirements that data protection (i.e. backup, recovery, and archive) people are likely to be concerned with are the requirement to supply a data subject, upon request, with all of their personal data, and the requirement to delete all of it if they ask you to. (You may keep some data if you can demonstrate a legitimate business need for it.) The concern here is that the GDPR covers all personal data your company has on a subject, including any data in the backup or archive systems. (More on that later.)

The good news

The general opinion about the GDPR seems to be that it was written with companies like Google and Facebook in mind – companies that store a lot of personal data on people who are not employees, partners, or customers. (Remember, unless you are advertising on Facebook, you are not its customer; you are the product. The same is true on Google unless you're advertising on Google or using G Suite; Gmail doesn't count.)

As of this writing, the news about the harvest and misuse of Facebook data by Cambridge Analytica is at the top of many news feeds. This is exactly what the GDPR was written for. People who want to #deletefacebook now have a regulation that says they can tell Facebook to delete all history of their existence on Facebook, and Facebook will have to comply. Not complying will cost them even more dearly than this fiasco has already cost them.

The other good news is the following. Although the EU has been preparing for the GDPR for the last several years, a lot of companies don't seem quite ready for it to go into effect in May. In addition, a lot of vendors aren't sure how they're going to help their customers comply with the GDPR. So, if you're not ready, you're probably not alone – especially if you live in the US. US companies seem to be only now waking up to the realization that they need to comply with the GDPR.

There are also provisions in the GDPR that give some hope. One provision talks about legitimate interests in personal data. So, if you can demonstrate a legitimate reason for holding a given set of data, it may be exempt from some of the GDPR requirements, like discovery and deletion. For example, a law enforcement organization certainly cannot be required to present data from an ongoing investigation that might compromise said investigation, and it cannot be required to delete all personal data on a subject just because he or she says so.

There is also a provision that talks about whether things are "technically possible." The courts may allow a defense that says, "based on the products and services we use, it is not technically possible to satisfy that request at this time."

The not-so-good news

The key word in the last sentence of the previous paragraph is may. There is no case law yet. No one has any idea yet how the courts are going to interpret this new regulation. What are they going to consider a legitimate reason for keeping data? Investigation records like those mentioned previously are an easy one. What about the purchase history of an existing customer? What about data related to those purchases? Do you really need to store the IP address a customer was using when they made a purchase? No one knows how the courts are going to rule on this yet.

For now, this can be interpreted as "semi-good" news – if you're not one of the types of companies that people believe are the big targets. There's a good chance the people at Google, Facebook, and the like are having many meetings about how to comply with these requirements from the beginning. So, this "not-so-good news" should not be taken to mean that you can sit on your haunches and wait for some case law before deciding what to do. If you haven't already done so, now is the time to start talking to your vendors about how you will comply with some of the more challenging aspects of this regulation.

There are a lot of companies advertising "GDPR compliant" products, or products that are "GDPR certified." At this point there is no such thing as being GDPR certified. And no product is going to make you GDPR compliant. Complying with the GDPR is as much about process and procedure as it is about the products you use. In fact, some would say even more so.

The scary news

One big question for data protection professionals is whether or not backups and archives are included when the regulation says you have to delete a given data subject's personal data. If they are included, what's going to happen when you tell a data subject that it's not technically possible to delete their data out of the middle of a backup tape somewhere?

Are the courts going to interpret that as non-compliant and stick you with the huge fine of 4% of your annual revenue or 20 million Euros (whichever is greater)? If so, very few companies will be compliant come May 25, because this requirement simply wasn't built into backup software design. Backups were meant to hold onto everything by design. Asking a backup system to selectively delete data is like asking the proverbial scorpion to ride on the back of the turtle without stinging it – it goes against its very nature.

If this is the first time you're reading about the GDPR, you've got some catching up to do. The good news is there is a lot of information available on the official GDPR website. Make sure you're familiar with everything there before you start reaching out to those who will try to sell you "GDPR compliant" products.