GDPR: What to do with conflicting legislation

'GDPR says to delete data after a certain period, while other regulations demand we keep data forever.' An IT leader explains his conundrum

Some IT leaders are facing a tricky question over what to do with their data once the EU's General Data Protection Regulation (GDPR) comes into force in May 2018.

However, there are some experts who advise that the regulation is already in force, and firms need to comply with its provisions immediately, or risk hefty fines.

The GDPR contains provisions which demand that personally identifiable data is deleted after a certain period, yet other regulations in some industries require that same data to be kept in perpetuity.

Speaking at a recent Computing event, Alun Jones, data scientist at Konecranes, said it's important to understand why you collect personally identifiable data, and be prepared to explain it to the authorities.

"But we have cranes that sit above nuclear reactors," added Jones. "The law says we must keep that data for life, so we end up with a conflict between 'legislation A' and 'legislation B', and that's still with our lawyers. If we had someone working on that crane, we need to keep records of him and his work for life, so which set of legislation do we obey?"

Some legal experts advise that this need to delete data also extends to information contained in email databases, which could create another headache for IT leaders.

Matt Cadieux, CIO at Red Bull Racing explained that he's in a more fortunate position, with very little personally identifiable data being held.

"GDPR is not an issue for us. We keep data forever, but it's car data, it's all technical. The employee data we hold is in a SQL database, and we've done an inventory on it and informed our lawyers," said Cadieux.

Matt Fordham, software defined storage leader for IBM UK & Ireland, said that it's important to have the right policies in place to ensure compliance.

"In storage you have to get your house in order, and maintain a policy-driven, secure to the right levels storage solution, whether that means adding to what you have, or replacing it. There are also technologies we can provide to sweep and see what data is held in your environment, then it's about putting the right policies in place," said Fordham.