In this article we look specifically at Backup and DR compliance with regard to the implementation of GDPR in May 2018. It does not address GDPR as a whole; if you want to know more, the entire regulation is here, and an overview is here.
On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into effect. With it come changes to data protection law that any organisation offering goods or services to, or monitoring the behaviour of, individuals in the EU and holding their personal data must comply with, wherever that organisation is based. GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy law across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organisations across the region approach data privacy. Even after Brexit this regulation will remain part of UK law: the UK was one of the main drivers for the regulation and has already confirmed that Brexit will not affect its implementation in the UK.
Non-compliance with GDPR can lead to fines of up to 4% of annual global turnover or €20 million, whichever is greater.
The two main areas for Backup and DR are “the right to be forgotten” (the right to erasure, Article 17) and “data availability” (part of security of processing, Article 32). What follows is our view of GDPR and its implications for Backup and DR; as an organisation you will still need to assess for yourself how and what you need to do to meet the regulation.
The right to be forgotten could be quite a headache when you consider how your data is backed up and the technologies used to do it. If a person asks for the data you hold on them to be deleted, and there is no compliance or legislative reason to keep it, you must comply with the request. Depending on how your backup solution works, ensuring the data is also deleted from backups can be a major problem: with tape or image-based backups, how do you identify which tapes or images hold the data, and how do you then delete just that one individual’s records from them? Doing nothing is not an option; you need to show that you have thought about this and put a procedure in place.

Some backup solutions can apply a time-based Data Retention Rule (a delete rule): once data has been deleted from your live environment, after ‘x’ days it is also deleted from your backups. This preserves the ability to restore data that was deleted by accident or maliciously, while ensuring that data which was intentionally deleted also leaves your backups. These Data Retention Rules can be a powerful compliance tool. If, as an organisation, you document and apply an appropriate Data Retention Rule as part of your “Right to be forgotten” procedure, the data will be deleted from your backups after ‘x’ days as well. In our view this can reasonably be seen as complying with the person’s request to be forgotten, and it is the common-sense approach to meeting the regulation while still protecting your data.

The caveat is that if, before the Data Retention Rule has taken effect, the data is recovered from backup because of data loss elsewhere or a DR event, the person’s data is back in your live environment and must be deleted again immediately; otherwise the backups taken after the restore will contain it again and the retention clock starts over.
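As an added illustration (this is example code written for this page, not FCS’s software or any backup product’s API), the following Python walks a single erasure request through a Data Retention Rule and the restore caveat described above. The 30-day window and the catalog of weekly backup images are constructed for the example; in practice the catalog would come from your backup software’s index of which records each image contains.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The 'x' of the article's Data Retention Rule. 30 days is an assumed value for this example.
RETENTION_DAYS = 30


@dataclass(frozen=True)
class Backup:
    name: str
    taken: date
    subjects: frozenset  # identifiers of the data subjects whose records the image contains


@dataclass(frozen=True)
class Erasure:
    subject: str
    deleted_live: date  # day the record was removed from the live environment


def purge_deadline(erasure, retention_days=RETENTION_DAYS):
    """Date by which the retention rule must have removed every backup copy of the subject."""
    return erasure.deleted_live + timedelta(days=retention_days)


def expire_backups(catalog, today, retention_days=RETENTION_DAYS):
    """Apply the retention rule: an image taken on day T is dropped once today >= T + x."""
    return [b for b in catalog if b.taken + timedelta(days=retention_days) > today]


def erasure_status(erasure, catalog, today, retention_days=RETENTION_DAYS):
    """Where does an erasure request stand against the backup catalog on a given day?"""
    holding = sorted(b.name for b in catalog if erasure.subject in b.subjects)
    # An image taken after the live deletion must not contain the subject; if one does,
    # the record came back (failed deletion, or a restore that was not cleaned up).
    leaked = sorted(b.name for b in catalog
                    if erasure.subject in b.subjects and b.taken > erasure.deleted_live)
    deadline = purge_deadline(erasure, retention_days)
    if leaked:
        state = "reintroduced"
    elif not holding:
        state = "complete"
    elif today >= deadline:
        state = "overdue"
    else:
        state = "pending"
    return {"subject": erasure.subject, "deadline": deadline, "state": state,
            "holding": holding, "leaked": leaked}


def redeletion_after_restore(backup, erasures):
    """The caveat: restoring an image that still holds erased subjects puts their
    records back into the live environment, so they must be deleted again immediately."""
    return sorted(e.subject for e in erasures if e.subject in backup.subjects)


# Constructed catalog: weekly images. S-1002 was deleted from live on 2018-04-10, so the
# images taken after that date no longer contain it.
CATALOG = [
    Backup("full-2018-04-01", date(2018, 4, 1), frozenset({"S-1001", "S-1002", "S-1003"})),
    Backup("incr-2018-04-08", date(2018, 4, 8), frozenset({"S-1001", "S-1002", "S-1003"})),
    Backup("incr-2018-04-15", date(2018, 4, 15), frozenset({"S-1001", "S-1003"})),
    Backup("incr-2018-04-22", date(2018, 4, 22), frozenset({"S-1001", "S-1003"})),
]
ERASURES = [Erasure("S-1002", date(2018, 4, 10))]


def run_scenario():
    """Walk the erasure of S-1002 through the retention rule and the restore caveat."""
    pending = erasure_status(ERASURES[0], CATALOG, date(2018, 4, 25))
    # On the deadline the rule has expired both images that held S-1002.
    kept = expire_backups(CATALOG, date(2018, 5, 10))
    complete = erasure_status(ERASURES[0], kept, date(2018, 5, 10))
    # Same day, but the rule was never applied: the request is overdue.
    overdue = erasure_status(ERASURES[0], CATALOG, date(2018, 5, 10))
    # A DR restore of the 8 April image on 28 April brings S-1002 back into live.
    redelete = redeletion_after_restore(CATALOG[1], ERASURES)
    # If that re-deletion is skipped, the next image carries S-1002 again.
    leaky = CATALOG + [Backup("incr-2018-04-29", date(2018, 4, 29),
                              frozenset({"S-1001", "S-1002", "S-1003"}))]
    reintroduced = erasure_status(ERASURES[0], leaky, date(2018, 4, 30))
    return {"pending": pending, "kept": [b.name for b in kept], "complete": complete,
            "overdue": overdue, "redelete": redelete, "reintroduced": reintroduced}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of the “reintroduced” state is the one the caveat makes: a retention rule only discharges the erasure request if nothing puts the record back, so a restore from an older image has to be followed by an immediate re-deletion, and the check has to look at images taken after the deletion date, not just the old ones.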
Security of Processing (Article 32) covers the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident, and the regular testing of those measures; pseudonymisation and encryption are named as appropriate measures, and approved certification mechanisms can be used to help demonstrate compliance. This includes securing the data wherever it may reside, backups included.
When it comes to Backup and DR you need to ensure that these are also compliant with the legislation, and part of Article 32 covers this. Which users have access to restore data? How is the data protected while it is being sent to your offsite backup and DR solution (and you need a DR solution regardless)? How is it stored and protected at rest? User access controls in the backup software and encryption of the backup data, both in transit and at rest, are a must. If you use a Service Provider for offsite Backup and DR, they are processing your data on your behalf, so under GDPR you need a written contract with them covering that processing (Article 28), and you need to satisfy yourself that they are compliant. They should at least be ISO 27001 certified, as many ISO 27001 controls line up with what GDPR expects around process, e.g. security, staff training, auditing and regular review of policies. If you are ISO 27001 certified but your DR provider is not, expect your own supplier-management controls to be called into question at your next audit. Before May 2018 you should assess your Backup and DR provider and ensure they meet the compliance criteria.
When considering specifically Article 32(1)(b) and (c), which in part cover data availability for restores and DR, do you meet your requirements? Do you at least follow the tried and tested 3-2-1 backup rule: three copies of your data, on two different media, with one copy offsite? You need to ensure that if a file, database or email is deleted for whatever reason you can recover it, and that your processing systems and services as a whole can be recovered in a timely manner, whether they are on site, cloud based or a hybrid of the two. For a basic example, do you use Dropbox, Microsoft SharePoint or similar? What happens if Dropbox becomes unavailable for a long period, or forever? The latter is unlikely, but do you have a separate backup and recovery method? Dropbox is just a small example; you need to be able to recover your “processing systems and services” in a timely fashion, whether that is a single file or database or the multiple servers and systems on which your business runs.
Lastly comes the regular testing, assessing and evaluating of the security of your processing systems and services, Article 32(1)(d). Do you do this already? For Backup and DR this means scheduled test restores of individual data and complete restores of whole systems, both on site and offsite, with the results recorded so you can demonstrate it. This is where a Service Provider may help: if you do not have the budget, time or staff to maintain your own offsite DR solution, leveraging a Cloud or Service Provider’s platform for it is sometimes the best option.
We specialise in Backup and Disaster Recovery, and our solutions are designed around your needs. At FCS we will listen to your requirements and offer a solution that meets them.