Data Backup Digest


Are Your Backups GDPR Compliant?

The General Data Protection Regulation (GDPR) is a European Union mandate that gives individuals greater control over how their data is stored and forces businesses to be more transparent and secure with that data. It came into effect in May 2018.

Data continues to be of growing importance to all businesses. It provides insight and intelligence, especially when more of it is collected. As this happens, the frequency of data breaches seems to increase in parallel. It makes sense that as businesses hold more personal data, they become greater targets for hackers. GDPR aims to enforce strong policies in order to reduce the possibility of personal data abuse.

GDPR unifies the regulatory framework across Europe. Rather than different rules for every country, businesses need to follow the same rules for the entire region. It also forces businesses to review their data processes – for many this will be beneficial, because they can assess whether the data they are keeping is actually worth keeping. Finally, GDPR requires businesses to adhere to a minimum level of data security, through methods like encryption and anonymisation.

This applies to any business that offers goods or services to EU residents, or stores data about them. That means it isn’t only for enterprises with a physical presence in Europe. Those that don’t comply will face a fine of up to 4% of their global annual turnover or €20 million, whichever is the higher amount – and it’s not an empty threat either, since Google have already been slapped with a major fine.

The legislation allows customers to request access to all the data you hold on them, along with granting them a ‘right to be forgotten’. This means that you must delete all their personal data if requested. This covers not only the data you hold on production servers, but the copies in your backups too. If you hold your backups in cold storage, that could be a problem.

It has been ruled that companies don’t have to delete from production and backup at the same time, simply because of the logistical challenges, but the data does still have to be removed within a reasonable timeframe.

Quantum, a rich media workflow company, recommends that you remove personal data from production within the first month of the request, and then tackle the backups within the second month. They say that you should let the customer know their personal data has been removed from production systems, and that any offline backups are encrypted and will expire after a set amount of time. The transparency is important, as is the follow-through.

Make sure that you protect your backups with the same security that you would your production systems. Tape continues to be a strong choice here because, being offline, it is out of reach of network-borne malware, and it is still compliant with GDPR provided you have the right physical protection in place.

Remember to be sensible with your encryption here – don’t blindly encrypt everything just to be GDPR compliant. Data that has already been encrypted can’t be deduplicated, so you’ll end up wasting masses of storage space. It’s best to encrypt at the backup level, after deduplication, not at the source.
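To make the deduplication point concrete, here is an added example (not code from the original article): it builds a content-addressed chunk store, then compares the space saving when several hosts encrypt their files before sending them against encrypting the deduplicated store at the backup target. The sample data is constructed, and the keystream cipher is an illustrative stand-in for a real cipher, used only to show the effect on deduplication.

```python
import hashlib
import os

CHUNK = 4096  # fixed-size chunking keeps the demo simple


def chunks(data: bytes, size: int = CHUNK) -> list:
    """Split data into fixed-size pieces."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def dedup_store(blobs: list) -> tuple:
    """Content-addressed store keyed by chunk hash: returns (raw_bytes_seen, {hash: chunk})."""
    store = {}
    raw = 0
    for blob in blobs:
        for c in chunks(blob):
            raw += len(c)
            store.setdefault(hashlib.sha256(c).digest(), c)
    return raw, store


def toy_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Length-preserving toy stream cipher (SHA-256 in counter mode).
    Illustrative stand-in for a real cipher such as AES-CTR; not for real data."""
    out = bytearray()
    for i, block in enumerate(chunks(data, 32)):
        ks = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(block, ks))
    return bytes(out)


def sample_hosts(hosts: int = 5, size: int = CHUNK * 16) -> list:
    """Constructed data: one file common to every host plus one unique file per host."""
    shared = os.urandom(size)
    return [shared] * hosts + [os.urandom(size) for _ in range(hosts)]


def ratio_encrypt_at_source(blobs: list) -> float:
    """Each host encrypts with a fresh nonce before sending, so identical files no longer match."""
    key = os.urandom(32)
    raw, store = dedup_store([toy_encrypt(b, key, os.urandom(16)) for b in blobs])
    return raw / sum(len(c) for c in store.values())


def ratio_encrypt_at_backup(blobs: list) -> float:
    """Deduplicate plaintext chunks first, then encrypt only the unique chunks at rest."""
    raw, store = dedup_store(blobs)
    key, nonce = os.urandom(32), os.urandom(16)
    at_rest = [toy_encrypt(c, key, nonce) for c in store.values()]
    return raw / sum(len(c) for c in at_rest)
```

With five hosts sharing one file, encrypting at the backup level keeps a dedup ratio of 10:6 while encrypting at source drops it to 1:1, i.e. no saving at all.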
