It’s been over a year since the General Data Protection Regulation (GDPR) came into force. Businesses had two years between its adoption in 2016 and its application in May 2018 to prepare for a law that gives people in the European Union (EU) greater control over how their personal data is used and stored.
Despite that, over 100 fines have been dished out, including a huge €50 million (around $57 million) fine imposed on the search giant Google by the French regulator. If anyone thought that the EU was going to play nice, they soon found otherwise.
In the time since its launch, businesses have learnt some lessons in how they should be handling their backup strategy in the face of GDPR rules. While many have got it figured out for their production data, it’s a different kettle of fish when it comes to ensuring compliance for backup.
A component of GDPR is a company’s ability to respond to someone’s data subject request within a reasonable amount of time. GDPR Article 12(3) sets that at one month from receipt, extendable by a further two months where requests are complex or numerous, and the National Commission on Informatics and Liberty (CNIL), the French supervisory authority, works to that one-month baseline.
Does that seem like ample time to receive the request, process it, and deliver the result? How about if your company was under a cyberattack at the time of the request? You might be struggling to continue with normal operations, let alone handle user requests like these.
Ransomware attacks on local and state governments are increasing. The city of Baltimore found recently that it took weeks for them to get back up to speed after a ransomware attack. For them, a month would not have seemed long enough to comply with GDPR.
Your backups will inevitably capture personal data, so your backup system needs the ability to locate and pull individual records from them easily and quickly when a request arrives. Of course, it also has to deal with the security and privacy obligations that come with holding copies of systems that process personal data: the backup store is as much in scope as the production database.
As part of GDPR, anyone in the EU has the right to erasure (Article 17, often called the “right to be forgotten”): they can ask a company to remove the personal data it holds about them. You might be able to do that in your live data. But can you do it in your backups too?
The Data Inspectorate, the Danish authority, says that deleting the user’s data from backups is mandatory as long as it’s technically possible. CNIL, on the other hand, says this isn’t necessary, though it notes that organisations will need to clearly explain to the user that, although their personal data has been removed from production systems, it could still remain in backups. This needs to be communicated in layman’s terms, and a retention time (i.e. the date by which the backup copies holding that data will expire) needs to be given.
Another issue arises when user data has been deleted from production, but the company later restores from a backup that still includes that data. The Data Inspectorate says that businesses need to hold a non-identifiable index of deletion requests and tie it to the backup’s retention time. This ensures that, even if an older backup containing recently removed data is restored, a re-deletion process can take place before the restored data goes back into service.
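The following is an added example, not code from the article or from either regulator, of what such a deletion index might look like in practice. It assumes a backup retention period, a secret key held outside the backup set, and records keyed by e-mail address; all names, the sample records and the dates are constructed for illustration. The index stores only an HMAC of each subject’s identifier, so the index itself is not personal data (a bare hash of an e-mail address would be trivially brute-forced, hence the keyed HMAC), and an entry is pruned once every backup taken before the request has aged out of retention. After a restore, the index is re-applied to the restored records before they are put back into service.

```python
"""Erasure index re-applied after a backup restore (added example, not from the article)."""
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption: a secret key kept outside the backup set, so that the index alone
# cannot be reversed to a list of data subjects.
LEDGER_KEY = b"replace-with-a-key-from-your-secret-store"


def subject_token(identifier: str, key: bytes = LEDGER_KEY) -> str:
    """Non-identifiable token for a data subject: HMAC-SHA256 over the normalised identifier."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class ErasureLedger:
    """Index of honoured erasure requests: token -> time the request was honoured."""

    def __init__(self, retention: timedelta):
        self.retention = retention  # longest any backup can survive
        self.entries = {}           # token -> datetime (no personal data stored here)

    def record(self, identifier: str, honoured_at: datetime) -> str:
        token = subject_token(identifier)
        self.entries[token] = honoured_at
        return token

    def prune(self, now: datetime) -> int:
        """Drop entries once every backup taken before the request has expired.

        The newest backup that can still contain the subject was taken just before
        the request, so the entry is needed until honoured_at + retention.
        """
        expired = [t for t, at in self.entries.items() if at + self.retention < now]
        for t in expired:
            del self.entries[t]
        return len(expired)

    def is_erased(self, identifier: str) -> bool:
        return subject_token(identifier) in self.entries


def reapply_erasures(restored_records, ledger, now, id_field="email"):
    """Split records from a restored backup into those to keep and those to re-delete."""
    ledger.prune(now)
    kept, dropped = [], []
    for rec in restored_records:
        (dropped if ledger.is_erased(rec[id_field]) else kept).append(rec)
    return kept, dropped


# --- Constructed sample data, not taken from any real system ---
UTC = timezone.utc
SAMPLE_BACKUP = [  # contents of a backup taken 2019-06-01, before the June requests below
    {"email": "alice@example.com", "name": "Alice"},
    {"email": "carol@example.com", "name": "Carol"},
    {"email": "Dave@Example.com", "name": "Dave"},  # mixed case: normalisation must catch it
]


def demo():
    ledger = ErasureLedger(retention=timedelta(days=90))
    ledger.record("alice@example.com", datetime(2019, 6, 10, tzinfo=UTC))  # still live on 1 July
    ledger.record("dave@example.com", datetime(2019, 6, 20, tzinfo=UTC))   # still live on 1 July
    ledger.record("bob@example.com", datetime(2019, 1, 5, tzinfo=UTC))     # older than retention: pruned
    now = datetime(2019, 7, 1, tzinfo=UTC)
    kept, dropped = reapply_erasures(SAMPLE_BACKUP, ledger, now)
    return [r["name"] for r in kept], [r["name"] for r in dropped], len(ledger.entries)


if __name__ == "__main__":
    print(demo())  # (['Carol'], ['Alice', 'Dave'], 2)
```

Two design points worth noting: the ledger must be backed up separately from the data it indexes (a ledger that is restored from the same old backup would not know about requests made after that backup was taken), and the retention period used for pruning has to be the longest retention of any backup tier, including off-site and archive copies.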
At the end of the day, you need to ensure that your business is fully GDPR compliant. If you don’t, you could face huge fines. The cost of protecting yourself now is going to be far smaller than the financial and reputation cost of not doing so.
How Has GDPR Impacted Backup in the Last Year?