Stuart Gentle Publisher at Onrec

Cloud Backup Strategies for GDPR-Conscious Organizations

Data protection is no longer just an IT concern; it is a business imperative. Any business that operates within the European Union, or handles the personal data of EU citizens, must adhere to the stringent requirements of the General Data Protection Regulation with regard to data integrity and data privacy. While many companies have focused on securing live ("production") data, backups often remain on the back burner, creating blind spots even for companies with the best of intentions. A cloud backup solution must not only restore data; it must also help you meet the requirements of the GDPR.

Understanding GDPR and Backups

The three key principles of the GDPR - integrity, confidentiality, and accountability - are just as relevant to backups as they are to live data. The GDPR's specific expectation for backups is set out in Article 32, which requires that you "shall be able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."

There is, of course, a paradox in these requirements: you must be able to restore personal data in a timely manner, while other provisions of the GDPR may require you to delete that very data.

Identifying and Classifying Personal Data

The first step towards an effective backup strategy is identifying your data; you must first know what you don't know, after all. This means a discovery process in which you identify the personal data stored within your cloud infrastructure: first locate PII as well as critical business data, then classify it, before engaging any kind of backup solution. Not all data needs to be backed up, and less PII in your backups means less liability.

Choosing the Right Cloud Provider

Data sovereignty is a vital component of the GDPR, so it is essential to select a backup solution that provides data residency within a particular region. If you run a business within Europe, for instance, the backups of your data should remain within Europe. A solution designed with this market in mind, such as SaaS cloud backup for Office 365 Europe, ensures that data is not inadvertently exported to a region with lower data protection standards than your organization's. It is equally important to examine the vendor's data processing agreement to ascertain their commitment to data security.

Encryption and Access Controls

Storing data within a cloud infrastructure requires a robust security framework. A non-negotiable requirement is that data must be encrypted in transit to the backup server as well as at rest within the storage facility. Moreover, access to this data must be tightly controlled: only approved personnel should be able to execute a restore operation or examine the contents of the backed-up files. This ensures that your safety net does not itself become a security vulnerability.

The Right to Erasure Challenge

One of the most difficult aspects of the GDPR to comprehend is Article 17, also known as the "Right to be Forgotten." If a user requests deletion, does your existing backup strategy support granular deletion? Many backup solutions on the market today are classified as "write once," meaning they are immutable archives.

However, to be compliant with the GDPR, you must provide a workflow that addresses user deletion. One approach is to keep a log of all fulfilled deletions and apply it immediately upon restoration, so that a restore never resurrects data that has already been erased from production. Alternatively, choose a product that supports granular deletion within the archive itself.
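The erasure-log approach, as an added example that is not code from the article: the snapshot format, `subject_id` field, `ErasureEntry` type and ticket identifiers are all assumptions constructed for illustration. Records without a `subject_id` are treated as non-personal business data and pass through untouched.

```python
"""Erasure log replayed at restore time (added example, not code from the article).
Assumes immutable JSON Lines snapshots whose personal-data records carry a
`subject_id`, and a separate log of fulfilled erasure requests; all constructed."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ErasureEntry:
    subject_id: str
    ticket: str  # reference to the Article 17 request (hypothetical identifier)


# Constructed erasure log; identifiers are placeholders.
ERASURE_LOG = [
    ErasureEntry("cust-0042", "DSR-1"),
    ErasureEntry("cust-0099", "DSR-2"),
]

# Constructed immutable snapshot, taken before the erasures above were fulfilled.
SNAPSHOT = "\n".join([
    json.dumps({"subject_id": "cust-0001", "email": "a@example.invalid"}),
    json.dumps({"subject_id": "cust-0042", "email": "b@example.invalid"}),
    json.dumps({"subject_id": "cust-0099", "email": "c@example.invalid"}),
    json.dumps({"config_key": "retention_days", "value": 30}),  # non-personal data
])


def restore(snapshot_jsonl, erasure_log):
    """Replay a snapshot, dropping every record whose subject has been erased.
    Returns (restored_records, applied_tickets); the ticket list is the audit
    evidence that this restore honoured each fulfilled erasure request."""
    tombstones = {e.subject_id: e.ticket for e in erasure_log}
    restored, applied = [], set()
    for line in snapshot_jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        subject = record.get("subject_id")  # absent => classified as non-personal
        if subject in tombstones:
            applied.add(tombstones[subject])
            continue
        restored.append(record)
    return restored, sorted(applied)


if __name__ == "__main__":
    kept, tickets = restore(SNAPSHOT, ERASURE_LOG)
    print(f"restored {len(kept)} records; erasures applied: {tickets}")
```

The returned ticket list gives the restore job something concrete to write to its audit trail, which is what the auditing section below asks you to review regularly.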

Regular Auditing and Testing

As discussed earlier, compliance is not something to be done once and forgotten; it is an ongoing process that requires regular maintenance. Auditing your logs regularly will confirm that your policies are being implemented correctly and that there has been no unauthorized access to your data. Equally important is testing your restores. A backup is of no use if it cannot be restored, and it is of no use if it cannot be restored in a manner that is compliant with privacy regulations.

Moving Forward with Confidence

Developing a GDPR-compliant backup strategy is not an easy task, and it should not be taken lightly. But it is worth the effort: it will turn your existing backup strategy from a liability into an asset.