When it comes to data protection, GDPR has changed the game. It affects Disaster Recovery (DR) alongside all your other systems.
The General Data Protection Regulation (GDPR) came into force in May 2018. It puts strict controls on how companies process personal data. In the rush to comply, many may have forgotten the implications in a particular area: disaster recovery systems.
In GDPR, an individual whose personal data an organisation holds is known as a ‘data subject’, and they have many new rights under the Regulation. To remain compliant, companies should check the ability of their DR solution to support the following clauses:
Protecting against data loss
Perhaps the most important clause relating to DR simply demands that you have it. Article 5(1)(e) says that companies must ensure “protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
If ransomware or some other disaster destroyed your sensitive data, you’d be in violation. So backing it up is essential.
Under GDPR Article 15(1), a company must give a data subject any personal data that it has stored about them. It cannot use its inability to recover data after a disaster as an excuse. Article 32(1)(c) of the Regulation mandates “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
This means all companies need a disaster recovery plan that works in real life rather than merely on paper, so adequate testing is important. In fact, Article 32(1)(d) demands “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Another important aspect of disaster recovery under GDPR is the ability to select appropriate data for backup and recovery on a per-file basis. Some data covered by GDPR, such as marketing information, may not be considered a mission-critical workload, yet it may need recovering quickly if someone asks for it. A DR plan should enable a company to choose different categories of information to be backed up in different places and restored individually if necessary.
This also applies to data erasure. Article 17(1) says that the owner of personal data has “the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.”
If a data subject’s personal data is also held in a backup somewhere, it should be deleted there too. It is far easier to delete particular backup files containing user information in a modern cloud-based disaster recovery system than it is on a tape archive.
In any case, companies should beware what they store as part of a long-term archive; in this context, individually identifiable information should not be stored at all. Article 5(1)(e) says that data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” When personal data is archived, it should be kept in pseudo-anonymous form, so that a data thief could not derive sensitive personal information from it.
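The three preceding points (selecting data for backup per category, erasing a data subject’s records from backups, and archiving only in pseudonymised form) can be illustrated in code. The following is an added example and is not code from the original article or from any particular DR product; the record layout, the field names, the category labels and the key handling are all assumptions made for the illustration. It pseudonymises archive records with a keyed HMAC rather than a plain hash, because a plain SHA-256 of an e-mail address can be recomputed by anyone with a list of candidate addresses, and it keys erasure on the same pseudonym so a subject’s records can still be located and removed without the archive holding their identity in the clear.

```python
import hmac
import hashlib
from typing import Dict, Iterable, List, Tuple

# Direct identifiers that must never reach a long-term archive in the clear.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed demo key (assumption). In practice this lives in a secrets manager,
# separate from the archive itself, so whoever obtains the archive alone cannot
# recompute the pseudonyms or link them back to a person.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample records (assumption), tagged with the data category they
# belong to so each category can be backed up and restored independently.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "category": "marketing", "opt_in": True},
    {"name": "Ada Example", "email": "Ada@Example.com", "category": "billing", "plan": "pro"},
    {"name": "Bob Sample", "email": "bob@example.com", "category": "marketing", "opt_in": False},
]


def pseudonym_for(email: str, key: bytes) -> str:
    """Keyed pseudonym for a data subject: HMAC-SHA256 over the normalised e-mail.
    Normalising (strip + lower-case) makes 'Ada@Example.com' and 'ada@example.com'
    map to the same subject, so an erasure request finds every copy."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict, key: bytes) -> Dict:
    """Return a copy of the record with direct identifiers replaced by a pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym_for(record["email"], key)
    return out


def build_archive(records: Iterable[Dict], key: bytes, categories: Iterable[str]) -> List[Dict]:
    """Select only the requested data categories and pseudonymise them for archival."""
    wanted = set(categories)
    return [pseudonymise_record(r, key) for r in records if r["category"] in wanted]


def erase_subject(archive: List[Dict], email: str, key: bytes) -> Tuple[List[Dict], int]:
    """Honour an Article 17 erasure request against an archive: drop every record
    whose pseudonym matches the data subject and report how many were removed."""
    target = pseudonym_for(email, key)
    kept = [r for r in archive if r["subject_id"] != target]
    return kept, len(archive) - len(kept)


def contains_direct_identifiers(archive: List[Dict]) -> bool:
    """DR-test check: does any archived record still carry a direct identifier?"""
    return any(k in r for r in archive for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    archive = build_archive(SAMPLE_RECORDS, PSEUDONYM_KEY, ["marketing", "billing"])
    print(f"archived {len(archive)} records; direct identifiers present: "
          f"{contains_direct_identifiers(archive)}")
    archive, removed = erase_subject(archive, "ada@example.com", PSEUDONYM_KEY)
    print(f"erased {removed} records for the data subject; {len(archive)} remain")
```

Two points follow from the design. First, a pseudonymised archive is still personal data under GDPR as long as the key exists, so the key must be stored and access-controlled separately from the archive and destroyed if the archive is ever to be treated as anonymous. Second, `contains_direct_identifiers` is the kind of automated check that belongs in the regular testing Article 32(1)(d) asks for: it fails loudly if a new field carrying a name or e-mail address is ever added to the records without being covered by the pseudonymisation step.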
Finally, GDPR Article 25(1) states that a controller will "integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects." It’s talking about measures like pseudo-anonymisation and minimisation of stored data here, but is also likely to apply to data backups. If your backed-up data is not secured using tools such as encryption, and that data is compromised, the company storing it will be liable.
On that note, it is important to understand the liability of the partners to whom you outsource DR services. Under GDPR, not only are controllers (the companies making the backups) liable for the confidentiality, integrity and availability of their data, but so are the companies storing it on their behalf. If they mishandle it, both of you will be liable under the regulations, so asking them whether they are GDPR compliant is a must.
So if you haven’t reviewed the compliance of your DR solution from a GDPR perspective, now is the time. This strict set of regulations is all-encompassing, affecting every part of your data processing workflow. Backing up and restoring that data is no exception.
Want to know more about how DRaaS compares to traditional DR solutions? Read our guide:
4 reasons to reconsider your disaster recovery plan