The General Data Protection Regulation (GDPR) turned three on May 25, 2018. Since it became law, it has leveled 661 fines totaling more than €292 million. To its credit, the GDPR has been equitable in its fault-finding. From Google, Amazon, H&M, and Marriott to local municipalities, SMBs, and private individuals – the keen eye of the GDPR is on all sizes and types of companies. With its comprehensive articles that impact both Data Processors and Data Controllers, organizations can find themselves pulled up for being complicit in the violation because of an errant employee, vendor, or partner. In this article, we analyze the significant impact of GDPR on backup; analyzing five areas of GDPR compliance and highlighting backup must-haves.
Talk with Our Director
of Compliance
The Impact of GDPR on Backup: 5 Areas of Compliance
- Regular Backup and Quick Recovery is a Must – Article 32
- Verify That Your Backup is Secure – Article 25
- Backups Must Be Fully Encrypted – Article 32
- Check The Data Center Location – Articles 45-47
- Ease and Completeness of Deletion – Article 17
#1 Regular Backup, Quick Recovery – Security of Processing: Article 32
Although a lot of people link GDPR with data privacy requirements and the right to be forgotten, processing and transfer of data are other key requirements of GDPR.
Article 32 says that whoever is responsible for the data must be able to “restore and access the personal data in a timely manner in the event of a physical or technical incident”.
This article in effect mandates reliable backup that holds a recent copy of your data. Furthermore, you need to be able to quickly restore data from the backup to recover from data loss at the earliest.
#2 Verify That Your Backup is Secure – Security of Processing: Article 32 and Data Protection by Design and by Default – Article 25
Article 32 says that measures have to be put in place to regularly test, assess and evaluate the security of processing. Similarly, Article 25 insists that data controllers and processors have “appropriate technical and organizational measures to meet data protection and data privacy principles”. Your backup provider is your data’s processor and needs to demonstrate “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services”. Note, that as the backup ven access your customer data, the onus is on you to ensure that the processes are GDPR compliant. Verify your backup provider’s application security and compliance credentials. Inspect workflows that involve data collection, processing, and storage.
#3 Backups Must Be Fully Encrypted – Security of Processing: Article 32
Further, Article 32 mandates “the pseudonymisation and encryption of personal data”. It emphasizes the secure processing of data to ensure a level of security appropriate to the risk. Thus recommending techniques such as encryption and regular testing of your backups. Your backup needs to be held and processed securely and data encrypted at-rest and in-transit. Appropriate encryption key management needs to be in place.
#4 Check The Data Center Location – Secure Data Transfer: Articles 45-47
Articles 45-47 talk about data sovereignty and “transfer of personal data to third countries”. This GDPR article impacts where your backups are stored. Data is under the jurisdiction of the country in which it is collected or processed and must remain within its borders. GDPR lays down rules about when and how personal data can be transferred to a third country. It requires that all data collected on citizens must be either stored in the EU, so it is subject to European privacy laws, or within a country that has “similar levels of protection”. Check on the data center location with your backup provider.
#5 Ease and Completeness of Deletion – Right to Erasure or the Right to be Forgotten: Article 17
Article 17, the Right to Erasure or the Right to be Forgotten emphasizes the need to minimize storage of customer data. Make sure that data collected in backups has a retention period that you control. To be able to delete data at will, you would need to search and locate data easily. Data backups need to be fully indexed with search filters that allow you to easily locate the data you are looking for with any keyword. When required, data should be erased completely, including the data stored by backups.
Ensure GDPR Compliance With GDPR Compliant Backup
CloudAlly offers a powerful yet easy-to-use solution for the backup of SaaS applications. Once the backup task is created, you can rest easy knowing that a daily backup is automated and if an unexpected issue is detected, you will receive an alert. Restoring the data is a simple 4-click operation.
CloudAlly encrypts all customer’s data both in-transit and at-rest. All data is stored in industry-leading Amazon S3 storage and encrypted using advanced AES-256 bit encryption algorithms. Transmitted data is encrypted and secured using SSL (HTTPS) enabled servers. This reduces the chance and impact of a data breach. Furthermore, CloudAlly Backup is stringently secure and meets the GDPR compliance standards. Take a look at our security credentials.
CloudAlly allows the customer to select one of six datacenters for their backup spanning Canada, Germany, Ireland, Sydney, U.S., and the U.K. Customer data cannot be moved between data centers without the express written permission of the customer.
Don’t risk non-compliance with GDPR. Choose secure cloud backup.
