The Impact of GDPR on Backup: 5 Areas of Compliance

The General Data Protection Regulation (GDPR) took effect on May 25, 2018, and turned three on May 25, 2021. Since it became law, it has levied 661 fines totaling more than €292 million. To its credit, the GDPR has been even-handed in its fault-finding. From Google, Amazon, H&M, and Marriott to local municipalities, SMBs, and private individuals, the keen eye of the GDPR is on all sizes and types of organizations. Because its articles bind both Data Processors and Data Controllers, an organization can find itself liable for a violation caused by an errant employee, vendor, or partner. In this article, we analyze the impact of GDPR on backup, looking at five areas of GDPR compliance and highlighting the backup must-haves for each.


The Impact of GDPR on Backup: 5 Areas of Compliance

  1. Regular Backup and Quick Recovery is a Must – Article 32
  2. Verify That Your Backup is Secure – Article 25
  3. Backups Must Be Fully Encrypted – Article 32
  4. Check The Data Center Location – Articles 45-47
  5. Ease and Completeness of Deletion – Article 17

#1 Regular Backup, Quick Recovery – Security of Processing: Article 32

Although most people associate the GDPR with data privacy requirements and the right to be forgotten, the security of processing and the transfer of data are equally central to it.

Article 32(1)(c) requires the controller and the processor to have “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.

In effect, this mandates a reliable backup that holds a recent copy of your data, together with a tested restore path: you must be able to recover from data loss quickly, not merely hold a copy somewhere. A backup that has never been restored is an untested assumption, so restore drills belong in the same schedule as the backups themselves.

#2 Verify That Your Backup is Secure – Security of Processing: Article 32 and Data Protection by Design and by Default – Article 25

Article 32(1)(d) requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”. Similarly, Article 25 (data protection by design and by default) requires controllers to implement appropriate technical and organisational measures that put the data-protection principles into practice. Your backup provider is a processor of your data and needs to demonstrate “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” (Article 32(1)(b)). Note that because the backup vendor can access your customer data, the onus is on you, as the controller, to ensure that its processes are GDPR compliant. Verify your backup provider’s application security and compliance credentials (for example, independent audit reports), and inspect the workflows that involve data collection, processing, and storage.

#3 Backups Must Be Fully Encrypted – Security of Processing: Article 32

Further, Article 32(1)(a) names “the pseudonymisation and encryption of personal data” first among the measures to be implemented “as appropriate”, to ensure a level of security appropriate to the risk. For backups, which concentrate an organization’s personal data in one place, encryption is the appropriate measure in practically every case, alongside the regular testing of restores discussed above. Your backup needs to be held and processed securely, with data encrypted at rest and in transit, and with appropriate key management: keys stored separately from the backups they protect, access to them restricted and logged, and a way to rotate them without re-encrypting every archive.
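The requirements of #1 (restorable backups) and #3 (encryption at rest with key management) in working form, as an added example that is not CloudAlly’s code and not a storage format the page describes: envelope encryption using only the Go standard library. It assumes a 32-byte key-encryption key (KEK) held by the backup operator, and the personal-data record, the Envelope structure and the function names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is the stored form of one encrypted backup object (a format invented for this example).
type Envelope struct {
	WrappedDEK []byte   // per-backup data key, encrypted under the KEK with AES-256-GCM
	WrapNonce  []byte   // nonce used when wrapping the DEK
	Ciphertext []byte   // backup payload, encrypted under the DEK with AES-256-GCM
	DataNonce  []byte   // nonce used for the payload
	Digest     [32]byte // SHA-256 of the plaintext, re-checked after every restore
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated but not encrypted.
// open reverses it and fails on any modified byte of ct, nonce or aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptBackup: fresh DEK per backup, payload under the DEK, DEK wrapped under the KEK (envelope encryption).
func EncryptBackup(kek, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plaintext)
	// The digest is bound as AAD, so a payload swapped in from another backup fails authentication.
	dataNonce, ct, err := seal(dek, plaintext, digest[:])
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, nil)
	return &Envelope{WrappedDEK: wrapped, WrapNonce: wrapNonce, Ciphertext: ct, DataNonce: dataNonce, Digest: digest}, err
}

// RestoreBackup unwraps the DEK, decrypts the payload and verifies it against the recorded digest.
func RestoreBackup(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, env.DataNonce, env.Ciphertext, env.Digest[:])
	if err != nil {
		return nil, fmt.Errorf("decrypt payload: %w", err)
	}
	if sha256.Sum256(pt) != env.Digest {
		return nil, fmt.Errorf("restored data does not match recorded digest")
	}
	return pt, nil
}

// RotateKEK re-wraps the DEK under a new KEK; the bulk ciphertext is never touched.
func RotateKEK(oldKEK, newKEK []byte, env *Envelope) (*Envelope, error) {
	dek, err := open(oldKEK, env.WrapNonce, env.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap with old KEK: %w", err)
	}
	rotated := *env
	rotated.WrapNonce, rotated.WrappedDEK, err = seal(newKEK, dek, nil)
	return &rotated, err
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek) // in production the KEK lives in a KMS or HSM, never next to the backups
	record := []byte(`{"user":"alice@example.com","dob":"1990-01-01"}`) // constructed sample record
	env, _ := EncryptBackup(kek, record)
	pt, err := RestoreBackup(kek, env)
	fmt.Println("restore test passed:", err == nil && string(pt) == string(record))
}
```

The split into a data-encryption key per backup and a separate key-encryption key is what makes the key-management requirement workable: the KEK can sit in a KMS or HSM with its own access control and audit log, rotating it is a small re-wrap rather than a re-encryption of every archive, and a restore drill is simply RestoreBackup run on schedule with the result compared to the recorded digest.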