On May 25th 2018 the General Data Protection Regulation (GDPR) became applicable. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Given that the parent company of Pro Backup, B4B IT, is located in Belgium, we need to be compliant with this legislation.
In this blog post we address 3 key implications of GDPR for your cloud backups.
Backup and disaster recovery is essential under GDPR
The following comes directly from Article 32 of the GDPR, "Security of processing":
- (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
From this, we can see that organisations are held responsible for their ability to recover, in a timely manner, the personal data they hold. In order to remain compliant, they must have the necessary backup and disaster recovery strategies in place and actively take the time to regularly test the integrity and effectiveness of the solution.
Otherwise, your organisation could face heavy fines for failing to protect the data that you hold and monitor. In recent years we have seen more and more organisations fall victim to sophisticated ransomware and cyber attacks because they do not have the necessary backup and disaster recovery solutions in place. We therefore recommend reading up on how to protect your company against ransomware.
Data backups need to be regular
GDPR requires the data to be available at all times to the data subject; therefore you need to ensure that your backups reflect the live data.
You therefore need to ask yourself how often you or your provider back up your data. If your backups are not automated, you will have to consider increasing the backup frequency to keep in line with your live data.
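The two points above (regularly testing that backups are effective, and keeping them recent enough to reflect the live data) are the kind of thing that is easy to state in a policy and easy to forget in practice. The script below is an added illustration written for this post, not code from Pro Backup or any product it describes. It checks a backup catalog against a hypothetical recovery point objective (RPO, assumed here to be 24 hours) and verifies each backup file against the SHA-256 digest recorded when it was written, flagging backups that are stale, missing, or no longer match their digest. The catalog entries and backup files are constructed inline so the script runs offline; a real deployment would read the catalog from the backup system and run this on a schedule, with the results kept as evidence of the testing Article 32(d) asks for.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Hypothetical recovery point objective (RPO): a backup older than this no
# longer reflects the live data closely enough. Chosen for illustration only.
RPO = timedelta(hours=24)


def sha256_of_file(path):
    """Stream a file through SHA-256 so large backup archives fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backup(entry, now):
    """Evaluate one catalog entry and return (status, reason).

    entry is a dict with keys: dataset, path, taken_at (timezone-aware
    datetime) and sha256 (digest recorded when the backup was written).
    """
    age = now - entry["taken_at"]
    if age > RPO:
        return "STALE", f"last backup is {age} old, exceeds RPO of {RPO}"
    if not os.path.isfile(entry["path"]):
        return "MISSING", f"backup file {entry['path']} not found"
    actual = sha256_of_file(entry["path"])
    if actual != entry["sha256"]:
        return "CORRUPT", "stored digest does not match file contents"
    return "OK", f"backup is {age} old and verifies"


def check_catalog(catalog, now=None):
    """Run check_backup over every entry; results are keyed by dataset name."""
    now = now or datetime.now(timezone.utc)
    return {e["dataset"]: check_backup(e, now) for e in catalog}


def _write_backup(directory, name, payload):
    """Write a constructed backup file and return its path and digest."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(payload)
    return path, hashlib.sha256(payload).hexdigest()


def run_demo():
    """Constructed sample: one fresh and intact backup, one stale backup,
    and one whose contents changed after its digest was recorded."""
    now = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock
    tmp = tempfile.mkdtemp()
    crm_path, crm_hash = _write_backup(tmp, "crm.bak", b"customer records")
    hr_path, hr_hash = _write_backup(tmp, "hr.bak", b"employee records")
    bill_path, bill_hash = _write_backup(tmp, "billing.bak", b"invoices v1")
    # Simulate silent corruption: the file changes, the catalog digest does not.
    with open(bill_path, "wb") as fh:
        fh.write(b"invoices v2")
    catalog = [
        {"dataset": "crm", "path": crm_path, "sha256": crm_hash,
         "taken_at": now - timedelta(hours=6)},
        {"dataset": "hr", "path": hr_path, "sha256": hr_hash,
         "taken_at": now - timedelta(days=3)},
        {"dataset": "billing", "path": bill_path, "sha256": bill_hash,
         "taken_at": now - timedelta(hours=1)},
    ]
    results = check_catalog(catalog, now)
    for dataset, (status, reason) in results.items():
        print(f"{dataset:8} {status:8} {reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

A digest check only proves the archive is the same bytes that were written; it does not prove the data can be restored. Pair it with a periodic test restore into an isolated environment, and record both results, so that "regularly testing" is something you can show rather than something you assert.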
Your third-party providers need to be compliant
Deciding to outsource your backup and disaster recovery solution is a good first step, but it only gets you part of the way to becoming compliant. You also need to ensure that your chosen provider is GDPR compliant.
Since they will be handling, managing, and backing up all your data, they fall under the title of 'data processor' and therefore must follow the same data handling and protection rules as you do.
At Pro Backup we work together with Dirk De Bot, a Belgian data privacy specialist, to ensure that we are GDPR compliant. You can find more information on this in the footer of our website.