
Pro Backup blog

Read our stories and ideas about data security and backups.

Data Backups

GDPR and backups: How to handle deletion requests?

What if a customer requests you to delete all his data? How does this impact your data backups?
Willem Dewulf, 12 Apr 2023, 5 min read

Since the introduction of GDPR, backups have been a hotly debated topic. Many organizations tried to figure out what is required of their GDPR and backup strategy to ensure compliance.

Previously we addressed some of the key implications of GDPR on your cloud backups. In this blog post we address two issues that arise when backups meet the right to be forgotten.

Does a deletion request include removing data from backups?

GDPR allows an EU citizen to ask an organization to remove any record of personal data.

In the last year, several EU supervising authorities have released recommendations on how to address this issue of GDPR and backup. The Danish authority, the Data Inspectorate, states deletion of record data from backups is mandatory “if this is technically possible.” holds that record data does not need to be deleted from a backup.

Additionally, according to a Quantum blog, the French National Commission on Informatics and Liberty (CNIL) said “organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time.” We recommend that our Pro Backup clients communicate this as clearly as possible to their customers, and that they state the backup retention time explicitly in their communication with the data subject.

What if a deleted record is restored through an old backup?

The second issue around GDPR and backup is restoration: if an organization deletes a record and later recovers from an older backup that still contains it, the deleted record is reanimated and put back into production, making the organization noncompliant again.

Therefore we advise our clients to maintain an index of requested deletes – using non-identifiable markers, such as a database row number rather than personal detail – with each entry kept for the retention time of the backups that could still contain that record. This way, should recovery require an older backup containing now-deleted records, the organization can re-delete those records immediately after the restore.
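The deletion index described above, worked through as an added example (this is illustrative code written for this post, not Pro Backup's own tooling): tombstones hold only a table name and row number, entries older than the backup retention window are pruned, and after a restore every deletion requested after the backup's snapshot time is replayed. The store, backup and dates are constructed sample data.

```python
"""Deletion index (tombstones) replayed after a backup restore."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Tombstone:
    table: str               # table the record lived in
    row_id: int              # non-identifiable marker, never the personal data itself
    requested_at: datetime   # when the data subject asked for erasure

def prune_index(index, now, retention):
    """Keep only tombstones that some still-existing backup could contain.
    Once a request is older than the retention window, every backup taken
    before it has expired, so the marker is no longer needed either."""
    cutoff = now - retention
    return [t for t in index if t.requested_at >= cutoff]

def deletions_to_replay(index, snapshot_at):
    """Records erased after the backup was taken come back when that backup
    is restored and must be deleted again."""
    return [t for t in index if t.requested_at > snapshot_at]

def restore_and_redelete(backup, index):
    """Rebuild a tiny in-memory 'production' store from the backup, then
    re-apply the relevant tombstones. Returns (store, replayed_tombstones)."""
    snapshot_at, data = backup
    store = {table: dict(rows) for table, rows in data.items()}
    replayed = []
    for t in deletions_to_replay(index, snapshot_at):
        if store.get(t.table, {}).pop(t.row_id, None) is not None:
            replayed.append(t)
    return store, replayed

# Constructed sample: backup from 1 March, 60-day retention, "today" is 12 April.
UTC = timezone.utc
RETENTION = timedelta(days=60)
NOW = datetime(2023, 4, 12, tzinfo=UTC)
BACKUP = (datetime(2023, 3, 1, tzinfo=UTC), {"customers": {1: "row-1", 2: "row-2"}})
INDEX = [
    Tombstone("customers", 9, datetime(2023, 1, 1, tzinfo=UTC)),   # outside retention: pruned
    Tombstone("customers", 2, datetime(2023, 3, 15, tzinfo=UTC)),  # erased after the backup: replay
    Tombstone("customers", 3, datetime(2023, 2, 20, tzinfo=UTC)),  # erased before the backup: nothing to do
]

def run_demo():
    index = prune_index(INDEX, NOW, RETENTION)
    store, replayed = restore_and_redelete(BACKUP, index)
    return index, store, replayed

if __name__ == "__main__":
    index, store, replayed = run_demo()
    print(len(index), "tombstones kept; store after restore:", store)
    print("re-deleted:", [(t.table, t.row_id) for t in replayed])
```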

Data Backups

GDPR implications for your cloud backups

A quick overview of implications of GDPR on your cloud backups.
Willem Dewulf, 8 Mar 2023, 5 min read

Introduction

On May 25th 2018 the General Data Protection Regulation (GDPR) became applicable. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Given that the parent company of Pro Backup – B4B IT – is located in Belgium, we need to be compliant with this legislation.

In this blog post we address three key implications of GDPR on your cloud backups.

Backup and disaster recovery is essential under GDPR

The following comes directly from Article 32 of the GDPR, Security of Processing:

  • (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

From this, we can see that organisations are held responsible for their ability to recover, in a timely manner, any personal data they hold that is lost. In order to remain compliant, they must have the necessary backup and disaster recovery strategies in place and actively take the time to regularly test the integrity and effectiveness of the solution.

Otherwise, your organisation could face heavy fines for failing to protect the data that you hold and monitor. In recent years we have seen more and more organisations fall victim to sophisticated ransomware and cyber attacks because they do not have the necessary backup and disaster recovery solutions in place. We therefore recommend that you read up on how to protect your company against ransomware.

Data backups need to be regular

GDPR requires the data to be available at all times to the subject; therefore you need to ensure that your backups reflect the live data.

You therefore need to ask yourself how often you or your provider back up your data. If your backups are not automated, you will have to consider increasing how often they are taken so that they keep in line with your live data.

Your third-party providers need to be compliant

Deciding to outsource your backup and disaster recovery solution is a good first step, but it only gets you part of the way to compliance. You also need to ensure that your chosen provider follows GDPR itself.

Since they will be handling, managing, and backing up all your data, they fall under the title of ‘data processor’ and therefore must follow the same data handling and protection rules as you do.

At Pro Backup we work together with Dirk De Bot, a Belgian data privacy specialist, to ensure that we are GDPR compliant. You can find more information on this in the footer of our website.
