Industry leaders love to talk to other industry leaders when it comes to the General Data Protection Regulation (GDPR), but they should talk to their local authority instead.
How many times have I heard this catastrophic scenario that predicts the end for tape (again)? It’s Monday, and your manager asks you to delete someone’s personal data from your backup copies because the data protection officer received an email asking the company to follow the “right to be forgotten.” So, you grab a coffee and start figuring out where to find the data—but how can you delete a single file in a tape? You can’t. You’ll need to wipe the entire tape. Should you restore everything? Delete the personal information and backup the remaining data again? Sounds complex. Now imagine that this happens many times per day because of this new regulation—the GDPR. Kind of scary, right?
It seems like we’re living in a world where backup software doesn’t use catalogues to track what data is stored where—a world where you need NSA tools to just make a file inaccessible to the public or internal users.
But let’s imagine another scenario. It’s Sunday morning and you find that part of your systems have been encrypted by a ransomware attack. You decide to use your backups…until you discover the criminals encrypted your backups first. Now imagine that you have replicated your backups over the weekend, so your DR copies are also encrypted. No plan B, no plan C. Last but not least, it’s June 2018, and you need to comply with the GDPR—and you just failed to protect someone’s personal data.
So, is tape compatible with the GDPR?
Of course, tape is the best solution to protect data against ransomware attacks. Not only because, as far as we know, there is no ransomware designed to mount virtual drives and access tape, but also because, unless the criminals have physical access to your media (don’t forget to encrypt your backups), it’s impossible to reach and encrypt offline media.
These days, most companies are using disk-based backup (often with deduplication) as their plan B if a problem arises. But tape can be your plan C, protecting your data against online viruses while still being compliant with the GDPR.
But what about the “right to be forgotten?”
Here is where industry leaders should contact their local authority. At least this is what we have done. We requested help from the French data protection authority (CNIL) to better understand if tape can be an issue or an advantage for GDPR compliance.
The answer is clear. You need to protect your data against ransomware, and it’s OK to keep data on a backup as long as you don’t process it again, you protect it through encryption, and you delete it once you don’t need it (when it expires).
There is no problem at all with using tape, and the catastrophic scenario described earlier doesn’t have to happen if you use tape as a secondary, offline copy. You don’t need to delete a specific file if someone asks for the right to be forgotten. It’s OK to inform the data subject (the EU citizen) that you have an encrypted copy on tape to protect his or her personal information against ransomware, and that you’ll expire and delete this data in a reasonable timeframe (you have one month to acknowledge a data subject request).
Many industry leaders want you to go tapeless, often just because they don’t have tape in their portfolio or because they want to sell an alternative (like the cloud). But tape has an important role to play in your journey to protect EU citizens’ personal information and protect your production data against ransomware. And the good news is most backup software vendors know how to handle tape. So, as long as you use tape as your last line of defense, following the 3-2-1 data protection rule, it should be easy to be compliant and safe with tape.