“According to the recently-published DLA Piper GDPR Data Breach Survey 2020, more than 160,000 data breach notifications have been reported across Europe since the General Data Protection Regulation (GDPR) came into force in May 2018. The survey also found that data protection regulators have imposed €114 million in fines under the GDPR regime for a wide range of GDPR infringements. It is clear therefore that that many businesses are still facing challenges when it comes to meeting and maintaining compliance.
Backup and recovery can play key roles in helping ensure organisations remain compliant with GDPR at all times avoid a breach and the costly fines associated with it. But in today’s increasingly cloud-based environments, how can businesses best manage their data retention policies and control the location and replication of their data in the cloud? Here are some top tips they should follow to help them achieve these goals.
Make use of geo-controlled cloud data
Articles 45-47 of GDPR govern the location and privacy of EU citizens’ user data in the cloud. Organisations should consider cloud solutions that let them choose the geographic region where their cloud data is based and contain data replication within a selected region, such as the EU, unless a different geography is specifically requested.
Make sure you can access automated compliance reporting
Under GDPR, organisations are responsible for how they manage and protect the privacy of EU citizens’ user data (Article 5). Make sure you choose backup, recovery and cloud software solutions that provide robust compliance reporting built into the user interface, including outage impact predictions and comprehensive data recoverability reports that are available in formats that can be shared with leadership or auditors.
Ensure your backup and recovery is ’state-of-the-art’
As part of its commitment to protecting users and their data, GDPR encourages companies to implement backup and recovery that is State of the Art (SOTA, Articles 25 and 32). It is important to seek out solutions that provide feature advanced ransomware protection and machine learning-based predictive analytics.
Put in place data retention policies that are easy to manage
Article 6 of GDPR requires a strategic plan for storing data about EU citizens that includes a mechanism to delete data when the use case completes. It is therefore key to seek out solutions simplifies the process of defining and managing data retention policies for both on-premises back-up and data in the cloud.
Implement intuitive search and delete
One of the most talked about articles of GDPR is Article 17, Right to be Forgotten. In order to address this, it is important to ensure your chosen backup and recovery tools include intuitive search functionality that enable your administrators to find specific files. Administrators can then choose to delete data as needed, though it should be noted that, depending on the data source, deletion may require erasing a block of data and administrators should also be aware of how other compliance regulations might be impacted.
Instigate role-based access control
As another way of controlling the privacy of EU citizens’ data, Article 23 of GDPR mandates that organisations restrict access to personal data whenever possible. Role-based access control can be instrumental here in helping administrators meet this requirement by letting them manage and restrict data access levels within their team.
Provide secure encryption
GDPR Article 32 mandates that all data is securely processed and stored. With the latest high-quality backup solutions, data can be encrypted in-flight and at-rest using military grade encryption.
Instant recovery
In addition to security, GDPR article 32 also requires the ability to quickly restore data. A high-quality back up and data recovery solution makes it easier for you to recover lost data in seconds.
Running the risk
By failing to ensure compliance with GDPR, any business is running some significant risks. In addition to substantial penalties that can quickly eat into the bottom line of the business, the biggest risks are to the company’s reputation and the goodwill shown to it.
Any company that fails to follow the stipulations of GDPR and experiences a data leak as a result opens themselves up to severe monetary penalties and fines; loss of future business, network downtime, ongoing legal fees, loss of customer trust and confidence, unhappy shareholders and poor employee morale.
That’s food for thought for every business when they decide whether or not they should put the necessary measures in place to comply. GDPR is not going to go away and every organisation needs to ensure it has put its own house in order. Complying with the regulation means putting in place a multi-faceted approach that is as much about implementing new processes as it is about installing new technologies. The latest backup and recovery solutions will typically have a key part to play in delivering best practice data management and by extension helping to meet GDPR. The Unitrends Fifth Annual Cloud and Disaster Recovery Report found, however, that 30 percent of its respondents are experiencing data loss, and 40 percent suffered downtime, showing that many organisations still need support to leverage backup and disaster recovery solutions and best practices.
Moving forwards, organisations that implement these tools will often be better placed to comply with GDPR and other regulations. Ultimately too, there is no time like the present to start putting them in place.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.