A fundamental element of data protection is having the ability to securely back up the data your organisation holds, and this is going to come under a lot more scrutiny as the deadline day for GDPR looms.
Because individuals have the right to have their data protected at all times, this new legislation will make it compulsory to be able to prove you have the right IT infrastructure and policies in place for disaster recovery (retrieving and continuing to protect data in the event of a critical incident), whether that is an attack from Godzilla or something more mundane such as a ransomware attack. If you hold an individual's data, and that data is lost or stolen, you can no longer say you are adequately protecting it, and so you are in breach of the regulations.
Diving into the legislation, GDPR states that any organisation holding the data of an EU citizen must be able to show ‘the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident’. Furthermore, they must also have in place ‘a process of regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing’.
Put simply, in order to be compliant, an organisation needs to have the necessary back-up and disaster recovery strategies in place to retrieve and protect data, and take the time to regularly test those solutions.
So, what practical steps do you need to take to ensure that your organisation can do this?
Audits and Assessments
The first requirement is to perform a series of audits or assessments to evaluate where you currently stand with regards to GDPR and data protection:
- A data impact assessment to discover the impact of data being lost or stolen
- A security audit to evaluate your current data protection and cyber security measures and identify possible gaps or inadequacies
- An assessment of current protocols for data breaches and data requests, to identify where improvements can and need to be made in order to comply
Once you have an understanding of what you need to do to adequately protect your data and enable its recovery, you then need to develop a full understanding of just what data you have, where it is stored, how it moves through your organisation, and whether it is protected.
That is not as simple as it may sound. The data you hold on your company server is one thing, but consider the level of data growth over the last decade or so, how it is stored and processed on remote devices, in the cloud and by third parties, plus the increasing number of ways we collect data, and it's not hard to believe that most organisations don't even realise just how much data they have.
Just as a map tells us the location of something, and where it is in relation to other things, data mapping enables you to discover where your data is held, and how it flows through your organisation.
With a comprehensive data map in place, you can then start the process of identifying what you need for day-to-day processing, what you can archive, and what you can get rid of.
One of the best ways to reduce the risk of non-compliance with data protection regulations is data minimisation. Simply put, the less data you have, the less you have to protect. Delete any outdated or obsolete data you simply don't need anymore, and then consider what can be archived.
Your archives will hold legacy data you no longer use but may have to keep for a period of time under other regulations, or information that has been moved off your servers to free up space. However, it is important to remember that even if you don't use it, if you still have it, it is subject to GDPR. So it too must be protected, and it must also be accessible to authorised personnel if, for instance, your company faces a data access request or a right-to-be-forgotten request.
To date, many organisations still use tapes to archive, but this in itself poses a security risk in that they can be lost or stolen. Cloud storage is becoming the norm now, offering secure long-term data storage, but you must ensure your provider is also GDPR-compliant. Whatever option you choose, whether off-site storage or the cloud, you need to assess the levels of security and accessibility in place.
Assessing Your Back-Up Capabilities
Following deletion and archiving, what you are left with is your business-critical data, the juicy stuff you need to run your business on a day-to-day basis, and you must now assess your back-up capabilities for this.
You need to look at how you back up your data. Is it done manually or is it automated? How often is it done? Because GDPR requires your data to be available at all times to an individual should they request it, you must be able to retrieve and share its live or most recent version, not the version you held two weeks before things came crashing down.
Obviously, your back-up system must be effective, so it should be tested regularly to assess whether it is fit for purpose and to identify where it can be improved. You must also assess how easy it is to physically retrieve data in the timely fashion demanded by GDPR: in essence, how well your back-up system actually works when you need to restore from it.
Securing Your Back-Up
Obviously, your back-up data needs to be secure, otherwise it defeats the purpose. Primary IT solutions for back-up data protection would include:
- Pseudonymisation or tokenisation
- Access controls
There are several steps to take, and while it can be a little daunting, it doesn’t have to be, if you get some practical help from a certified GDPR expert who can advise you on the steps you need to take to be compliant.
They can provide the training and education your staff need regarding best practices for the separation, compartmentalisation, back-up and restoration of data, as well as advice on GDPR awareness, gap analysis, impact assessments and security audits.
As certified GDPR consultants, pebble.it can help your entire organisation understand what you need to do to be compliant, and advise on the processes you need to put in place to implement a compliant back-up solution.
Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: