Why backups are essential in a GDPR world

Posted by Chris Scott

GDPR is now in place to keep personal data safe at every stage of its lifecycle – from acquisition and processing, all the way through to storage and deletion. Unfortunately, events outside the data controller’s control will inevitably occur. These events may include the accidental or purposeful alteration or deletion of data, situations where data becomes unavailable, such as a software provider outage, and the now all-too-common data breach.

Businesses can’t rest on their laurels and assume that the vendors they rely on have their backs. For example, many organisations still wrongly assume that their Office 365 data is backed up by Microsoft, although the tech giant makes it very clear that protecting your data is ultimately your responsibility.

Organisations therefore need to be confident in their ability to recover lost data, access this information in a timely manner and react to any issues in a compliant way. Failing to do so could result in hefty fines and immeasurable reputational damage now that GDPR is in full effect.

The regulation leaves plenty of room for interpretation, and in order to cover all GDPR bases, businesses will likely need to adopt a number of different solutions that complement each other. When we drill down into specifics, it is clear that a number of articles within the regulation can be addressed through the secure backup of data.

Article 4

Firstly, Article 4 defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. Considering this definition, we can see that having backups of data helps to protect organisations from a number of scenarios that could result in disciplinary action.

Article 5

This article states that personal information must be up-to-date and consistently available, whilst being protected against loss, destruction or damage. This may seem like a difficult task on the face of it, but automatically backing up data is a good way to make sure that data sets are easily accessible at all times. This data can also be restored in a timely fashion using eDiscovery with advanced capabilities that allow flexible search, recovery and export.

Articles 28 and 32

These articles relate to the security of data processing, and state that organisations must be able to restore the availability of, and access to, personal data in a timely manner if a physical or technical issue arises. They also highlight the need for regular testing and the evaluation of processes to ensure data is continuously safeguarded. Carrying out regular health checks of backup data and ensuring that a storage-level corruption guard is in place would help organisations adhere to these articles by offering peace of mind that backup information is easily accessible and can be restored at a granular level.

Compliance with GDPR requires multiple solutions and processes which work together in harmony. Once this is established, organisations will reap the benefits of a more secure, streamlined way of working. The easiest way to achieve compliance with the specific articles mentioned here is to adopt a backup solution that has been designed with GDPR in mind from the get-go. Fast-growth companies that require more flexibility and scalability should also consider backup-as-a-service options, which often offer additional layers of security. Either way, it is important that organisations can guarantee that nothing is missed.