A slightly controversial statement to make but could this be the straw that breaks the camel’s back when we consider tape backup in light of the looming GDPR deadline? Having debated this point with many Industry leaders over the past months I have decided to put down my own thoughts on this. Yes it is an opinion but hopefully with sound reasoning as I shall go on to explain.
There are a number of major considerations in the arena of backup and GDPR. Firstly is the amendment to the already in place Subject Access Request (SAR). As with the current legislation, individual citizens have a legal right to request from the data controller what personal data is held by them? The major change is the timescale in which these requests must be responded to. 40 days down to a month. Also and most importantly the potential fines that can be applied to those that fail to meet these demands. I can’t imagine the Information Commissioner’s Office being particularly heavy handed with an organisation that fails on one or two of these but those that systematically fail run the risk of being taken to task and made an example of to “encourage” others to fall into line. Also consider the amount of coverage this will be afforded by the media and the risk that on the 25th May 2018 a deluge of such requests may be forthcoming and the snowball effect this may have when someone has their knuckles rapped.
The question to be posed if all of your backups are on tape is how can you guarantee to provide accurate information to furnish a SAR? Personally I believe the ICO would take a reasonably pragmatic approach to this. Businesses that have historically used tape to protect data backups would be in a decent enough position to state that this is historic and was done before the regulations existed and therefore how can it be reasonable to expect all of this to be reversed engineered to exist within the newly enforced regulations. However, fast forwarding in time, to continue to backup to a media that makes it almost impossible (or at least very expensive) to furnish a SAR fully, would I feel be viewed in a different light.
The second and even more complicated consideration is the right to be forgotten. Take the challenge that exists with a SAR and multiply by a very big number indeed. With data on tape a legitimate request to have data erased must be performed or risk the penalties that can be imposed. The problem with tape is that data does not exist in the same way as it does on disk, you can’t delete a file from a tape you can only wipe the entire tape. Yes you could restore the tapes (all of them) and then systematically delete that data. This could result in the motorway system of the UK being clogged with people driving vans delivering and collecting tape media to service this. Yes a little OTT but one can realistically imagine the strain this would place on already overburdened IT departments. One solution to this is to move to an online cloud based backup solution that allows the retrieval of data without physical tape media in the mix. Also the major change in this area of data privacy legislation is that currently the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present.
Also, businesses need to think clearly about backup regimes and how long they keep the data for. The GDPR is quite clear about this. You can only hold the data for as long as you reasonably need it in terms of the purpose for which you acquired the consent to hold this information. There are exceptions to this that are analogous to the right to erasure (to be forgotten).
So time to go tapeless, not just because of GDPR and the risk of not doing so but use this opportunity to transform away from tape and embrace the additional positive business benefits of a tapeless world which are all well documented and hopefully don’t need too much elaboration.