GDPR Compliance – Who’s got your Back(up)?
What is GDPR?
For those only just tuning into this conversation, the EU Commission negotiated and finalized the text of what is called the “General Data Protection Regulation” (GDPR) in December of 2015. It was officially approved as law in April 2016 and comes into effect on May 25, 2018. And, if you’re an organization that does business in the EU or even has customers from those geographies, this could significantly change the way you do business.
Many think GDPR is an “EU thing” and doesn’t affect them because they don’t have an office there. If you are one of them, think again. Since the EU believes that data protection should apply across national boundaries, GDPR seeks to regulate not only the security of data within the EU but extends the law to all businesses that hold data about EU citizens, even if such a business is based outside the EU. So, where a business is based outside the EU but offers goods and services to individuals in the EU or monitors their behaviour, the GDPR will apply. This means that far more businesses than before, especially those based in the US and other parts of the world, now come under the ambit of GDPR.
What has really grabbed eyeballs is the stiffness of the penalties involved. Certain breaches can result in a fine of € 10M or 2% of a company’s annual revenues – whichever is greater. More serious breaches could result in a fine that is the greater of € 20M or 4% of a company’s annual revenues. In some cases, the Data Protection Authority can impose a complete ban on data processing operations by an organization.
Why a Backup & Recovery Strategy is Important
A key element of the GDPR mandate is the need for a Disaster Recovery plan which can enforce data protection and retention and also demonstrate continued compliance. Article 32(1), sections (a)-(d) of the GDPR law requires companies to have a disaster recovery plan in place and to test it regularly. Companies must have the ability to restore the availability of, and access to, personal data promptly in the event of a physical or technical incident.
Further, it is essential to maintain and protect the privacy of such data that is being backed up. The law requires that data must remain entirely secure, available, testable and GDPR compliant – even while the company is operating with limited resources. To this end, GDPR rules require pseudonymisation or encryption of personal data.
It is also necessary to ensure confidentiality, integrity, availability and resilience of these processing systems and services.
GDPR has therefore made essential what were previously considered best practices. Having a solid backup and recovery plan has always been important, but with the recent onset of incidents like ransomware and regulations like GDPR it has become a critical piece of IT strategy.
What You Should Back Up
Most IT organizations, when thinking about Backup strategies, tend to think of their servers and databases. When crafting your compliance strategy for GDPR, remember to include your end-user data.
What is end user data? Think of it as all of an organization’s data that is not residing on their central file or DB servers. This includes data on all desktops, laptops, mobile devices and even SaaS applications. By even conservative estimates, this accounts for two-thirds or more of a company’s total data assets.
If you’re among those that don’t have a strategy for end-user data protection, don’t despair. You’re not alone! Statistics tell us that only 52% of IT organizations have formal processes for protecting all corporate-owned endpoint devices.
But that’s changing rapidly with the onset of regulations like GDPR and more organizations are now developing strategies for protecting end user data.
- Two-thirds of enterprise data lies outside the data center on end user devices, such as laptops.
- 99% of employees have sensitive data on their laptops and almost a third admit to uploading it to the cloud.
- Unknown to many, SaaS vendors don’t take the responsibility for backing up your data – you are responsible for your data backups – even when it is in the cloud.
THE NEXT STEPS
Protecting end user data has never been more critical. If you don’t have an end user data protection strategy, consider an endpoint backup solution. Get one that can use cloud storage for the backup repository. In fact, look for solutions that can leverage cloud storage you may have already purchased for your end users (like OneDrive or Google Drive).
Consider a solution that can ensure security and privacy using techniques like encryption with a clear segregation of duties. Proper segregation of duties ensures that you, the data owner, control the keys to data encryption, and not the cloud or software vendor.
Most importantly, if you haven’t taken steps to cover yourself, act now! Use the next few months to get control over your data assets, keep them safe and get compliant.
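The segregation of duties described above, together with the Article 32 requirements for encryption and regular restore testing mentioned earlier, can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the original post or from any backup vendor: the data owner generates and keeps the encryption key, the storage vendor only ever receives the sealed blob, and a restore test proves the backup can be recovered byte-for-byte. The key type, the device label used as authenticated data, and the sample record are all assumptions made for the example; it uses only the Go standard library (AES-256-GCM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OwnerKey is the data-encryption key held by the data owner.
// It is never handed to the cloud or software vendor (assumed design).
type OwnerKey [32]byte

// NewOwnerKey generates a random 256-bit AES key on the owner's side.
func NewOwnerKey() (OwnerKey, error) {
	var k OwnerKey
	_, err := rand.Read(k[:])
	return k, err
}

// SealedBackup is the only artefact the storage vendor receives:
// a nonce and AES-GCM ciphertext (which carries its own integrity tag).
type SealedBackup struct {
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals an end-user backup under the owner's key. The device label is
// bound as additional authenticated data, so a blob restored against the wrong
// device label is rejected rather than silently accepted.
func Encrypt(key OwnerKey, deviceLabel string, plaintext []byte) (SealedBackup, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return SealedBackup{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return SealedBackup{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedBackup{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(deviceLabel))
	return SealedBackup{Nonce: nonce, Ciphertext: ct}, nil
}

// Restore opens a sealed backup. Any wrong key, wrong label or modified byte
// fails authentication and returns an error instead of corrupted data.
func Restore(key OwnerKey, deviceLabel string, b SealedBackup) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, b.Nonce, b.Ciphertext, []byte(deviceLabel))
	if err != nil {
		return nil, errors.New("restore failed: wrong key, wrong device label, or tampered backup")
	}
	return pt, nil
}

// RestoreTest is the "regular testing" step: the owner keeps a SHA-256 digest
// of what was backed up and checks that a trial restore reproduces it exactly.
func RestoreTest(key OwnerKey, deviceLabel string, b SealedBackup, wantDigest [32]byte) bool {
	pt, err := Restore(key, deviceLabel, b)
	return err == nil && sha256.Sum256(pt) == wantDigest
}

func main() {
	ownerKey, _ := NewOwnerKey()
	// Constructed sample of end-user data containing personal information.
	record := []byte("customer: Jane Doe <jane@example.com>, DOB 1980-01-01")
	digest := sha256.Sum256(record) // kept in the owner's manifest, not sent to the vendor

	blob, _ := Encrypt(ownerKey, "laptop-0042", record)
	fmt.Printf("vendor stores %d bytes of ciphertext and no plaintext\n", len(blob.Ciphertext))
	fmt.Println("scheduled restore test passed:", RestoreTest(ownerKey, "laptop-0042", blob, digest))

	// A vendor holding only its own key cannot read the backup.
	vendorKey, _ := NewOwnerKey()
	_, err := Restore(vendorKey, "laptop-0042", blob)
	fmt.Println("restore with a non-owner key:", err)
}
```

The point of keeping the digest in the owner's manifest rather than next to the blob is that the vendor should learn nothing about the plaintext, not even a fingerprint of it; the GCM tag already gives the owner integrity on restore.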