GDPR and backup – balancing business continuity and data protection

03 Dec 2018

Article by iland vice president governance, risk and compliance, Frank Krieger.

It’s over six months since the implementation of the General Data Protection Regulation (GDPR) and we’re now at the in-between phase. The Information Commissioner’s Office (ICO) is still working through data breach cases brought under the Data Protection Act so we’ve yet to see exactly how they will interpret and penalise breaches under GDPR itself.

It’s a waiting game and the compliance world will be paying close attention as the new landscape unfolds. In the meantime, the business of data security and resilience remains a critical concern and an essential part of that is planning for what happens when things go wrong. A systems failure or breach is one of the “moments that matter” for the IT department and robust strategies need to be in place to recover data and bring systems back online. However, when we consider backup and disaster recovery systems we need to view them not just from a business resilience and operational standpoint, but also from a GDPR compliance perspective.

Backup and DR – core to the GDPR proposition

Business continuity and data availability are central elements of the GDPR. Businesses are expected to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” Also included is the edict to “restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” So backup and disaster recovery systems are effectively a mandatory part of doing business if companies are going to comply correctly with the regulation - quite apart from the obvious benefits to the business itself of being able to continue functioning if systems are disrupted.

Therefore, the stringent security standards required for data held, managed and processed in live environments must also apply to data which is stored in backup and DR facilities. It must be fully encrypted while at rest in the backup location and secured in transit in the event that a recovery is required. This is fairly straightforward for organisations that use the cloud for backup, as CSPs make it their business to deliver the highest levels of encryption and physical security for their clients and they typically mirror those provided for the live environment. Organisations using object storage in the cloud are in a stronger position as by its nature object storage offers greater accessibility and control than other storage methods.

Additionally, to ensure GDPR compliance, backups need to be physically located in the territory to which the subject data relates – this is particularly relevant in the case of cloud backup and DR – you need to ensure data sovereignty and be assured by your CSP that your data is being stored only in authorised regions.

Backups and the right to be forgotten

While much of the GDPR is about keeping personal data safe when it’s being held by an organisation, perhaps the highest profile element of the legislation is the one that goes even further and permits the data subject the “right to be forgotten”. While this is an important right for individuals who no longer wish their information to be held by an organisation, it presents some interesting challenges when it comes to backup systems. Is it feasible to absolutely guarantee that data will be deleted not only from the production environment, but also from backup systems?

In what time can this realistically be carried out? How can it be achieved without compromising the integrity of applications that rely on that data? These are some knotty problems that perhaps we will not see fully resolved until we’ve seen the outcomes of some test cases, but there are some points that we can take into consideration when exploring this issue and these are largely around maintaining transparency between data subject and data controller.

When a right-to-be-forgotten request is received, the subject must be informed that data may be held in system backups and assured that these records are subject to the highest levels of encryption and security. The controller should commit to removing personal data from backups within a reasonable time and offer assurance that, in the case of a recovery event, the data subject’s records will not return to the live environment.

The ease with which this can be accomplished will depend on what technology approach the controller has taken to backups. If they are disk-based, it may be fairly quick to identify and delete the relevant data; tape-based searches will take longer; and write-once-read-many (WORM) systems may prove impossible to edit without compromising the backup’s integrity.

Cloud-based backups offer the most flexibility, as they can be swiftly accessed, and data deleted as part of scheduled backups. This also means the integrity of interdependent systems will not be compromised. CSPs should be able to offer clients advice and strategies for managing right-to-be-forgotten requests in cloud backups and I’d advise clients to really take advantage of this expertise in developing clear policies around this challenge.

There are some circumstances where, for different compliance reasons, personal data may not be fully deleted. If these apply to the data subject’s request they must be informed immediately of the reasons for which the data will remain.

Depending on the nature and scale of your archive systems, it may not even be possible for your organisation to give a watertight guarantee that a subject’s data can be entirely forgotten. If this is the case, then this should be a recorded risk that is elevated to Board level, so that it can be managed accordingly.

Data hygiene is the new panacea

While the capacity to collect, use and store customer data is now practically limitless, the reality is that the more data an organisation persists in holding, the bigger the management headache – and compliance risk - it becomes. Today commercial success is not based on how much data you have, but what you do with it: how you access, manage and store it and how you delete it once it is no longer relevant. Sound data hygiene policies must include how data is treated in backup and recovery systems.

The security and management of data is a strategic issue that is intrinsically linked with business agility and continuity. Growing numbers of organisations look to the cloud not just to provide a flexible, scalable production environment, but also because of the advantages it offers in backup and disaster recovery. These features can also be brought to bear when it comes to ensuring ongoing GDPR compliance for backup and recovery systems, so that organisations can confidently meet their obligations and protect customer data, wherever it resides.
