Article by iland vice president governance, risk and compliance, Frank Krieger.
It’s over six months since the implementation of the General Data Protection Regulation (GDPR) and we’re now at the in-between phase. The Information Commissioner’s Office (ICO) is still working through data breach cases brought under the Data Protection Act so we’ve yet to see exactly how they will interpret and penalise breaches under GDPR itself.
It’s a waiting game and the compliance world will be paying close attention as the new landscape unfolds. In the meantime, the business of data security and resilience remains a critical concern and an essential part of that is planning for what happens when things go wrong. A systems failure or breach is one of the “moments that matter” for the IT department and robust strategies need to be in place to recover data and bring systems back online. However, when we consider backup and disaster recovery systems we need to view them not just from a business resilience and operational standpoint, but also from a GDPR compliance perspective.
Backup and DR – core to the GDPR proposition
Business continuity and data availability are central elements of the GDPR. Businesses are expected to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” Also included is the edict to “restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” So backup and disaster recovery systems are effectively a mandatory part of doing business if companies are going to comply correctly with the regulation - quite apart from the obvious benefits to the business itself of being able to continue functioning if systems are disrupted.
Therefore, the stringent security standards required for data held, managed and processed in live environments must also apply to data which is stored in backup and DR facilities. It must be fully encrypted while at rest in the backup location and secured in transit in the event that a recovery is required. This is fairly straightforward for organisations that use the cloud for backup, as CSPs make it their business to deliver the highest levels of encryption and physical security for their clients and they typically mirror those provided for the live environment. Organisations using object storage in the cloud are in a stronger position as by its nature object storage offers greater accessibility and control than other storage methods.
Additionally, to ensure GDPR compliance, backups need to be physically located in the territory to which the subject data relates – this is particularly relevant in the case of cloud backup and DR – you need to ensure data sovereignty and be assured by your CSP that your data is being stored only in authorised regions.
Backups and the right to be forgotten
While much of the GDPR is about keeping personal data safe when it’s being held by an organisation, perhaps the highest profile element of the legislation is the one that goes even further and permits the data subject the “right to be forgotten”. While this is an important right for individuals who no longer wish their information to be held by an organisation, it presents some interesting challenges when it comes to backup systems. Is it feasible to absolutely guarantee that data will be deleted not only from the production environment, but also from backup systems?
In what time frame can this realistically be carried out? How can it be achieved without compromising the integrity of applications that rely on that data? These are some knotty problems that perhaps we will not see fully resolved until we’ve seen the outcomes of some test cases, but there are some points that we can take into consideration when exploring this issue and these are largely around maintaining transparency between data subject and data controller.
When a right-to-be-forgotten request is received, the subject must be informed that data may be held in system backups and assured that these records are subject to the highest levels of encryption and security. The controller should commit to removing personal data from backups within a reasonable time frame and offer assurance that, in the case of a recovery event, the data subject’s records will not return to the live environment.
The ease with which this can be accomplished will depend on what technology approach the controller has taken to backups. If they are disk-based it may be fairly quick to identify and delete the relevant data, tape-based searches will take longer, write-once-read-many (WORM) systems may prove impossible to edit without compromising the backup’s integrity.
Cloud-based backups offer the most flexibility, as they can be swiftly accessed, and data deleted as part of scheduled backups. This also means the integrity of interdependent systems will not be compromised. CSPs should be able to offer clients advice and strategies for managing right-to-be-forgotten requests in cloud backups and I’d advise clients to really take advantage of this expertise in developing clear policies around this challenge.
There are some circumstances where, for different compliance reasons, personal data may not be fully deleted. If these apply to the data subject’s request they must be informed immediately of the reasons for which the data will remain.
Depending on the nature and scale of your archive systems, it may not even be possible for your organisations to give a watertight guarantee that a subject’s data can be entirely forgotten. If this is the case, then this should be a recorded risk that is elevated to Board level, so that it can be managed accordingly.
Data hygiene is the new panacea
While the capacity to collect, use and store customer data is now practically limitless, the reality is that the more data an organisation persists in holding, the bigger the management headache – and compliance risk - it becomes. Today commercial success is not based on how much data you have, but what you do with it: how you access, manage and store it and how you delete it once it is no longer relevant. Sound data hygiene policies must include how data is treated in backup and recovery systems.
The security and management of data is a strategic issue that is intrinsically linked with business agility and continuity. Growing numbers of organisations look to the cloud not just to provide a flexible, scalable production environment, but also because of the advantages it offers in backup and disaster recovery. These features can also be brought to bear when it comes to ensuring ongoing GDPR compliance for backup and recovery systems, so that organisations can confidently meet their obligations and protect customer data, wherever it resides.