How to Keep Your Data Backup GDPR Compliant

Under the GDPR, keeping your data backups compliant can be quite a challenge. Technical and organizational measures must be taken to meet compliance standards. Here is what you need to consider when setting up your data backup compliance strategy.

Picture the scene: the charismatic ‘one-club’ local hero, the aging warhorse in his final season, sitting on the bench waiting for one last great hurrah. Then the call comes; an injury to the star player means the veteran is needed.

He stands up, then realizes he’s forgotten to pack his trainers, or even to get changed – so much for an effective backup.

Yet in the world of business, an increasing number of vital data reserves are not fit for purpose. Certainly from a GDPR perspective, any backed-up data runs the risk of not being fully prepared – or compliant.

All of which can leave the team short, and compromise your chances of future glory.

Technical and Organizational Measures

Backup is essential to ensuring your business data is always available where and when it’s needed – that’s why many companies regularly perform the action as part of their day-to-day IT activities.

The challenge represented by the GDPR regulations, however, is to ensure the process doesn’t violate the rights of the ‘data subject’. Doing this, and achieving total coverage, requires the introduction of appropriate technical and organizational measures.

Should You Be Updating Backed-up Data?

Think of what happens when a person orders a pair of shoes online:

  • Once the item is selected, most people will prefer the convenience of having their items shipped rather than collecting in person
  • They will input their address details
  • In many instances, this will actually be a work address to help guarantee that someone will be on hand to receive the goods during office hours

Sounds simple, and indeed it is. Complexity only enters the picture when you consider what happens next to the data. That’s because the company selling the shoes now has the responsibility of keeping this data up-to-date in their database – as well as in the database of the shipping company that made the delivery.

What’s more, because a work address was provided, the data quality has the potential to quickly decay – and will do so the moment the person changes jobs. All of which points to a sizeable task, but one that’s relatively easy to accomplish with your current database.

But what of the data being backed up?

Restoring Data = Processing Data

Technically, it’s not possible to remove data from a backup file: try to do so and you run the risk of compromising the backup. You can only restore a backup – which means the data becomes visible again. Do that and you are seen as having processed the data, and in doing so you have possibly violated the rights of the data subject.

Which brings us back to “appropriate organizational measures”.

In order to comply with GDPR, organizations need to document – in as detailed a manner as possible – their policies and procedures for handling personal data. This includes being able to demonstrate that this data will in no way be restored into the production system.

Constantly Deleting Data Inaccuracies

Another question to answer is: how long will you need to keep a backup of your data? With GDPR, it’s most likely that companies will become increasingly strict in retaining data for only as long as necessary – to support operations and legal obligations.

At the same time, there should also be increased vigor in deleting inaccurate data. This, of course, places the spotlight on the measures being taken to keep the data accurate in the first place!

To return to the case of the shoe retailer, they could approach such a task by asking customers to log in to their website to amend any incorrect data. As long as this request is easy for each customer to complete, it should help ‘catch’ any errors – and provide a simple way for them to revoke their consent.

Exploring all Possibilities

Other options include:

  • Implementing a review of the retained data every three months
  • Defining a policy that considers data older than three months to be potentially inaccurate and therefore not worth keeping
  • Using data logs to know which data is considered inaccurate
  • Keeping data with a short validity (e.g. shipping address, phone number etc.) separate from data that has to be retained for other legal requirements (e.g. invoices)
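The measures listed above can be turned into a small, auditable retention review. The following is an added example, not code from the article or its Managed Backup service: it assumes a hypothetical `Record` type with a category, a last-verified date and a consent flag, treats data older than the three-month window as potentially inaccurate, keeps legally retained categories (invoices) out of the accuracy review, and writes a log line per decision.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy window from the article: data not verified within three months
# is treated as potentially inaccurate. Hypothetical constant name.
REVIEW_WINDOW = timedelta(days=90)

# Categories retained under a separate legal requirement (e.g. invoices)
# are kept regardless of age. Hypothetical category names.
LEGALLY_RETAINED = {"invoice"}

@dataclass
class Record:
    record_id: str
    category: str        # e.g. "shipping_address", "phone", "invoice"
    last_verified: date  # last time the customer confirmed or changed the value
    consent_revoked: bool = False

def review_record(rec: Record, today: date) -> str:
    """Decide one record's fate under the policy: 'keep', 'flag' or 'delete'."""
    if rec.category in LEGALLY_RETAINED:
        return "keep"    # retained on a legal basis, not subject to the accuracy sweep
    if rec.consent_revoked:
        return "delete"  # the customer withdrew consent via the self-service login
    if today - rec.last_verified > REVIEW_WINDOW:
        return "flag"    # potentially inaccurate: ask the customer to confirm or purge
    return "keep"

def run_review(records, today):
    """Apply the policy to all records; return (actions by id, audit log lines)."""
    actions, log = {}, []
    for rec in records:
        action = review_record(rec, today)
        actions[rec.record_id] = action
        log.append(f"{today.isoformat()} {rec.record_id} {rec.category} {action}")
    return actions, log

# Constructed sample data and review date (not taken from the article).
REVIEW_DATE = date(2020, 9, 15)
SAMPLE = [
    Record("r1", "shipping_address", date(2020, 5, 1)),               # 137 days old
    Record("r2", "phone", date(2020, 8, 20)),                         # 26 days old
    Record("r3", "invoice", date(2019, 1, 10)),                       # old, but legally retained
    Record("r4", "shipping_address", date(2020, 8, 20), True),        # consent revoked
]

if __name__ == "__main__":
    _, lines = run_review(SAMPLE, REVIEW_DATE)
    print("\n".join(lines))
```

The log lines are the "data logs" the article refers to: they record which records were considered inaccurate and when, which is what a later audit needs.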

Take the Next Step to Backup Compliance

Keeping your backup data compliant and ready for action has become a more complex and delicate process with the advent of GDPR. But with careful planning and the introduction of effective policies, it can quickly be mastered – and provide a few additional business benefits along the way. Our Managed Backup team is happy to assist; just reach out to them.


Blog Editorial Team
