How to Keep Your Data Backup GDPR Compliant

Under GDPR, keeping your data backups compliant can be quite a challenge. Technical and organizational measures must be taken to meet the compliance requirements. Here is what you need to consider when setting up your data backup compliance strategy.

Picture the scene: the charismatic ‘one-club’ local hero, the aging warhorse in his final season, sat on the bench waiting for one last great hurrah. Then the call comes; an injury to the star player means the veteran is needed.

He stands up, then realizes he’s forgotten to pack his trainers, or even to get changed – so much for an effective backup.

Yet in the world of business, an increasing number of vital data reserves are not fit for purpose. Certainly from a GDPR perspective, any backed-up data runs the risk of not being fully prepared – or compliant.

All of which can leave the team short, and compromise your chances of future glory.

Technical and Organizational Measures

Backup is essential to ensuring your business data is always available where and when it’s needed – that’s why many companies regularly perform the action as part of their day-to-day IT activities.

The challenge that GDPR presents, however, is to ensure the process doesn’t violate the rights of the ‘data subject’. Doing this, and achieving total coverage, requires the introduction of appropriate technical and organizational measures.

Should You Be Updating Backed-up Data?

Think of what happens when a person orders a pair of shoes online:

  • Once the item is selected, most people will prefer the convenience of having their items shipped rather than collecting in person
  • They will input their address details
  • In many instances, this will actually be a work address to help guarantee that someone will be on hand to receive the goods during office hours

Sounds simple, and indeed it is. Complexity only enters the picture when you consider what happens next to the data. That’s because the company selling the shoes now has the responsibility of keeping this data up-to-date in their database – as well as in the database of the shipping company that made the delivery.

What’s more, because a work address was provided, the data quality has the potential to quickly decay – and will do so the moment the person changes jobs. All of which points to a sizeable task, but one that’s relatively easy to accomplish with your current database.

But what of the data being backed up?

Restoring Data = Processing Data

Technically it’s not possible to remove individual records from a backup file. Try to do that and you run the risk of corrupting the backup. In fact, you can only restore a backup – which means the data becomes visible again. Under GDPR, that restore is itself an act of processing, and in doing so you’ve possibly violated the rights of the data subject.

Which brings us back to “appropriate organizational measures”.

In order to comply with GDPR, organizations need to document – in as detailed a manner as possible – their policies and procedures for handling personal data. Included in this is the ability to demonstrate that data the subject is entitled to have deleted will in no way be restored into the production system.

Constantly Deleting Data Inaccuracies

Another question to answer is: how long will you need to keep a backup of your data? With GDPR it’s most likely that companies will become increasingly strict in retaining data for only as long as necessary – to support operations and legal obligations.

At the same time, there should also be increased vigor in deleting inaccurate data. This, of course, places the spotlight on the measures being taken to keep the data accurate in the first place!

To return to the case of the shoe retailer, they could approach such a task by asking customers to log in to their website to amend any incorrect data. As long as this request is easy for each customer to complete, it should help ‘catch’ any errors – and provide a simple way for them to revoke their consent.

Exploring all Possibilities

Other options include:

  • Implementing a review of the retained data every three months
  • Defining a policy that considers data older than three months to be potentially inaccurate and therefore not worth keeping
  • Using data logs to know which data is considered inaccurate
  • Keeping data with a short validity (e.g. shipping address, phone number etc.) separate from data that has to be retained for other legal requirements (e.g. invoices)
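Since records cannot be removed from the backup file itself, the measures above have to be applied when the backup is reviewed or restored. The following is an added example (not code from the original article or its Managed Backup service) that applies an assumed policy of this kind to constructed sample records: short-validity data older than three months is treated as inaccurate, invoices are kept for an assumed legal retention period, entries flagged in a data log are dropped, and subjects who have revoked consent are excluded so their data never flows back into production. Category names, retention periods and sample records are assumptions.

```python
from datetime import date, timedelta

# Assumed policy values, modelled on the options listed in the article.
SHORT_VALIDITY = {"shipping_address", "phone"}           # assumed categories
LEGALLY_RETAINED = {"invoice": timedelta(days=365 * 10)}  # assumed retention
STALE_AFTER = timedelta(days=90)                          # "three months"


def classify(record, today, corrections, erasures):
    """Decide what happens to one backed-up record at restore time.

    Returns 'keep' (restore), 'purge' (stale or known inaccurate) or
    'exclude' (subject revoked consent; must not re-enter production).
    The backup file itself is left untouched.
    """
    if record["subject"] in erasures:
        return "exclude"
    if (record["subject"], record["category"]) in corrections:
        return "purge"  # flagged inaccurate in the data log
    age = today - record["captured"]
    cat = record["category"]
    if cat in SHORT_VALIDITY:
        return "purge" if age > STALE_AFTER else "keep"
    if cat in LEGALLY_RETAINED:
        return "keep" if age <= LEGALLY_RETAINED[cat] else "purge"
    return "purge"  # no documented basis to retain an unknown category


def review(records, today, corrections=frozenset(), erasures=frozenset()):
    """Quarterly review: group record ids by the decision taken."""
    out = {"keep": [], "purge": [], "exclude": []}
    for r in records:
        out[classify(r, today, corrections, erasures)].append(r["id"])
    return out


# Constructed sample contents of a backup (not real data).
SAMPLE = [
    {"id": 1, "subject": "alice", "category": "shipping_address", "captured": date(2020, 1, 10)},
    {"id": 2, "subject": "alice", "category": "invoice", "captured": date(2020, 1, 10)},
    {"id": 3, "subject": "bob", "category": "phone", "captured": date(2020, 6, 1)},
    {"id": 4, "subject": "carol", "category": "shipping_address", "captured": date(2020, 6, 20)},
]

if __name__ == "__main__":
    # Review as of 1 July 2020 with one logged correction and one revoked consent.
    print(review(SAMPLE, date(2020, 7, 1), corrections={("bob", "phone")}, erasures={"carol"}))
```

The decisions, together with the data log and the list of revoked consents, are the evidence you would keep to document that the policy was applied.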

Take the Next Step to Backup Compliance

Keeping your backup data compliant and ready for action has become a more complex and delicate process with the advent of GDPR. But with careful planning and the introduction of effective policies, it can quickly be mastered – and provide a few additional business benefits along the way. Our Managed Backup team is happy to assist; just reach out to them.

Author

Blog Editorial Team
