How to Keep Your Data Backup GDPR Compliant

In times of GDPR it can be quite a challenge to keep your data backups compliant. Technical and organizational measures must be taken to meet compliance standards. Here is what you need to consider when setting up your data backup compliance strategy.

Picture the scene: the charismatic ‘one-club’ local hero, the aging warhorse in his final season, sat on the bench waiting for one last great hurrah. Then the call comes; an injury to the star player means the veteran is needed.

He stands up, then realizes he’s forgotten to pack his trainers, or even to get changed – so much for an effective backup.

Yet in the world of business, an increasing number of vital data reserves are not fit for purpose. Certainly from a GDPR perspective, any backed-up data runs the risk of not being fully prepared – or compliant.

All of which can leave the team short, and compromise your chances of future glory.

Technical and Organizational Measures

Backup is essential to ensuring your business data is always available where and when it’s needed – that’s why many companies regularly perform the action as part of their day-to-day IT activities.

The challenge posed by the GDPR, however, is to ensure the process doesn’t violate the rights of the ‘data subject’. Doing this, and achieving total coverage, requires the introduction of appropriate technical and organizational measures.

Should you be Updating Backed up Data?

Think of what happens when a person orders a pair of shoes online:

  • Once the item is selected, most people will prefer the convenience of having their items shipped rather than collecting in person
  • They will input their address details
  • In many instances, this will actually be a work address to help guarantee that someone will be on hand to receive the goods during office hours

Sounds simple, and indeed it is. Complexity only enters the picture when you consider what happens next to the data. That’s because the company selling the shoes now has the responsibility of keeping this data up-to-date in their database – as well as in the database of the shipping company that made the delivery.

What’s more, because a work address was provided, the data quality has the potential to quickly decay – and will do so the moment the person changes jobs. All of which points to a sizeable task, but one that’s relatively easy to accomplish with your current database.

But what of the data being backed up?

Restoring Data = Processing Data

Technically it’s not possible to remove data from a backup file. Try to do that and you run the risk of compromising the data. In fact, you can only restore a backup – which means the data will become visible again. Do that and you’re seen as having processed the data, and in doing so, you’ve possibly violated the rights of the data subject.

Which brings us back to “appropriate organizational measures”.

To comply with GDPR, organizations need to document – in as detailed a manner as possible – their policies and procedures for handling personal data. This includes the ability to demonstrate that the data will in no way be restored into the production system.

Constantly Deleting Data Inaccuracies

Another question to answer is: how long will you need to keep a backup of your data? With GDPR it’s most likely that companies will become increasingly strict in retaining data for only as long as necessary – to support operations and legal obligations.

At the same time, there should also be increased vigor in deleting inaccurate data. This, of course, places the spotlight on the measures being taken to keep the data accurate in the first place!

To return to the case of the shoe retailer, they could approach such a task by asking customers to log in to their website to amend any incorrect data. As long as this request is easy for each customer to complete, it should help ‘catch’ any errors – and provide a simple way for them to revoke their consent.

Exploring all Possibilities

Other options include:

  • Implementing a review of the retained data every three months
  • Defining a policy that considers data older than three months to be potentially inaccurate and therefore not worth keeping
  • Using data logs to know which data is considered inaccurate
  • Keeping data with a short validity (e.g. shipping address, phone number etc.) separate from data that has to be retained for other legal requirements (e.g. invoices)

Take the Next Step to Backup Compliance

Keeping your backup data compliant and ready for action has become a more complex and delicate process with the advent of GDPR. But with careful planning and the introduction of effective policies, it can quickly be mastered – and provide a few additional business benefits along the way. Our Managed Backup team is happy to assist; just reach out to them.

  • Thursday 09 August 2018

Author

SoftwareONE Blog Team

Blog Editorial Team Trend Scouts

IT Trends and industry-relevant Novelties
