First, let's walk through a scenario. Kevin is the Data Protection Officer (DPO) at a large company based in Houston. The company sells its products to a global customer base and uses a Customer Relationship Management (CRM) tool alongside many other digital tools and platforms, so customer data ends up stored in many different places.
The company recently reworked its network infrastructure, including a mass migration of its internal apps to the cloud. Customer data is now spread across a hybrid environment: some of it in the cloud for ease of access, the rest in the company's own data centers, where it keeps data it considers more sensitive.
Because the company offers its products to people in the European Union, it must comply with the General Data Protection Regulation (GDPR), the EU's data protection law governing the collection, storage, and use of personal data of individuals in the EU. The GDPR applies to organizations anywhere in the world that offer goods or services to people in the EU, not only to EU-based companies, and it protects anyone in the EU regardless of citizenship.
After a security incident last week, it took the IT team at Kevin's company almost a full workday to restore from backups and recover the affected data. In some cases the most recent backup was days old, and the data created since then was lost for good. The recovery itself was complex and slow because there were several independent backups to restore, including app- and platform-specific ones, each with its own restore procedure and tooling. The team had to be trained on every one of those recovery systems separately, which made the whole process laborious and error-prone.
For Kevin as the DPO, that meant trouble. With a global customer base, GDPR compliance was the key consideration in this scenario. The GDPR does not demand instant recovery, but Article 32 requires a controller to be able to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident, and personal data that is permanently lost is itself a breach that may have to be reported to the supervisory authority within 72 hours under Article 33. Despite the quick backup and recovery process offered by M365, many data sets stored outside of M365 were not recovered in time, and some were never recovered at all. That was a major hit not only to Kevin's standing as DPO but also to the company's bottom line, because the company could not show that it had met these obligations and was exposed to the substantial fines the GDPR allows for such failures.