Backups & GDPR – why this could be the end of OnPrem backups

Continuing the theme of information security and the responsibility of companies to safeguard personal data: backups are a subject that often gets ignored.

The following comes directly from the GDPR, Article 32(1) (security of processing):
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Backup types
There are two main backup scenarios, cloud and on-premise (OnPrem), and many organisations use both.

Whatever the method, one thing is common to both: preventing unauthorised access to the data in the event of theft or a hack.
Encryption
This is done by encrypting the data with an encryption key, so that nobody who does not hold the corresponding decryption key can read it.
Most backup products include encryption as a standard option and it is easy to switch on. What is not automatic is the key. It must be stored somewhere other than the backup media (a thief who gets both gets the data), it must be backed up itself, and a lost key means a backup that can never be restored, which fails the availability requirement in (c) above just as surely as a lost tape.
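As an added illustration (not code from the original post), the following Go program shows what the encryption point and the restore requirement look like in practice, using only the Go standard library: it encrypts a backup set with AES-256-GCM so that a wrong key or a damaged copy is rejected outright rather than yielding unreadable garbage, records a digest of the plaintext in a backup catalogue, and runs a restore test against that digest, which is the kind of regular check clause (d) above asks for. The function names, the sample backup set and the fixed demo key are this example's own assumptions; in real use the key comes from a key manager or hardware token and is never stored alongside the media.

```go
// Added example for this post, not the author's code: encrypt a backup set with
// AES-256-GCM, then prove it restores. Standard library only; the function names,
// the sample data and the demo key are this illustration's own assumptions.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM cipher; GCM gives confidentiality plus an
// authentication tag, so any change to the stored bytes is detected on restore.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("backup key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Digest is the hex SHA-256 of the plaintext backup set; it is recorded in the
// backup catalogue so a later restore can be checked byte-for-byte.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// MakeBackup returns nonce||ciphertext||tag. A fresh random nonce per backup is
// mandatory with GCM; reusing one under the same key breaks the scheme.
func MakeBackup(plain, key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// RestoreBackup decrypts a backup set. GCM verifies the tag before releasing
// plaintext, so a wrong key or a damaged copy yields an error, never garbage.
func RestoreBackup(ciphertext, key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("backup too short to contain a nonce")
	}
	plain, err := aead.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("restore failed: %w", err)
	}
	return plain, nil
}

// RestoreTest is the "regularly testing" step of clause (d): restore the set and
// compare it with the digest recorded when the backup was taken.
func RestoreTest(ciphertext, key []byte, expectedDigest string) error {
	plain, err := RestoreBackup(ciphertext, key)
	if err != nil {
		return err
	}
	if got := Digest(plain); got != expectedDigest {
		return fmt.Errorf("restore test failed: digest %s, catalogue says %s", got, expectedDigest)
	}
	return nil
}

func main() {
	// Constructed sample backup set and a fixed demo key. A real key comes from
	// a key manager or hardware token and is never stored with the media.
	backupSet := []byte("id,name,email\n1,Ann,ann@example.org\n2,Bob,bob@example.org\n")
	key := bytes.Repeat([]byte{0x42}, 32)
	ct, err := MakeBackup(backupSet, key)
	if err != nil {
		panic(err)
	}
	catalogueDigest := Digest(backupSet)
	fmt.Println("restore test, correct key:", RestoreTest(ct, key, catalogueDigest))
	_, err = RestoreBackup(ct, bytes.Repeat([]byte{0x43}, 32))
	fmt.Println("restore with wrong key:", err)
	ct[len(ct)-1] ^= 0x01 // a damaged or tampered copy of the media
	fmt.Println("restore test, modified copy:", RestoreTest(ct, key, catalogueDigest))
}
```

Run it with `go run` and the first restore test reports `<nil>` while the wrong-key and modified-copy cases both report an authentication error. The point for a backup schedule is the last function: a restore test that decrypts and compares against the catalogue digest is something that can be run automatically and its result logged, which is the evidence clause (d) is really asking for.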
Cloud Backup
A cloud backup is, as the name says, your data sent to a backup service over the internet.  There are additional GDPR issues to consider with cloud backups; see the previous blog article.
Because you are responsible for any personal data you store digitally, it is also your responsibility to ensure that the cloud backup supplier meets the criteria of GDPR and that you have taken all reasonable steps to vet them for compliance.  This article discusses this in more detail.
Additional considerations with cloud storage include data on EU citizens being stored outside the EU.  This has ramifications not only for vendors like DropBox and OneDrive but for all Backup as a Service (BaaS) providers.
OnPrem Backup
This is the traditional way of backing up your data.  It uses tape or disk, to which the data is copied and which is then physically taken off-site.
With encryption, if the media is stolen the data cannot be read without the decryption key.
Is this scenario GDPR compliant?  Current thinking is no, because physically taking media off-site usually means in someone's briefcase or pocket, which is not considered sufficiently secure.
Why?  It comes down to the ability to restore the data, see (c) above.  If a disk or tape is stolen, or even damaged, you cannot restore from it.  (Loss or damage of a single piece of media is not an issue with a cloud backup, although the supplier's own ability to restore in a timely manner is then part of what you must vet.)
