iQoncept - Fotolia
GDPR and backup: What have we learned in one year?
A customer's deletion request continues to be a sticking point regarding backup and GDPR compliance. Learn guidance about this issue and others, following GDPR's first birthday.
After a year living with the General Data Protection Regulation, organizations have learned some lessons around backup strategy and execution that specifically meet GDPR requirements.
May 25 marked the one-year anniversary of GDPR implementation. In a year's time, there have been about 100 fines handed out -- including a massive $57 million fine to Google -- showing that GDPR has teeth, and the European Union isn't afraid to use them.
Since the first rumblings of GDPR, backups have been a heated topic. Many organizations tried to figure out what is required of their GDPR and backup strategy to ensure compliance.
Backups and business continuity
Part of the GDPR includes an organization's requirement to respond to user requests within a reasonable amount of time. According to the French supervising authority, the National Commission on Informatics and Liberty (CNIL), this is generally considered a month's time.
So, you may be thinking, "I have a month if anything goes down. I'm good." But when you look at cyberattacks such as the ransomware attack that has the city of Baltimore taking multiple weeks for operational recovery, a month no longer sounds like enough time. Your backups need to facilitate a speedy recovery of any part of your operation that involves personal data.
CNIL has put out a guide on how to secure personal data, which includes recommendations around backups to ensure operations. In general, your recovery strategy needs to give you the ability to recover not just data, but also deal effectively with the underlying security that protects the systems and applications that interact with personal data.
Backups and the right to be forgotten
There are two issues at play with an EU citizen's ability to ask an organization to remove any record of data. The first is the question of "Does a deletion request include removing data from backups?"
In the last year, several EU supervising authorities have released recommendations on how to address this issue of GDPR and backup. The Danish authority, the Data Inspectorate, states deletion of record data from backups is mandatory "if this is technically possible." CNIL holds that record data does not need to be deleted from a backup. But, according to a Quantum blog, CNIL said "organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time (indicate the retention time in your communication with the data subject)."
The second issue around GDPR and backup is that, should an organization delete a record and then recover from an older backup (containing the now-deleted record), the deleted record will be reanimated and put back into production, making the organization noncompliant.
The Data Inspectorate advises organizations need to maintain an index of requested deletes -- using non-identifiable markers, such as a database row number rather than personal detail -- that correspond to a given backup's retention time. This way, should recovery require the use of an older backup containing now-deleted records, the re-deletion of such records can take place.
GDPR and backup: To the future
I don't expect much to change with GDPR and backup in the coming years, unless specific circumstances arise that demand a change in policy around backups, such as a hacker specifically stealing an older backup and leaking the data to hurt an organization financially. The bottom line is an organization should have an operational policy around access to, management of and backup of personal data -- and have documentation showing what's transpired with regard to any copies of backups containing personal data and that it aligns with policy.