What is GDPR?

GDPR stands for the EU General Data Protection Regulation. It is data protection legislation for the European Union that defines privacy practices for our personal data. So, you might ask why we are talking about a regulation that is EU-based. Well, the ramifications of this regulation have global significance.

Traditional data protection regulations are general regulations that are focused on corporate ownership of personal information. What's different about this regulation is that it defines rules that say corporations are merely trustees of the data, while ownership belongs to the individual. Therefore people now have the right to tell companies how they handle their personal data, who they share it with and whether they can keep it. Companies are also required to give you access to your data. In addition, they have 72 hours to report breaches or face fines potentially in the millions of dollars or up to 4% of their annual revenue. This is a HUGE change with HUGE consequences!

Now, clearly this is not the law of the land in the United States. However, most organizations that people do business with have an international presence. So with GDPR, any information that is flowing in and out of the EU has to comply with this regulation. Therefore major US firms with international presence will have to conform to a single standard in order to comply with this regulation. According to PwC, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Therefore, the regulation will likely become a de facto standard, since it will be very difficult and costly to maintain different standards of securing personal data. United States legislation similar to GDPR will likely follow in the years to come.

BC/DR and GDPR

This is a business continuity blog, so we will talk about the GDPR in terms of BC/DR. When you protect your data from disasters, you now also have to think about the security of the backup data.

Article 32 of the GDPR states: “(a) the pseudonymisation (obfuscation) and encryption of personal data.”

Article 4 of the GDPR states: “(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

First, your data will require encryption both at the application level and in backups. Backups are likely sent offsite, so encryption of these will be essential. Local backups should be encrypted. If they are copied offsite to a SAS 70, SSAE 16 or SOC compliant data center, the data should be encrypted in flight as it moves from your premises into the remote data center. It should be stored in the remote data center on systems that provide data encryption at rest. People need to ask service providers how they are securing those backups. In short, the data must be secured end-to-end.
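As an added example (not code from the original post), the following Go program shows the two Article 32 measures the paragraph above applies to backups: pseudonymising a direct identifier with a keyed hash (HMAC-SHA256) before it is written into the backup, and sealing the backup blob with AES-256-GCM so the copy sent offsite is encrypted at rest and any tampering or corruption is detected on restore rather than silently restored. The keys, the sample record and the backup file name are constructed placeholders; the function names `Pseudonymise`, `SealBackup` and `OpenBackup` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Pseudonymise replaces a direct identifier (e-mail address, customer number)
// with a keyed hash. Without pseudoKey the output cannot be linked back to the
// person; an unkeyed SHA-256 could be reversed by hashing likely inputs.
func Pseudonymise(pseudoKey []byte, identifier string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// SealBackup encrypts a backup blob with AES-256-GCM under a 32-byte key.
// label is authenticated but not encrypted (e.g. the backup's file name and
// date), so a ciphertext cannot be silently swapped into a different backup.
// Output layout: nonce || ciphertext || authentication tag.
func SealBackup(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenBackup reverses SealBackup. Any modification to the sealed bytes or a
// mismatched label makes the tag check fail, so restore refuses corrupted or
// tampered backups instead of quietly restoring garbage.
func OpenBackup(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("backup key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample keys: in practice these live in a KMS or HSM,
	// never next to the backups they protect.
	pseudoKey := make([]byte, 32)
	backupKey := make([]byte, 32)
	if _, err := rand.Read(pseudoKey); err != nil {
		panic(err)
	}
	if _, err := rand.Read(backupKey); err != nil {
		panic(err)
	}

	// Constructed sample record: pseudonymise the identifier before it is
	// written into the backup, then seal the whole record.
	record := fmt.Sprintf("customer=%s;order=10042;total=59.90",
		Pseudonymise(pseudoKey, "alice@example.com"))
	label := []byte("orders-2018-05-25.bak") // constructed backup name

	sealed, err := SealBackup(backupKey, []byte(record), label)
	if err != nil {
		panic(err)
	}
	restored, err := OpenBackup(backupKey, sealed, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("restore ok:", bytes.Equal(restored, []byte(record)))

	// Flip one byte of the stored copy: restore must fail, not return garbage.
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenBackup(backupKey, sealed, label)
	fmt.Println("tampered backup rejected:", err != nil)
}
```

Because the blob is sealed before it leaves your premises, the hosting data center only ever stores ciphertext and the key stays with you, which is the practical answer to the question of how a service provider is securing those backups. The label binds each sealed file to its name and date, so a restore of the wrong backup under the right key is refused as well.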

Second, resilience will require either high availability of application servers or expeditious execution of a disaster recovery plan, which must include a plan to test its effectiveness.

The business continuity impact analysis should include an assessment of the security of the data that is part of your BC/DR plan. Making sure data is secure reduces the risk of breaches inside or outside the company.

Clarity Required

However, this new regulation raises a lot of questions about the end of life of personal data. For example:

  1. If a person wants to be forgotten or erased, do you have to remove this data from your backups?
  2. If yes, do you have to inform the person that their data has been erased from production, backup, and archival systems?
  3. What happens if you restore a server that has data on a person who has requested to be erased?

There are a lot of questions that will need to be clarified in the months and years to come, but one thing is for sure: get ready for major requirements soon to secure other persons' data in your BC/DR strategy, not only in the EU but also in the United States.
