Do you know how GDPR will affect your backup processes? Take a look at how you can make sure you adhere to regulations.
With GDPR regulations enforceable from May 2018, you may have noticed lots of people giving advice on how to protect your data. But how does it change the way the deletion of data is handled?
Article 17 of the GDPR states that people have the Right to Erasure (aka the Right to be Forgotten). People have the right to obtain erasure from the data controller without delay. This simply means they can contact you and ask you to remove all records about them from your data. There are many circumstances where this is applicable, including when:
- The business no longer needs the data.
- The subject withdraws their consent.
- The subject uses their right to object to the data processing.
- The data is being processed unlawfully by the controller or processer.
- The data is legally required to be erased.
- The subject was a child at the time the data was collected.
So people have the right to revoke their consent and have their personal data removed from all systems. How does this affect your back-up data?
Most businesses complete a back-up at least once a day. These back-ups are stored as server images and an image of the live data is captured. Once that server image has been captured, it can’t be edited. So, what happens if a business backs up their data in the morning, someone requests their data be deleted and then the server fails later that day? The back-up server image will then be restored and that person will find their data is back on the system.
Under the new GDPR regulations, this can lead to your business facing profound consequences. Although it is likely to only affect a small amount of people, it is important to have the processes in place to deal with situations like this.
So what do you do?
The only way to ensure data is deleted as soon as possible, is to hold paper records of every person who requested to be removed. You then have a record, should you need it in the event of an IT failure. Once the next backup is done, you can simply shred the paper record. Today, companies rarely rely on paper records but if you use an electronic document, that will be on your servers and lost in the event of an IT failure. This is simply an extra precaution to make sure your subject’s data is forgotten as soon as possible.
It may be that you need to review all data capture and processes before the new GDPR legislation comes into action, to allow you to make any changes necessary. Or, your business may need to increase the number of back-ups conducted to make sure they are as in line with your live data as possible.
The fact is, IT disasters happen. You may not be able to prevent them, but you can prepare for them. Please give us a call if you would like more information on how to make sure you’re back-up processes are in line with the new GDPR regulations.