Cloud Backup & Disaster Recovery
The General Data Protection Regulation (GDPR) is a new law that is intended to strengthen and harmonise data protection.
May 25th 2018
Whether you are a small business or a large corporate, with the May 25th 2018 deadline to be GDPR compliant approaching, it is something you need to consider and act on for your organisation. The following information is not designed to offer all the answers on what GDPR means to you and your organisation. However, we will look at how the cloud backup and disaster recovery services offered by AssureStor can assist you and your organisation in working towards GDPR compliance.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new law that is intended to strengthen and harmonise the data protection rights of individuals within the European Union (EU), but it also addresses the export of any personal data to countries outside the EU. GDPR is much broader and stricter than the 1995 EU Data Protection Directive, which it will replace.
GDPR applies not only to businesses located within the EU, but also to businesses that offer goods and services to, or otherwise monitor, individuals located in the EU. This means that businesses with no operations in the EU may still need to operate according to GDPR’s requirements. It is likely that governments of countries outside the EU will implement similar laws. GDPR will be enforced by data protection authorities, and failure to comply with its terms will lead to fines up to a whopping 4% of annual global turnover or €20,000,000 (whichever one is higher).
What is the Role of Backup and Disaster Recovery Within GDPR?
An area of GDPR that most organisations will want strong compliance with is minimising the risk of a personal data breach. This is the definition of a personal data breach from GDPR:
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
From this definition, even the accidental deletion of data, or dealing with a ransomware infection, can mean an organisation having to report a breach. Throughout the regulation, it is stated multiple times that organisations have to take “appropriate technical measures” to comply, yet the regulation does not specify any requirements on “how” or what is considered “appropriate”.
The Specifics Around Security of Processing Within GDPR
Article 32 of GDPR covers the security of processing personal data, which also applies to any backup or disaster recovery solution that you implement.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate
The four elements of this section include:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
How AssureStor Addresses These GDPR Requirements
the pseudonymisation and encryption of personal data
As AssureStor only protects the data from your organisation, we are unable to address the pseudonymisation of the data; this should be dealt with prior to the data being backed up or replicated for disaster recovery. However, all AssureStor services provide for the encryption of all data flows from your organisation to our cloud platforms, ensuring that your data is protected whilst in transit. In addition, all cloud backup services include additional layers of encryption, ensuring that even whilst at rest your organisation’s data is stored in a secure encrypted format that only you can access using your unique private key.
the ability to restore the availability and access to personal data in a timely manner
Our Cloud Backup and Disaster Recovery platforms all deliver ultra-low recovery times for restoring and recovering your critical data and systems. Our cloud backup platforms allow you to recover data at a file level, ensuring that you can restore the specific data you need with no delays such as searching for the correct tape, or needing to physically ship data from an off-site location. Our disaster recovery solutions focus even more on the rapid recovery of your systems at a server or application level, minimising downtime from both macro disasters such as fire, flood, and natural disaster, through to the more common micro disasters such as disk corruption, hardware failure, and user error.
the ability to ensure the ongoing confidentiality, integrity, availability and resilience
Through the implementation of cloud backup and cloud disaster recovery, AssureStor can maximise the availability of your critical IT estate, providing recovery times that can be measured in seconds. With services that can protect data either on a scheduled basis or continuously, you can ensure that the right level of protection is applied at a granular level. And as all data protected by AssureStor is maintained within geo-diverse data centres located within the UK, our services offer an additional layer of resilience without the need for expensive investment in additional locations.
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures
From the automation and continuous testing of all data backed up, through to the regular testing of complete servers protected for disaster recovery, AssureStor is able to ensure that you can easily test that all data stored within one of our platforms can be recovered with minimal effort and no impact to your day-to-day business. With comprehensive auditing for all platforms, organisations can report and demonstrate that data being held for backup and disaster recovery purposes is only accessible by authorised users.
Download the Asigra GDPR datasheet for more information on how Asigra technology, powering the backup2cloud enterprise platform, aids organisations in meeting their GDPR compliance requirements.
How Can Zerto Aid With GDPR Datasheet
Are you interested in how Zerto technology, powering the dr2cloud virtual platform, can aid with GDPR compliance? If you are, download this Zerto datasheet today.