What does GDPR readiness involve and how do backup and recovery come into it?
GDPR is the European Union’s General Data Protection Regulation, which came into effect on May 25, 2018. It gives data subjects more control over their personal data while providing businesses with the benefit of a level playing field through the harmonization of data privacy laws across Europe.
Who does it apply to?
GDPR is applicable to all organizations within the EU and to any businesses located elsewhere that process and hold personal data from EU residents or monitor their behaviour (such as through website cookies), that provide and promote goods and services to EU citizens, and/or have employees who are EU residents.
What if I don’t comply?
Proper usage of consumer personal data makes good commercial sense not only from an ethical and customer service perspective, but also when considering the financial (and reputational!) risks involved in non-compliance.
Much of what the GDPR states is not new – requirements were already in place through the EU’s Data Protection Directive 95/46/EC.
What is new, however, is that the GDPR legislation is more stringent and wide-reaching and brings with it a tiered penalty structure which introduces hefty fines for breaking the rules. We’re talking fines of up to 4% of the annual global turnover of the organization found to be in breach, or €20 million – whichever is the greater.
That is apart from the cost of a data breach itself: IBM’s 2017 Cost of a Data Breach Study, conducted by the Ponemon Institute, gives the average cost of a data breach as US$3.62 million globally, with the average cost of a data breach in the US being US$7.35 million. The average cost for each lost or stolen record containing sensitive and confidential information is reported to be US$141, with this figure increasing to US$380 per record in cases of healthcare breaches. Costs cited factor in breach response activities, reputational damage and lost business.
How do I comply?
Needs and requirements differ for each individual organization, depending on that organization’s functions, interactions, practices and extent of personal data processing. It is therefore essential to seek professional advice to gain clarity, to conduct a GDPR compliance assessment for your organization and to build an appropriate, custom-made compliance strategy.
However, here’s a quick summary to give you a general idea.
The first step is to identify the critical data flows within your organization pertaining to personal data, and determine your organization’s role for each critical data flow identified, as defined by GDPR:
GDPR impacts data controllers and data processors; and cloud providers are not exempt in either case.
- Controller – Entities that determine the purposes, conditions and means of processing personal data are data controllers (for example, by deciding what personal data to keep and how to use the personal data collected). Examples of controllers include educational and research organizations, healthcare services, or any business that manages employee and customer personal data.
- Processor – Data processors are entities which process personal data on behalf of the controller, such as processing or storing information about individuals. An example of a processor would be a cloud provider, such as a software as a service (SaaS) offering like a CRM platform.
The Regulation governs the following main principles to empower data subjects and expand their rights:
- Clarity – Simple, clear and specific language must be used when requesting consumer consent for data processing purposes, coupled with an opt-out option for a consumer to withdraw that consent.
- Accessibility – EU residents have the right to access their personal data held by organizations. Data subjects may submit a data access request, and within thirty (30) days the organization must provide the data subject with his/her personal data.
- Data erasure – This right to be forgotten entitles a data subject to have an organization delete his/her personal data and remove all traces of that data from its systems.
- Portability – This is a newly introduced right for data subjects to transmit the personal data concerning them from one entity to another.
- Breach notification – Organizations need to notify affected individuals and the relevant authorities within given timeframes should a data breach occur.
GDPR also requires organizations to set retention periods for the different categories of personal data held, so as to ensure that data is only maintained for the purpose for which it was originally provided. GDPR also specifies when organizations need to appoint a Data Protection Officer (DPO).
For in-depth information, visit the European Commission’s website.
GDPR and data storage and recovery
One area of GDPR concerns data recovery and the practical, technical aspects of data storage. For reliable, powerful virtual machine (VM) and Office 365 backup and recovery respectively, here’s how Altaro VM Backup and Altaro Office 365 Backup can help you meet these GDPR requirements:
- Fast and complete data recovery
GDPR requires that organizations have the means necessary to restore data as quickly and fully as possible in the case of an outage or fault – or even in the event of a ransomware attack.
Altaro VM Backup does this by enabling you to boot any VM version from the backup location without affecting backup integrity and through Continuous Data Protection (CDP) that reduces the Recovery Point Objective (RPO) to a few minutes.
Altaro Office 365 Backup enables you to back up your Microsoft Office 365 mailboxes and files stored within OneDrive accounts and SharePoint Document Libraries several times a day, thus offering a short recovery point objective (RPO). Data can be recovered in its entirety or granularly, to the original user or an alternate user, or exported out of the cloud.
- Ability to find a particular data record
Altaro VM Backup comes with granular restore options for full VM or individual files or emails, enabling you to drill down into your backup and retrieve individual files with a few clicks. Likewise, with Altaro Office 365 backup, you can conduct full, item level or granular restore of mailboxes and files stored within OneDrive and SharePoint.
- Data encryption – Altaro provides robust 256-bit data encryption.
- Data exporting – With Altaro, you can export your data in a commonly used format for easy portability.
- Backup verification testing
Ensure you always have healthy, intact backups with Altaro VM Backup's unique Backup Health Monitor, which proactively monitors the health of your backup storage. Should any corruption be detected, the block(s) in question will be repaired automatically as part of the next backup job.
You can also run manual or automated integrity checks of your backup data through Altaro’s sandbox restore and verification features.
- Storage location control
Altaro VM Backup gives you a selection of storage options to choose from so you can control where your data is stored.
Altaro Office 365 Backup includes storage in its per-user cost. Data is stored at rest in Microsoft Azure blob storage in the Azure West Europe region (Netherlands). This location was selected after a due-diligence process that considered the physical security, certification, scalability, reliability, security and financial stability of the location.
See for yourself how Altaro Backup solutions can help with your GDPR compliance activities by trialling them today. Are you an MSP? Try our free 30-day trials here.
Disclaimer: The information provided does not in any way constitute legal advice. Anyone who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.