The big challenge: backup and GDPR

GDPR (General Data Protection Regulation) came into force on 25 May, 2018. 

Much ink (both digital and real) has been spent on explaining this highly ambitious law. Millions of words on how to adapt personal data management of European citizens to the new realities of a digital world. All EU companies and public bodies are concerned along with all non-European organizations who handle data concerning European citizens.The right to be forgotten, the right to modify one's data and much more stringent rules on how to collect and conserve data are at the heart of this law whose basic aim is to protect individual privacy. GDPR has also served to underscore the impact of recent "data scandals" including the Cambridge Analytica story. The EU now has the power to punish, and punish severely any and all who do not respect the rules.

This blog post will not add an umpteenth voice to the impact and reach of GDPR but rather take a sideways look at what's at stake concerning data protection in general and backups in particular.

Interestingly, the 11 chapters and 99 articles which comprise GDPR legislation do not explicitly mention backup. What is addressed are the best practices for processing personal data. This processing includes the collection, modification, utilization, the confidentiality, the structure and conservation of data. Implicitly, we can consider that backup is part of data conservation (Article 4).

Article 32 requires that all data collecting/processing managers do everything in their power "to ensure a level of security appropriate to the risk".

These measures include:

• The pseudonymization and encryption of personal data
• Guaranteed confidentiality, integrity and availability of processed data
• Providing access to data after an incident
• Evaluate risks and provide proof of security measures in place

Here are the pillars of conformity that every self-respecting data protection system must adhere to:

• The encryption of all data both at rest or in transit. This also includes backed up data. Data access rights, duplication and restoration must be strictly controlled ideally with the implementation of audit trails showing who had access to which data and when.
• Data partitioning allows reliable and secure recovery of a targeted data set (files, VM, database…) or even full Disaster Recovery in the event of a major incident.
• A strong level of reporting. An organization which manages personal data must know where this data is at all times. If any data breach occurs, did this breach affect primary data or were any copies -including backups- also impacted and if so, which backups on which support.

GDPR gives all European citizens the right to access, modify and delete their own personal data. The organization responsible for this data must be able to modify, delete and move the data. Within a primary data source, this is typically straightforward. However, when it comes to backups, things are not always so simple. For example, how easy is it to remove a database table on one or more LTO tapes stored offline in a safe deposit box?

Accessing and modifying each example of customer data from several supports can be complex and costly for the data controller and processor. One personal data set is likely to be duplicated and stored in many locations on many varying supports (local and remote backups, on disk, tape, Cloud…).

In the light of the constraints and recommendations laid out in the GDPR, one practical response would be to implement:

• Regular backup recycling after a reasonable delay (typically after a few weeks). Backups, yes, but not for eternity! Avoid data sprawl -the often uncontrolled proliferation of data.
• Longer archiving remains possible because certain data can be kept for longer. This is particularly true for our customers' details. Bear in mind the importance of knowing  exactly where this data is stored.
• Masking personal information and only collecting essential data. This reduces the risks of data leakage and unauthorized exploitation. Masking sensitive data means an individual will be unidentifiable in a database or file. Of course, the pseudonymization is performed prior to backup and then propagated with each data copy.

Best Practice

RGPD certifications do not exist as yet. But many best practices do. Among these, full control of the backup chain via a centralized and unique console which enables you to protect all data from endpoint machines to data center storage silos. Another dimension is the capacity to search through the backed up data in unstructured file sets.

Towards data protection conformity

Whether your data is unstructured (files, images, emails etc.) or structured (databases) or a combination, GDPR effectively requires your storage infrastructure to have:

• Centralized adminstration and a level of integrated automatization within the backup solution. You should be able to include and exclude data to protect and retentions to apply whatever the storage support.
• A centralized catalog retracing each backup and archiving task with a very granular level of identification of each object (name, metadata, date, backup time...). Multi-criteria search for backed up data should be part of your solution to provide a cartography of the storage associated with each data set.
• A level of reporting where you can prove your data management solution is coherent.  Where is the data? Which employees can perform restoration? Has the data really been recycled etc. ?

For the key elements of this law, in particular relating to data privacy management, please visit the official GDPR website. GDPR documentation can be found here.

For more help on how Atempo can play a role in your GDPR compliance, please contact us here.