
6 GDPR implications on data backup and disaster recovery

The date May 25th 2018 has been etched into the brains of CIOs and business leaders across the European Union. If that date has no significance to you, then where have you been? It is of course the day the General Data Protection Regulation (GDPR) comes into force, and it has been looming over businesses since the Regulation was first proposed back in 2012.

So in the past 5 years how much preparation have you conducted to ensure you are compliant when the Regulation takes effect? With fines for non-compliance of up to €20 million or 4% of worldwide annual turnover, whichever is higher, GDPR is something we recommend looking into, as it will impact every business in the world that holds personal data on individuals in the EU.

In this particular blog post we look to address GDPR implications on your data backup and disaster recovery solution to help simplify your GDPR preparations:

GDPR Implication #1: 

Backup and disaster recovery is essential under GDPR

The following comes directly from the text of the Regulation. Article 32 (Security of processing) requires, among other technical and organisational measures:

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Article 32(1)(c) and (d); Security of Processing

From this, we can see that organisations are held responsible for their ability to recover, in a timely manner, the personal data they hold if it is lost or made inaccessible. In order to remain compliant, they must have the necessary backup and disaster recovery strategies in place and actively take the time to regularly test both the integrity of the backups and the effectiveness of the recovery process.

Otherwise, your organisation could be facing heavy fines for failing to protect the data that you hold and process. This is the harsh reality that we are now living in, and we are seeing more and more organisations fall victim to ransomware and other cyber attacks because they do not have the necessary backup and disaster recovery solutions in place. One caveat worth stating plainly: a backup that is permanently reachable with the same credentials as the live systems can be encrypted or deleted by the same attacker, so at least one copy should be kept offline or otherwise isolated from production. If this is an aspect that concerns you, we recommend reading our ransomware protection tips.

GDPR Implication #2:

Is your third-party provider compliant?

So, you have decided to outsource your backup and disaster recovery solution. That's great, but you are only part of the way to becoming compliant. Now you need to ensure that your chosen provider is also GDPR compliant.

Since they will be handling, managing, and backing up your data on your behalf, they fall under the title of 'data processor' and must follow the same data handling and protection rules as you do. You, as the controller, remain responsible for choosing a processor that can demonstrate this, and GDPR (Article 28) requires a written contract between you and the processor setting out what they may do with the data, the security measures they must apply, and how they assist you with breach notification and data subject requests. Ask for that contract, and for evidence of the security measures behind it, before any data is sent.

GDPR Implication #3:

How do you currently tackle data breaches?

Prior to the 25th May, you must take the time to assess your organisation's procedures for detecting and, now, reporting data breaches. What level of protection do you currently have and do you need to step it up? Do you feel 100% confident that you could tackle incoming or concealed cyber attacks? If not, then you should be looking for ways to strengthen your protection, and you must also be able to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), which means your detection and escalation process has to be quick enough to make that deadline achievable.

One effective way of increasing your confidence in your cybersecurity capabilities is becoming Cyber Essentials certified, which we have already done.

If you are not aware of this certification, it is a UK government-backed scheme that encourages businesses to maintain a baseline cybersecurity standard and demonstrate to their customers and partners that they are dedicated to improving their cyber capabilities. It requires the organisation to complete a self-assessment that is then verified by an external certification body. We have written separately about why we did it, and the scheme itself is described on the UK government's Cyber Essentials website.

GDPR Implication #4:

Data compliance is no longer just an IT or Legal concern

Due to GDPR being so wide-ranging in its force and applicability, it requires every individual in an organisation to be GDPR aware, rather than just IT and/or legal. 

The key to organisational compliance: training and educating your staff. Core training areas should revolve around how your employees seek, record and manage individuals' consent to hold their information, and how they recognise and escalate a suspected breach.

The Information Commissioner also recommends creating a new role or a new data compliance project team to ensure that your organisation remains compliant. These teams should be tasked with educating the rest of the organisation with new ways to think about data management and compliance. 

It should also be noted that a Data Protection Officer must be appointed where GDPR requires one (Article 37): for public authorities, and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data. Headcount alone does not decide this; the 250-employee threshold in the Regulation relates to record-keeping obligations, not to the DPO role.

GDPR Implication #5:

Regular data backups are essential

How often do you or your provider back up your data? If your backups are not automated then you will have to consider increasing the frequency at which they are taken to keep in line with your live data. GDPR requires you to be able to restore the availability of personal data in a timely manner, so the gap between backups (your recovery point objective) has to be short enough that a restore does not lose more data than your organisation can justify, and the time a restore takes (your recovery time objective) has to be one you have actually measured rather than assumed.

GDPR Implication #6:

Testing of your backup and disaster recovery solution

Does your DR and backup provider regularly test the effectiveness of their solution? This is something that you must consider before signing on the dotted line. Ask to see the results of their most recent restore test, including how long a full recovery took, rather than accepting a statement that testing happens. Again, a good indicator that they follow best practice would be Cyber Essentials certification.

With less than a year to go till the GDPR kick-off, the countdown is on to ensure you are putting compliance measures into place and sourcing a backup and disaster recovery provider that will work for your organisation. 

At Backup Systems, we have been developing and managing disaster recovery solutions for companies for over 10 years. Established in 2005, we focus exclusively on backup software, disaster recovery and data archiving.

When you choose us, you can rest assured you are not dealing with a reseller, or a vendor re-badging a third-party product, but with expert system developers. Our solution is 100% our own, meaning we control the whole product and take direct responsibility for its GDPR compliance, and as previously mentioned we are Cyber Essentials certified; therefore we follow best cybersecurity practice.

For a full detailed list of our capabilities and our services, we recommend reading our Managed Service guide. It is a good place to start your GDPR preparation plans: it explains our bespoke backup and disaster recovery solution and how we can protect your data from potential breaches and help keep you GDPR compliant.
