GDPR compliance naivety in the face of disaster recovery

 

You can plan for it. You can train for it. You can create as many systems designed to prevent it as you want, but at the end of the day disasters still occur and they happen when people least expect them.

Whether it’s a natural disaster that knocks a data centre offline or a cyber attack that ravages critical systems, there’s no shortage of damage that can happen to a business during this time.

As British Airways (BA) continues to recover from its recent disastrous IT failure, an inquest will hope to uncover why BA’s disaster recovery (DR) plan didn’t whir into action.

>See also: GDPR compliance: what organisations need to know

According to recent reports, it is thought that one team was frantically trying to restore the original system while elsewhere another team was attempting to fire up the backup. End result – the market value of BA’s owner, IAG, fell by £170 million after the computer systems failure.

It’s imperative to have a comprehensive DR plan in place to ensure your business is properly prepared to cope with any disaster that comes along, in order to get back up and running as soon as possible.

On the 25th of May 2018, the EU General Data Protection Regulation (GDPR) comes into effect. This will bring changes to data protection law that affect anyone selling or monitoring data within the EU and holding customer data.

These changes must be complied with – failure to do so could lead to fines of 4% of turnover or €20million, whichever is greater. There is also the spectre of reputational damage stemming from any sort of data theft.

GDPR – how does it relate to DR?

GDPR covers the requirement to have adequate DR provisions in place in order to comply, as outlined in article 32(1):

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.

>See also: GDPR: the good, the not so bad and the opportunities

(a) the pseudonymisation and encryption of personal data;
=> Article: 4
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

All companies handling customer data should therefore have an adequate DR solution that can restore both the availability and access to personal data.

In addition to your live system, your DR system will also need to meet GDPR compliance. Seeing as your DR provider is obtaining, holding and retrieving data, they will be considered a ‘data processor’.

If your DR provider is non-compliant it could render you non-compliant with the accompanying threat of financial punishment. It is therefore critical that any DR provider (either your existing provider or one you are considering) meets GDPR compliance.

>See also: What are US companies’ view on GDPR?

To manage any necessary changes, it will be mandatory for businesses of over 250 employees to appoint a Data Protection Officer (DPO).

The role of the DPO will encompass such things as, educating the company and employees on important compliance requirements, training staff involved in data processing and maintaining comprehensive records of all data processing activities conducted by the company, including all processing activities, which must be made public on request

Get prepared

So, with less than a year to go before GDPR comes into effect, you should be assessing your DR plans now to ensure that they meet compliance criteria. Let us consider some relevant areas as outlined below:

• Will customer data be accessible and available in a timely manner? Simply keeping a backup of the data will not be good enough – it needs to be available for user access (i.e. on working systems) to comply. What are the Service Level Agreements (SLAs) around this and how are these SLAs guaranteed?

 • Are DR providers ISO27001 certified? Many of the ISO27001 policies are in line with GDPR policies that concern process e.g. staff training, auditing and reviews of policies. If you are ISO27001 compliant but your DR provider isn’t then your ISO27001 may be null and void.

• Where is the data held? You need to be wary about transferring data outside of the EU otherwise it needs to meet the conditions of chapter 5 of the GDPR. Chapter 5 covers the transfer of personal data to third countries of international organisations.

• Do they have data breach processes in place? Data controllers are required to report breaches within 72 hours. What processes does your DR provider have in place in order to report such breaches?

 • Can customer data in your DR system be controlled in line with regulations so that subjects can access, erase or amend their data? This requires backup data to be updated regularly in line with your live data.

• Does your DR provider offer regular testing and evaluation to ensure security of processing? Security covers the availability, integrity and confidentiality of processing.

Your DR provider should be able to clearly demonstrate that they test these aspects of your DR solution. Again, ISO27001 goes a long way to demonstrate most of these.

>See also: GDPR compliance – the real implications for businesses

• Is your DR provider a data processor? Have you clarified under contractual agreement whether your DR provider is a data processor or a data controller?

It is particularly important to know the difference in situations such as a data breach where it will be necessary to determine which organisation has data protection responsibility. The ICO offers a guide to help you understand the difference between a data controller and a data processor.

• Do you have a data sharing agreement with your DR provider? This should cover how the data can be used and whether it can be further disclosed. Refer to the ICO data sharing practice for further details.

• Is your DR provider GDPR certified? Certification via appropriate certification bodies will be encouraged to demonstrate compliance, as outlined in the GDPR regulation.

>See also: One year to GDPR: guide to compliance

It is never too early to start planning for GDPR. British Airways showed recently how badly a large organisation can get DR wrong and under GRPR regulations that could have resulted in a significant fine.

Punitive financial penalties aside, the long term scarring for brand reputation should not be underestimated. Do your research now and make sure your disaster recovery plans are GDPR compliant.

Plan B’s comprehensive guide to GDPR and DR compliance can be found here

 

Sourced by Ian Daly, director, Plan B

 

The UK’s largest conference for tech leadershipTech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...