Does GDPR apply to backup?
The other day I met a backup vendor talking about GDPR (General Data Protection Regulation). We both know that GDPR is a hot topic and that almost everyone is affected. One thing that surprised me was that they said backup was not affected by GDPR; I guess we disagree! What I can agree on is that backup has other criteria than active data.
GDPR is a topic for many organizations this year, and I think it's important to clarify some things. Let's start with the basics.
Why is backup affected by GDPR? First, you have a backup of your environment, and that backup includes the systems holding data covered by GDPR.
So if, for example, someone asks to be forgotten, you erase their data in your active environment, and done! ...but the same data is still sitting in your backup system. Depending on regulations you have a shorter or longer retention time, but for that whole period the data is still there, and the person who wanted to be forgotten is back in the loop, fully identifiable, the moment you restore.
One idea I heard was to keep track of who needs to be deleted, so that when we restore our database we just clean it again. But that means you still keep data about that person.
Either way, however you solve your restore process, backup is affected by GDPR. This is important.
(Swedish) Example news article: https://www.idg.se/2.1085/1.688977/radera-backup-gdpr
(English) Another article: http://www.computerweekly.com/feature/GDPR-brings-serious-implications-for-data-storage
Are we doomed?
Of course not; this is the perfect moment to finally configure your backup environment properly. It's time to remove your monthly, quarterly and yearly "backups", snapshots and the like. The reason: if you keep data for a long retention with a grandfather/father/son scheme, then to honour a deletion you must restore all of that data, manually remove the GDPR-affected records, and then back the cleaned data up again, for every generation you kept.
An easier way is a backup application that indexes your files, so you can delete the record from all tapes, disks etc. through its central database. Easy! One caveat: removing the catalogue entry makes the data unrecoverable through the backup application, but on sequential media such as tape the bytes remain on the volume until it is reclaimed or overwritten, so your deletion procedure has to cover that step as well.
How to prepare my backup for GDPR?
Scenario 1 (database dump)
Make sure you protect all data properly, and avoid layering one backup method on top of another. A typical example is dumping a database to a file and then backing up that file: the personal data now exists in the live database, in the dump file on disk, and in every backup copy of that dump, and a deletion in the database alone reaches none of the other copies.
Scenario 2 (mixed data protection environments)
Another common setup is one enterprise data protection application for daily physical and cloud-host backups and a second backup application for the virtual environment (KVM, VMware, Hyper-V etc.). The VM data protection application then tiers to the enterprise data protection system for long-term retention, measured in years.
Both scenarios create situations that make it tricky to operate according to GDPR, because the same personal data ends up in several systems, each with its own catalogue and its own retention, and a deletion request has to be carried out in every one of them.
Make sure everything is configured correctly now, so you keep control of all data and can delete the necessary files directly from your backup server instead of in multiple places.
Another approach that a few backup vendors recommend is to keep backup data for a shorter time and use a proper archive solution for longer retention.
This can be a quick solution if your backup application is not compliant, or you are uncertain whether it is. At the same time I feel a trend toward shorter retention, going from the traditional 60-90 days to 10-30 days, probably 10.
Think encryption: we recommend encrypting your GDPR-sensitive data. Keep in mind that it will probably affect your data reduction functionality, since properly encrypted data looks random to the backup server: identical blocks from different clients or different days no longer match, so deduplication finds nothing to share and compression gains nothing. When planning for encryption you have two options: encrypt on your own systems and then back up the ciphertext, or back up over an encrypted network and encrypt in your backup system. With IBM Spectrum Protect, the first option keeps the data protected all the way, but it builds a lot of storage because the server cannot deduplicate what it cannot read. The second option is safe as well and lets you use the data reduction features in IBM Spectrum Protect; the trade-off is that the backup server and its administrators then handle plaintext, so that system has to sit inside your trust boundary.
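As an added illustration (not part of the original post, and not IBM Spectrum Protect code), here is a small Python model of a content-addressed backup store. It builds a constructed workload of daily full backups with the redundancy you see in practice, then counts how many chunks a dedup engine has to keep when it sees plaintext versus when every client encrypts its files with a fresh nonce before sending them (option one above), and finally shows option two, where the server deduplicates first and encrypts only the unique chunks it stores. The fixed-size chunker, the SHA-256 counter-mode keystream and the workload are hypothetical illustrations; a real deployment would use a vetted AEAD cipher.

```python
"""Added example: why client-side encryption before backup defeats
server-side deduplication, and why encrypting after dedup does not.

Everything here is a hypothetical illustration: the chunker, the dedup
store, the keystream cipher and the constructed workload. None of it is
IBM Spectrum Protect internals.
"""
import hashlib
import os

CHUNK = 4096  # fixed-size chunking; real products use variable-size chunks


def chunks(data: bytes):
    for i in range(0, len(data), CHUNK):
        yield data[i:i + CHUNK]


def dedup_stats(blobs):
    """Return (total_chunks, unique_chunks) over all blobs, as a
    content-addressed store would see them."""
    total, seen = 0, set()
    for blob in blobs:
        for c in chunks(blob):
            total += 1
            seen.add(hashlib.sha256(c).digest())
    return total, len(seen)


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative randomised stream cipher: SHA-256 in counter mode over
    key||nonce||counter, nonce prepended to the output. Good enough to show
    the dedup effect; use AES-GCM or similar from a real library."""
    out = bytearray()
    for block_no, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return nonce + bytes(out)


def client_side_encrypt(key: bytes, blobs):
    """Option one: each client encrypts before backup. A fresh nonce per
    file is mandatory for security, and it is exactly what kills dedup."""
    return [keystream_encrypt(key, os.urandom(16), b) for b in blobs]


def dedup_then_encrypt(key: bytes, blobs) -> int:
    """Option two: the backup server dedups plaintext and encrypts only the
    unique chunks it keeps. Returns the number of stored ciphertext chunks."""
    store = {}
    for blob in blobs:
        for c in chunks(blob):
            h = hashlib.sha256(c).digest()
            if h not in store:
                store[h] = keystream_encrypt(key, os.urandom(16), c)
    return len(store)


def constructed_backups(days=5, files_per_day=3):
    """Constructed workload: `days` daily full backups of the same few
    files, where one file changes four bytes each day."""
    base = [os.urandom(CHUNK * 8) for _ in range(files_per_day)]
    out = []
    for d in range(days):
        for f, data in enumerate(base):
            if f == 0:  # small daily change inside chunk 1 of file 0
                data = data[:CHUNK] + d.to_bytes(4, "big") + data[CHUNK + 4:]
            out.append(data)
    return out


def compare(key: bytes = None) -> dict:
    """Run all three pipelines over the same workload and return counts."""
    key = key or os.urandom(32)
    blobs = constructed_backups()
    plain_total, plain_unique = dedup_stats(blobs)
    enc_total, enc_unique = dedup_stats(client_side_encrypt(key, blobs))
    return {
        "plain": (plain_total, plain_unique),
        "plain_ratio": plain_total / plain_unique,
        "encrypted": (enc_total, enc_unique),
        "encrypted_ratio": enc_total / enc_unique,
        "server_side_unique": dedup_then_encrypt(key, blobs),
    }


if __name__ == "__main__":
    r = compare()
    print(f"plaintext dedup        {r['plain_ratio']:.2f}:1  {r['plain']}")
    print(f"client-side encrypted  {r['encrypted_ratio']:.2f}:1  {r['encrypted']}")
    print(f"dedup then encrypt     stored chunks = {r['server_side_unique']}")
```

With the constructed workload the plaintext store keeps 28 of 120 chunks (about 4.3:1), the client-encrypted store keeps every one of its 135 chunks (1:1, and slightly more chunks, because the prepended nonce shifts every chunk boundary), and the dedup-then-encrypt store again keeps only 28, now as ciphertext. That is the whole storage argument behind the two options above.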
We are happy to tell you more; please get in contact with us. We can help you scan your entire environment to find all data that falls under GDPR. We offer advisory services on GDPR and can help you optimize IBM Spectrum Protect accordingly.
According to the media and the legal experts I have talked to, they agree: backup is affected. As long as you can restore a person's data it is part of the picture, and backup data is part of your organization's infrastructure and under your responsibility.