Soon, the world of IT data handling, customer data compliance, and data retention will never be the same. Beginning on May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect for all European Union citizens. The regulation grants EU citizens the right to data privacy and individual ownership of their own personal data. It affects every organization processing personal data of data subjects residing in the European Union, regardless of where the company is located. Let’s take a closer look at the various aspects of GDPR, how they affect organizations retaining data, and how they apply to backups taken by data protection solutions of data covered by the regulation.
GDPR Data Subject Rights
Under the new GDPR regulations, individuals under the protection of GDPR will be entitled to the following rights:
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers
Under the Breach Notification requirement, notification of any breach involving data subject information is mandatory. The company must make the breach known within 72 hours of the point at which the breach was discovered. Any data processors will also need to notify their customers of the data breach.
The Right to Access portion of GDPR gives data subjects the right to obtain confirmation from an organization as to whether their personal data is being processed, and for what purpose. If it is, the processor must provide an electronic copy of that information free of charge to the data subject. This ensures transparency to data subjects about any personal information being processed.
The Right to be Forgotten aspect of GDPR, also known as “Data Erasure”, is perhaps the most interesting when it comes to data protection solutions. It entitles data subjects to have any processor of their data erase their personal data, stop using or processing it, and stop any further disclosure of it. When thinking about data protection and backups of business-critical systems, this is a widely discussed portion of the new GDPR regulations, since it is not yet clear how strictly companies will be required to apply it to backups or archival copies of data.
Data Portability under GDPR gives any data subject the right to access their data and receive a copy of it for transmission to any other controller.
Privacy by Design speaks directly to building data protection into information systems from their initial design. Instead of adding these measures on at some later point, organizations must “implement appropriate technical and organizational measures…to meet the requirements…and protect the rights of data subjects.” This is included in Article 23 of the GDPR regulation and is referred to as “data minimization”. Companies are advised to hold onto only the data that is absolutely necessary to carry out their business duties. Limiting access to the personal data of data subjects to only those who need it is also required.
GDPR calls for the appointment of Data Protection Officers under Article 37, and in some cases makes the appointment mandatory. In short, the Data Protection Officer is an enterprise security leadership role reporting to the highest levels of management. They oversee an organization’s data protection strategy and ensure the organization is in compliance with the GDPR requirements.
The maximum penalties for organizations that process data subjects’ data and fall out of compliance with the new GDPR are quite extensive. Organizations may be fined up to 4% of annual global turnover or £20m (whichever is greater). For lesser offenses, companies can be fined 2% under Article 28.
Choosing a Data Protection Solution Aligned with GDPR
There is no question about it: the new GDPR regulations will significantly change the way organizations think about how data is processed and, importantly, how it is backed up and retained. The data protection solutions organizations use today are extremely important and provide acceptable RTO and RPO in the event of a disaster recovery. Companies want to choose a data protection solution that embraces GDPR and provides the technical means to meet the GDPR objectives, such as the following:
- Encryption of data subject data
- Retention and control of retention policies
- Monitoring of backups and backup data
- Replication of backup data
- Reporting
- Verification of Data
Encryption of backup data is an essential aspect of making sure customer data is not compromised, because backup data contains production data. It is imperative that organizations use a backup solution that encrypts data both in flight and at rest.
Retention settings and policies will become increasingly important with the onset of GDPR. Organizations control what data is retained, and for how long, through retention policies. Being able to control retention periods at a granular level will help organizations align those policies with GDPR requirements.
A solution that allows detailed monitoring of backups, replication, backup copies, and other data protection tasks gives organizations a transparent view of all data protection activity. This allows companies to be proactive, knowing where backup data lives at all times and ensuring the validity and consistency of those backups.
Having replicas of backup data helps organizations meet the data portability needs defined by GDPR and ensures redundancy, protecting all data subject data covered by the regulation.
Reporting on backup operations ties in closely with monitoring. Reporting gives complete visibility into backup operations and confirms that data protection is being carried out effectively, which in turn ensures that data subjects under GDPR protection have access to their data at all times.
Verification of data is essential to knowing with certainty that backup data is valid and usable. A modern data protection solution that verifies backup data automatically takes the heavy lifting out of the manual processes otherwise needed to confirm backup validity.
Vembu Provides Powerful GDPR Functionality
With the new GDPR regulations looming on the horizon, organizations need to take definite steps to make sure they are in compliance, and that includes their data protection strategy. As mentioned above, there are several aspects to a truly GDPR-compliant data protection solution. Vembu BDR Suite allows organizations to align themselves with the initiatives set forth by the new GDPR standard.
Vembu secures data with AES-256 encryption. Using the VembuHive file system, data is stored in a way that allows effective compression and deduplication alongside encryption. Vembu can also retain data for up to 10 years and lets organizations customize the restore versions that are kept. With Vembu BDR360, organizations have a centralized “single pane of glass” view of the backup environment where they can monitor and report on backup jobs and tasks. Using Vembu BDR Suite, organizations also have a powerful tool to replicate data to a secondary datacenter or even to the Vembu cloud, so that data is protected redundantly. By leveraging this built-in functionality, organizations are equipped to meet and exceed the expectations set forth by GDPR.
Concluding Thoughts
Organizations that process any customer data of citizens located in the European Union MUST start considering the impact of the new GDPR regulations that take effect in May 2018. This includes considerations related to data protection and customer data held in backups, both on-site and off-site. Using the tools that Vembu BDR Suite provides, organizations can meet and exceed the demands of GDPR compliance with a single all-in-one solution. Vembu has shown itself ready to meet the compliance challenges of today and those of tomorrow.
Experience modern data protection with the latest Vembu BDR Suite v3.8.0 FREE edition. Try the 30-day free trial here: https://www.bdrsuite.com/vembu-bdr-suite-download/