GDPR and Disaster Recovery

You plan for it and you implement resilient systems to prevent it, but at the end of the day disasters will still occur, and they happen when you least expect them. Whether it’s a natural disaster that knocks out a data centre or a cyber-attack that impacts critical systems, there’s no shortage of damage that can happen to your business following a serious incident.

British Airways (BA) continues to recover from its recent large-scale IT failure, and an inquest hopes to uncover why BA’s disaster recovery (DR) plan didn’t save the day. According to recent reports, it is believed that one team was frantically trying to restore the original system while elsewhere another team was attempting to fire up the backup. The net result was that the market value of IAG (BA’s owner) fell by £170 million following the failure.

It’s imperative to have a comprehensive, and tested, DR plan in place to ensure your business is fully prepared to deal with any disaster that comes along and get back up and running as soon as possible.

On the 25th of May 2018, the EU General Data Protection Regulation (GDPR) comes into effect. This will bring changes to data protection law that affect anyone selling or monitoring data within the EU and holding customer data. These changes must be complied with, and failure to do so could lead to fines of 4% of turnover or €20 million, whichever is greater.

How Does GDPR Relate to DR?

The requirement to have adequate DR provisions in place is outlined in GDPR article 32(1):

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

So, all companies handling customer data should have an adequate DR solution that can restore both the availability and access to personal data. In addition to your live system, your DR system will also need to meet GDPR compliance. Seeing as your DR provider is obtaining, holding and retrieving data, they will be considered a ‘data processor’.

Be Prepared

With less than 6 months to go before GDPR comes into effect, you should be assessing your DR plans now to ensure that they meet compliance criteria. Let us consider some relevant areas as outlined below:

Will customer data be accessible and available in a timely manner? Simply keeping a backup of the data will not be good enough – it needs to be available for user access (i.e. on working systems) to comply. What are the Service Level Agreements (SLAs) around this and how are these SLAs guaranteed?

Are DR providers ISO27001 certified? Many of the ISO27001 policies are in line with GDPR policies that concern process e.g. staff training, auditing and reviews of policies.

Where is the data held? You need to be wary about transferring data outside of the EU; if you do, the transfer needs to meet the conditions of Chapter 5 of the GDPR. Chapter 5 covers the transfer of personal data to third countries or international organisations.

Do they have data breach processes in place? Data controllers are required to report breaches within 72 hours. What processes does your DR provider have in place in order to report such breaches?

Can customer data in your DR system be controlled in line with regulations so that subjects can access, erase or amend their data? This requires backup data to be updated regularly in line with your live data.

Does your DR provider offer regular testing and evaluation to ensure security of processing? Security covers the availability, integrity and confidentiality of processing. Your DR provider should be able to clearly demonstrate that they test these aspects of your DR solution. Again, ISO27001 goes a long way to demonstrate most of these.

Is your DR provider a data processor? Have you clarified under contractual agreement whether your DR provider is a data processor or a data controller?

Do you have a data sharing agreement with your DR provider? This should cover how the data can be used and whether it can be further disclosed. Refer to the ICO data sharing practice for further details.

Is your DR provider GDPR certified? Certification via appropriate certification bodies will be encouraged to demonstrate compliance, as outlined in the GDPR regulation.

Punitive financial penalties aside, the long-term damage to brand reputation should not be underestimated. Do your research now and make sure your disaster recovery plans are GDPR compliant.
