I’m the opposite of a PR person.
As a Data Protection Officer, my job is to keep people out of the press. And as Data Protection laws continue to tighten with the application of the General Data Protection Regulation (GDPR), that job is getting a lot harder.
One of the biggest puzzles companies are wrestling with in their GDPR projects is what to do with backups. GDPR requires a full understanding of the data you hold, while balancing the need to keep that data secure against the right to erasure and the duty to delete data proactively.
The first challenge here is actually knowing what data you have. You can’t protect it if you don’t have a clue where it is. Traditionally, backups have been a real pain here: once the data is locked away on a tape, it becomes incredibly difficult to know later what was on it. This is still the case in many non-physical backup systems, where you have a whole-system snapshot but no way to interrogate what lies within. The simple answer to this conundrum is just stop. Stop making the problem harder for yourself, stop locking data away in difficult-to-find places, and instead start a whole new backup regime. Visibility is everything when it comes to security and data protection, so your backup toolset must give you search and interrogation tools that let you stay in control.
Article 32 of the GDPR states that you must provide “integrity, availability and resilience of processing systems,” which puts decent backups front and center of your enterprise IT strategy. But extensive backups collide with data retention policies and the need to proactively erase data as it reaches its end of life. It is important to remember that retention policies should be as tight as you can manage, keeping only the specific bits of data you need at any one time. But often you don’t have a choice. A great example of this is the world of database backups, where some backup products do not allow retention policies to be assigned per database. So, if one database contains regulatory financial records and another contains transient user data, you’re forced into keeping both for the same amount of time.
Don’t be held hostage by incumbent ways of doing things. They hurt our ability to truly protect data. What we need are tools that deliver granular control over how we’re backing up our data. Just locking away everything for seven years because it “feels about right” isn’t good enough anymore.
As we rethink our backup strategy, we’re given the opportunity to assess why we’re backing up in the first place. Is it for resilience? If so, why keep CRM backups for 2 years if the oldest backup we’d ever restore from is 3 months old? Is the backup for retaining snapshots to meet regulatory compliance? If so, an annual end-of-financial-year backup, retained as future evidence, might be all that is required. The larger your data repository, the larger your protection surface area and the larger your problem. When it comes to data protection, less is more. Don’t keep more data than you need.
And finally, we have the thorny issue of the right to erasure, also known as the right to be forgotten. The GDPR allows EU individuals to request their personal data be erased from data controllers that process it. And many companies are worried about how this clashes with the need to keep backups, which are largely uneditable.
The good news here is that the right to erasure is much more limited than people realise. A data subject only has the “right to be forgotten” if one of the grounds specified in Article 17 of the GDPR exists, such as where the personal data is no longer necessary to the controller in relation to the purposes for which the data was collected or otherwise processed. Reasons that can override the requestor’s rights include the freedom of expression, legal requirements, public interest, historical archiving, the defense of legal claims, and significant legitimate interest. For instance, an employee couldn’t demand that their employer delete their payroll information to avoid paying tax or a professional athlete couldn’t demand a TV news channel delete a video of their poor performance on the track.
But some data will indeed need to be erased if requested, such as information associated with a social media account. And under the GDPR, this needs to be performed “without undue delay.” One of the largest social networks, for instance, keeps a rolling 90-day backup of all data. So, if you request your account to be deleted, the live system will be cleansed within days. But for backups, they wait until your data “ages out” of the backup retention period. This 90 days is probably a “fair” amount of time to hold onto your data, but the longer you keep backups, the harder it is to argue fairness. Having tight control over your backup strategy helps you here.
Whilst the GDPR may appear ambiguous and unhelpful, my general recommendation is to focus on its simple intent – respect people’s data. If you’re keeping it safe, using it only for lawful purposes, being transparent about how you use it, and keeping it for no longer than necessary, then you’ll be on your way to demonstrating a good level of compliance with the regulation.
To learn more about the impact of these new regulations, read GDPR: Beyond the Hype.