Since it was first proposed in 2012, the date 25th May 2018 has been engraved into the consciousness of CIOs and business leaders across the European Union. It marks the day the General Data Protection Regulation (GDPR) becomes enforceable, and if that date has no significance to you, where have you been!?!
GDPR is the new legislation that is going to revolutionise how businesses handle the personal data of people in the EU. It applies to any organisation, anywhere in the world, that processes that data, so it is something we strongly recommend looking into. A great starting point would be to have a look at our blog series or, even better, download our GDPR handbook.
For those that are already up-to-date, in this blog we look at why backup and disaster recovery are no longer optional under GDPR.
The following comes directly from Article 32(1) of the GDPR, which lists measures a controller and processor must implement where appropriate to the risk:
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
From this, we can see that organisations are held responsible for their ability to restore the personal data they hold, in a timely manner, after an incident. To remain compliant they must have appropriate backup and disaster recovery measures in place and must regularly test that those measures actually work: that the backups are complete, that they can be restored, and that the restored data is usable.
Otherwise, your organisation could be facing heavy fines for failing to protect the data that you hold and process. This is the harsh reality we now live in. Organisations are being hit by ransomware and other cyber attacks every day; the difference between a short outage and a reportable loss of personal data is very often whether a tested, offline backup existed.
Is your third-party provider compliant?
If you have decided to outsource your backup and disaster recovery solution, you need to ensure that the provider is also compliant. Under GDPR, any third party that stores, handles or retrieves personal data on your behalf is a 'data processor', and you remain the 'data controller' responsible for that data.
GDPR (Article 28) also requires a written contract with every processor. This agreement should set out what the provider may do with the data, where it is stored, how long it is retained, how and when it is deleted, and how they will tell you about a breach. A provider that already has such an agreement ready, along with a clear disclosure policy, has evidently thought about GDPR.
Regular testing of data backups
Any testing of your DR solution must be documented so that you can prove your procedures are compliant; under GDPR's accountability principle it is up to you to demonstrate compliance, not up to the regulator to disprove it. Article 32 says testing must be "regular" rather than prescribing a frequency, so choose a schedule you can justify for the risk involved and stick to it. Each test must genuinely challenge the chosen solution: not just "did the backup job complete?", but can the systems, applications and data actually be recovered, how long does it take, and how much data would be lost?
GDPR gives individuals a right of access to their personal data, normally to be fulfilled within a month of the request, so it is essential that what you restore reflects the live data of the company rather than a stale copy. A good indicator that your chosen DR provider takes security seriously is a Cyber Essentials certification. The Information Commissioner has pointed to Cyber Essentials as a sensible baseline for technical controls; bear in mind, however, that it is a baseline rather than evidence of GDPR compliance as a whole.
Your disaster recovery solution
Our hybrid disaster recovery and business continuity solution, 5nines, gives peace of mind to businesses of all sizes. 5nines provides screenshot verification, evidence that each backup can actually be booted, which is exactly the kind of documented test Article 32 asks for, and is designed to have you back up and running within 6 seconds.
ATG’s Business Continuity solution provides:
- Risk assessment and planning
- Ongoing data backups to ensure the safety and availability of your data
- Fast recovery times and multi-site availability
- Data encryption and storage in our very own off-site data centres
- A professional protection plan to help boost your clients' trust
- Potential for reduced cyber-insurance premiums
- Support for your GDPR Article 32 obligations
If this is of interest to you and you have a need for DR, give us a call on 01527 570 535 and one of our Business Continuity experts will be in touch!
Alternatively, have a look at our Disaster Recovery and Business Continuity page to gain further insight into our product/service.