GDPR and backups: best practices

Note that this article is for informational purposes only. It is not intended to and should not be relied upon or construed as legal advice. You should not act or refrain from acting on the basis of any content in this article without seeking legal or other professional advice.

Read also:

According to the article 32 of the GDPR, both the controller and the processor are required to implement appropriate technical and organisational measures to ensure data integrity and security, systems resilience and the ability to restore data quickly, including encryption or pseudonymisation.

Backup procedures and technologies are clearly a key step for the compliance.

Uranium Backup allows you to protect all the personal data collected by your company, thanks to the ability to perform backups of files and folders, databases, virtual machines, system images and Exchange mailboxes. For a complete GDPR compliance, we suggest to follow these best practices:

  1. Perform backups of all the collected sensitive data and of the key systems of your infrastructure following the 3-2-1 rule: at least 3 backups per each data, on at least 2 different systems, of which 1 must be off-site. Take advantage of the FTPS/SFTP and cloud backup capabilities of Uranium Backup. It supports Microsoft OneDrive and AzureGoogle DriveAmazon S3 and Dropbox, all of which are GDPR-compliant.
  2. Use Uranium Backup’s retention functionalities: we suggest to maintain backups allowing to restore data of the last 14 days.
  3. For your virtual machines, we suggest to adopt a combination of backups and replicas, in order to ensure good backup retention and lower your restore time near to 0.
  4. Encrypt all the backup destination using available technologies or, if not available, adopt the AES 256-bit encryption offered by Uranium Backup. We prepared a guide to encryption to make your job easier.
  5. Take advantage of the Uranium service and its ability to run under a specific user to protect the backups: use ACL permissions to lock backups and forbid ransomware to encrypt them.
  6. Check your backups using email notifications or adopting Supremo Console.
  7. Periodically perform integrity and restore tests.