GDPR: guide to compliance

Note that this article is for informational purposes only. It is not intended to and should not be relied upon or construed as legal advice. You should not act or refrain from acting on the basis of any content in this article without seeking legal or other professional advice.

Read also:

• GDPR and backups: best practices
• GDPR and encryption

What’s GDPR?

The GDPR (General Data Protection Regulation) is a general regulation of European Union that will come into effect on May 25, 2018, and it’s going to affect every business operating in the EU or dealing with EU customers.

The GDPR expands the definition of what constitutes personal, private data to include not just financial, government and medical records, but also genetic, cultural, and social information.

Businesses must now gain the specific consent of an individual before using their personal data, and must also honor their “right to be forgotten”, to have all personal data held by the business to be deleted at the user’s request.

Definitions and roles

GDPR describes the following definitions and roles:

• Data subject: A citizen of the EU who is identifiable by their personal data.
• Controller: A business operating within the EU — or outside of the EU but dealing with EU residents — that captures sensitive data about EU residents in the course of its operations.
• Processor: A commercial business capturing sensitive data on EU individuals that acts as a contractor to a controller. Examples include businesses offering cloud services, storage or application hosting.
• Personal data: Any information relating to an identified or identifiable natural person. This is more broadly defined by the EU than other governments, and includes the EU citizen’s name, email address, social media posts, physical, physiological, or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, etc.
• Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Businesses must report every data breach incident to “the supervisory authority” within 72 hours of becoming aware of it.
• Right to be forgotten: The right of every EU citizen to have his or her personal data erased and no longer processed. The data must be deleted from backups too.

Key requirements of GDPR

The GDPR requires that personal data can only be kept for as long as it is required for the initial purpose and must be protected in accordance with the new rules.

According to the article 32, both the controller and the processor are required to implement appropriate technical and organisational measures to ensure data integrity and security, systems resilience and the ability to restore data quickly, including encryption or pseudonymisation. Backup procedures and technologies are clearly an indirect requirement of the regulation.

The GDPR focuses on the concept of accountability whereby businesses will have to “demonstrate” compliance with the principles relating to the protection of personal data. This will involve implementing more demonstrable processes and maintaining a proactive approach.

GDPR compliance and backups

It’s time to discuss how to ensure GDPR compliance and to talk about the role of backups in this framework. We suggest a 5-steps model to comply with the GPDR:

• Know your data and map their position
  The first step is about the analysis and identification of all the processes collecting and processing personal data, with the purpose to map where they are stored, in both company owned or third-party storage. This map will be included in the documentation.
• Regulate access to data
  Once the mapping has been completed, it’s important to check who has access to data and for what reason. The audit will allow you to identify critical spot and, also in this case, the information collected will be precious for the documentation. Don’t forget to consider the IT administrators and external partners.
• Protect the data
  The data protection must be ensured adopting any available system like anti-malware software, firewalls, security policy, training and, of course, maintaining backups. Uranium Backup allows you to protect all the personal data collected by your company because it can perform backups of files and folders, databases, virtual machines, system images and Exchange mailboxes. Check this page to discover the best practices for a GDPR compliant backup strategy.
• Documentation
  The GPDR requires controllers and owners to demonstrate the application of adequate measures to protect personal data, so, having an extensive documentation about security processes and measures, is extremely important. We also need to remember to report data breaches within 72 hours since the discovery and the right to be forgotten, that includes backups.
• Staying up-to-date, always
  Companies are living organisms, always evolving and the same is for the context where they compete. In order to ensure a meaningful personal data protection it’s required a pro-active approach, a passive one is simply not enough. Being aware about new technologies and threats is a requirement to react and adapt.