Physical and technological failures and glitches occur even in the best-maintained and most secure files. This is why, under the General Data Protection Regulation (GDPR), a plan must be in place to safeguard and restore the personal data of EU citizens whenever a technical or physical incident occurs. It also means that businesses that deal with EU citizens must consider the security of their personal data files.
What are the GDPR Backup Requirements?
Several providers are anxious to provide backup services for GDPR data. In most cases, the data would be stored in the Cloud.
Providers chosen must adhere to GDPR regulations regarding data backup. Data would be organized in separate backup archives for each individual EU citizen, so that additions and deletions can be made to one file without affecting others' records.
Backup data files must be strongly encrypted so that the data cannot be read or used if the backup is compromised.
What Does This Mean for Businesses?
Just as GDPR requires a plan for backing up data, so too must businesses consider the security of their personal data files.
Consider this: the Human Resources departments of businesses hold employee personal data as well as data on clients and other companies. These records cannot be disclosed. To do so is an infringement of their rights and freedoms. If the records were breached, the result could be serious financial and reputational losses.
Businesses must review the data they hold, how it is used, and how it is stored. Moreover, they need to decide on how long it is retained and how it is deleted, destroyed, or removed.
As much of the employee and client data is communicated through email, a reassessment of internal and external communication needs to occur as the GDPR is implemented.
In short, email security procedures must be re-examined. This may require new Internet content filters to become compliant with the new GDPR regulations. These must prevent employees from accessing websites that may harbour malware, malicious URLs, and sites conducting phishing attacks. Data disclosure has never been a more serious concern. Extreme pressure will be put on businesses to comply with GDPR rules.
Having a secure email archive plan is paramount. Basically, a sound plan involves tools that copy email as it comes in or goes out and index it for quick, efficient retrieval. The archive is encrypted and stored safely and securely. Access to and modifications of any email are also recorded.
Thus, employee and client data is protected from internal and external threats and data breaches.
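As an added illustration of the archive plan just described (not code from the original article or from any particular product), the following Python sketch journals each message as it passes through, builds a simple keyword index for retrieval, keeps earlier versions when a message is modified, and records every access and modification in a hash-chained log so that tampering with the record of who looked at what can be detected. Encryption at rest is left out here to keep the focus on journaling and access recording. The class and method names and the sample messages are constructed for the example.

```python
"""Added example (not from the original article): a minimal email archive
that copies messages as they flow in or out, indexes them, and keeps a
hash-chained record of every access and modification."""
import hashlib
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArchivedMessage:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str
    versions: list = field(default_factory=list)  # earlier bodies, oldest first


class EmailArchive:
    def __init__(self):
        self._messages = {}              # msg_id -> ArchivedMessage
        self._index = defaultdict(set)   # search token -> {msg_id}
        self._log = []                   # hash-chained audit entries
        self._prev_hash = "0" * 64

    # -- audit trail: each entry commits to the hash of the previous one ----
    def _record(self, actor, action, msg_id):
        entry = {"actor": actor, "action": action, "msg_id": msg_id,
                 "prev": self._prev_hash}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self._log.append(entry)
        self._prev_hash = digest

    def verify_log(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self._log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def log_entries(self):
        return list(self._log)

    # -- ingestion and retrieval --------------------------------------------
    @staticmethod
    def _tokens(text):
        return set(re.findall(r"[a-z0-9]+", text.lower()))

    def ingest(self, msg_id, sender, recipient, subject, body):
        """Copy a message as it comes in or goes out and index it."""
        msg = ArchivedMessage(msg_id, sender, recipient, subject, body)
        self._messages[msg_id] = msg
        for tok in self._tokens(subject + " " + body) | {sender, recipient}:
            self._index[tok].add(msg_id)
        self._record("mailflow", "ingest", msg_id)

    def search(self, actor, term):
        """Every hit returned to the actor is logged as a read."""
        ids = sorted(self._index.get(term.lower(), ()))
        for msg_id in ids:
            self._record(actor, "read", msg_id)
        return ids

    def read(self, actor, msg_id):
        self._record(actor, "read", msg_id)
        return self._messages[msg_id]

    def redact(self, actor, msg_id, new_body):
        """Modifications never overwrite silently: the old body is kept as a version."""
        msg = self._messages[msg_id]
        msg.versions.append(msg.body)
        msg.body = new_body
        self._record(actor, "modify", msg_id)
```

In practice the chained log would be written to append-only storage outside the reach of archive administrators, since a hash chain only detects tampering by someone who cannot also rewrite every later entry.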
While GDPR data backup is deemed necessary, several groups argue that this backup infringes on their right to be “forgotten”. So a few questions regarding data backup remain:
- How can the personal data of EU citizens be protected when it remains somewhere in the archives as backup data?
- How can data be minimized to retain only data that is required?
- How long is it reasonable for data to be retained in a backup file?
- Who makes decisions regarding the above questions?
Storage limitation is a reality. Thus GDPR must consider how and when to delete data.
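The separate per-citizen backup archives with strong encryption described earlier on the page, and the question raised just above of how data can be protected when it still sits in backup copies, are usually answered together by the same design: encrypt each subject's record under its own key, keep the keys apart from the backup media, and implement erasure by destroying the key. The ciphertext may physically remain in old backup sets, but nobody can read it, and no other subject's record is touched. The following is an added Python example of that pattern, not code from the original article. Its cipher is a constructed HMAC-SHA256 keystream-plus-MAC stand-in for a real authenticated cipher such as AES-GCM, chosen only so the example runs with the standard library; the class, method names and sample records are assumptions for the illustration.

```python
"""Added example (not from the original article): per-subject encrypted
backup records with key destruction ('crypto-shredding') as the erasure
mechanism.  The cipher below is a constructed stand-in for a real AEAD."""
import hashlib
import hmac
import json
import secrets


def _keystream(key, nonce, length):
    # Constructed CTR-style keystream from HMAC-SHA256; not a production cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key, plaintext):
    """Returns nonce || ciphertext || tag; a fresh nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verifies the tag before decrypting; raises ValueError on any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("backup record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def record_is_intact(key, blob):
    try:
        open_sealed(key, blob)
        return True
    except ValueError:
        return False


class SubjectBackup:
    """One sealed archive entry per data subject; keys live in a separate vault."""

    def __init__(self):
        self._vault = {}     # subject_id -> key, never written to backup media
        self._archive = {}   # subject_id -> sealed record, what gets backed up

    def store(self, subject_id, record):
        key = self._vault.setdefault(subject_id, secrets.token_bytes(32))
        self._archive[subject_id] = seal(key, json.dumps(record).encode())

    def snapshot(self):
        """A backup copy of the archive as it would be written to cold storage."""
        return dict(self._archive)

    def erase(self, subject_id):
        """Erasure: destroy the key.  Ciphertext may remain in old snapshots."""
        self._vault.pop(subject_id, None)
        self._archive.pop(subject_id, None)

    def restore(self, subject_id, snapshot=None):
        source = snapshot if snapshot is not None else self._archive
        key = self._vault.get(subject_id)
        if key is None:
            raise KeyError(f"no key for {subject_id}: record has been shredded")
        return json.loads(open_sealed(key, source[subject_id]))

    def can_restore(self, subject_id, snapshot):
        try:
            self.restore(subject_id, snapshot)
            return True
        except (KeyError, ValueError):
            return False

    def readable_subjects(self, snapshot):
        """Which records in an old backup set are still recoverable."""
        return sorted(s for s in snapshot if s in self._vault)
```

The design only works if the key vault is not itself swept into the same backups, and if the vault's own backup retention is short enough that a destroyed key does not quietly survive in an old vault copy; the retention question raised above therefore moves from the bulk data to the much smaller key store.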