14 Dec 2017
BackupVault is one of the first and only UK-based cloud-storage providers to ensure full compliance with the imminent General Data Protection Regulation (GDPR).
GDPR is new EU legislation designed to give EU consumers easier access to the data UK-based businesses and organisations collect, and more control over how that data is used and shared.
It’s a long-overdue replacement for the Data Protection Directive that’s been in place since 1995, bearing in mind the sheer diversity and volume of personal data now controlled and processed.
Another important feature of GDPR is that it makes consumers’ consent to the gathering, storage, use and sharing of their personal data more ‘active’. In other words, instead of giving consent passively by not opting out, business and organisations will have to make consent a clear and informed opt in process. In this sense, it makes things clearer for consumers, and in some ways more accountable for what happens to their data. Accountability also applies to the controllers and processors, though, and they must be fully transparent about how they collect data and what they do with it – using clear and simple language in how they explain this.
So GDPR makes it much clearer what ‘personal data’ refers to, and encompasses much more than the directive it replaces. This is a reflection of how much has changed since 1995, and so online identifiers such as IP addresses now qualify as personal data, along with economic, cultural or mental health information. In short, businesses and organisations today collect, control and process a much wider range and higher volume of data, and GDPR seeks to ensure this data is not only more secure, but also safer, and more accessible, amendable and ‘deletable’ for consumers.
Cloud backups therefore make a lot of sense as part of an effective GDPR compliance strategy. Arguably, they’re the most effective way for controllers to deal with the greater emphasis GDPR places on meeting contractual obligations with processors, and ensuring compliance. Meanwhile, cloud storage and backups will make it far easier for processors, who must plan for maintaining records of all processing and use of personal data – and prepare for the increased legal liability for any data breach.
At best, ‘legacy’ backup methods such as disk or even tape-based backup make it time-consuming and difficult to locate, amend or delete personal data at consumers’ request. At worst, this won’t even be possible – at least not within the strict timeframes the new Regulation will enforce. With this in mind, secure cloud backups with a provider that fully understands the intricacies and implications of GDPR are perhaps the best preparation for its enforcement in May 2018.
Of course, having a robust disaster-recovery plan for any business-critical data is a fundamental IT requirement for any business. But with GDPR imminent, now is the time for businesses and organisations collecting EU consumer data to evaluate – and most likely improve – their disaster-recovery set-up. Losing data through human error or hardware failure can cause problems most businesses would prefer to not even think about, but controllers and processors’ liability will increase significantly when GDPR becomes fully enforceable. So, as with accessing, amending and deleting personal data on request as described above, disaster recovery under GDPR will be far easier and efficient with a cloud-based backup plan. In fact, a cloud-based strategy should help avert any such ‘disaster’ in the first place.
Let’s not forget that, while immensely useful for protecting data and making it more accessible and easier to manage, the cloud is still vulnerable. So simply migrating all your data to a cloud backup doesn’t wash your hands of any threat or responsibility. Businesses and organisations must not only continue to protect the data that remains in their own systems and hardware – perhaps through their own encryption and hardware backups – but also ask questions about how the personal data they entrust to a cloud provider is protected.
It’s important to remember that using cloud services effectively grants your provider access to the data you place in their care. Almost inevitably, one or more of their people will have access to the personal data you’re looking to safeguard. Meanwhile, the liability for the security of that data remains yours, and will only increase when GDPR becomes into full effect on 25 May 2018.
With GDPR imminent, it’s also crucial that businesses keep their own cloud access credentials secure. A cloud provider’s service might be excellent in itself, but if access credentials aren’t monitored and guarded properly, this can cause expensive and reputation-damaging security and data breaches. This is a strong argument for appointing a Data Protection Officer to oversee the policies and strategies that will support your GDPR compliance.
Encryption is a very useful tool for protecting data. While businesses and organisations can encrypt their own data before migrating to the cloud, as part of protecting against cyber attacks, a good cloud provider’s encryption will likely be more robust and up to date, and more effective in supporting GDPR compliance.
Significantly, encryption can be the difference between a security breach and a data breach. Under GDPR rules, a leak of encrypted data is considered unlikely to put people’s rights and freedoms at risk, so it won’t be mandatory to report it, and it therefore won’t incur the significant fines.
The General Data Protection Regulation became enforceable on 25 May 2018. We’ve covered the fundamentals here, but every business or organisation will have different needs and require a tailored response to GDPR.
If you haven’t already, it’s time to begin sourcing and implement the right strategies for GDPR compliance.
Find out more about GDPR and how BackupVault can help you.