{"id":5814,"date":"2018-04-26T23:57:49","date_gmt":"2018-04-26T22:57:49","guid":{"rendered":"https:\/\/www.n-able.com\/?p=5814"},"modified":"2021-07-09T15:34:54","modified_gmt":"2021-07-09T14:34:54","slug":"gdpr-backup-and-retention-strategies","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/pt-br\/blog\/gdpr-backup-and-retention-strategies","title":{"rendered":"GDPR: Backup and Retention Strategies"},"content":{"rendered":"

MSPs and IT providers should actively engage their customers about their backup strategy and the potential impact it may have on readiness for the EU General Data Protection Regulation (GDPR). GDPR\u2019s focus on data protection means you and your customer may need to shift the way you architect data and how you need to back things up, and set sound retention policies, including the ability to facilitate any data subject requests. It\u2019s important to have these conversations before the law comes into effect in May.<\/p>\n

Here are a few topics that can open the discussion and potentially lead to a better, more compliant solution. This article is written with the assumption that you are processing EU personal data.<\/p>\n

1. Are you needlessly backing up \u201cdead data\u201d?<\/strong><\/p>\n

Many organizations run daily full system backups as a best practice, but unless the backup is intelligent enough to determine files that are no longer required (such as applied Windows update files), the system could be backing up data that is no longer needed. Another area of concern is when various shared drives on the server contain a multitude of non-critical files. Both of these things may result in unnecessary usage of time, bandwidth, and storage. For larger multi-server environments, there may be an opportunity to run a number of automated clean-up processes to maximize backup efficiency and reduce the size of your daily backups.<\/p>\n

2. Can you improve the backup process?<\/strong><\/p>\n

Even in 2018, many businesses rely heavily on humans to participate in the backup process. Some businesses may demand an employee insert a tape or take the backup media home with them as an \u201coffsite backup.\u201d Unless the backup program encrypts the data\u2014please be aware that native Windows backup is neither encrypted, nor compressed\u2014this puts you and your customer at a potentially huge risk of exposing personal data if the backups are lost or stolen. If this occurs, and you are the controller of such data, you may have to report it under GDPR.\u00a0 Both you and your customer may face fines. The most elegant solution is a local, encrypted backup combined with a hosted backup that encrypts the data both in transit and at rest.<\/p>\n

3. How will you facilitate a GDPR data subject access request with your backups?<\/strong><\/p>\n

One of the key rights of data subjects is they can request access to their data at any time. Obviously, if you lose their data or cannot access it, fulfilling an access request will be impossible. Please note, data subjects have additional rights, such as erasure, portability, etc., in regard to their data.\u00a0 While we only address the right to access here, you should also consider these other rights when establishing your [backup systems].<\/p>\n

Facilitating a data subject access request is perhaps one of the larger concerns of backup programs in use today. Certain file types in certain locations and certain databases may contain personal data. For example, Outlook PST files located on workstations usually contain an abundance of personal data. In addition, employee payroll databases, customer relationship management systems, accounting and billing applications, and customer-facing system log files all need to be considered in light of the subject access rights of GDPR.<\/p>\n

To fulfill requests, you must put some thought into how a customer\u2019s data backups should be structured so you can facilitate access requests. An access request may be fairly easy to facilitate by using third-party search tools on live systems. However, if the search could be disruptive to business operations, you may need to conduct it against a backup or virtualized host.<\/p>\n

Consider the following areas where personal data is likely to be found:<\/p>\n