GDPR and Your Backups
An important part of being GDPR-compliant is ensuring that the data you hold is adequately protected. In practice this means either keeping it behind locked doors or taking it off-site. Any good business is expected to take backups off-site, away from the building in which its equipment and data are held (normally its offices), and to do so in an encrypted format.
Minimum good practice for business system backups is to take your data off-site, or at least away from the building in which your servers or main equipment are located. In the event of a fire or other complete loss of your systems, this allows you to restore your data onto replacement hardware and be back in business.
Windows Backup To Disc/Tape
However, if you are relying on Windows Backup to an external tape or drive, which you then take off-site, then you will be taking unencrypted data off-site!
What Are Your Choices?
You could keep the backup tapes/drives on-site and store them in a computer fire safe. For this particular element of your information security, that approach is GDPR compliant. However, you need to be aware that fire safes are not guaranteed to protect your tapes or drives indefinitely: an intense fire, or one of long duration, may render your backups useless. The emergency services may also refuse you entry to the building because of structural damage after a fire, so even if the backups survive you still may not be able to reach them. Not taking your backup drives or tapes off-site is therefore a risk.
Alternatively, you could move to a new backup solution that follows best practice by keeping one backup locally and another, encrypted copy in the cloud. The other major benefit of this approach is that you no longer need to change drives at all, which removes the risk of overwriting good backups with bad ones.
Encryption is an important part of data security
A number of solutions currently in use do enable you to use encryption. However, this can affect the size of the backup (encryption uses more disk space, so the backup media may be too small for the encrypted files) or the backup may simply take too long.
Encryption has a processing overhead. If your backup is currently completing "just in time", without affecting your working day, it may begin to overrun, degrading the performance of your equipment and making it difficult or even impossible to work on your systems.
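The practical check that follows from the two points above (unencrypted Windows Backup media, and the temptation to skip encryption because of its overhead) is to confirm that what you are actually carrying off-site is ciphertext. The script below is an added example, not code from Neuways or from any backup product. It is a heuristic: it looks for the signatures of common unencrypted backup containers (zip, gzip, tar) and measures the byte entropy of the file's leading bytes. Compressed-but-unencrypted data also has high entropy, which is why the signature check comes first; a high-entropy file with no known signature is only *probably* encrypted. The sample files are constructed in memory, and random bytes stand in for a real encrypted backup.

```python
import gzip
import io
import math
import os
import tarfile
from collections import Counter

# Leading-byte signatures of common unencrypted backup containers.
# The tar signature ("ustar") sits at offset 257 rather than at the start.
PLAINTEXT_MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip stream",
    b"ustar": "tar archive",
}
TAR_MAGIC_OFFSET = 257
# Random or properly encrypted data sits very close to 8 bits/byte;
# text, database pages and zero-padded tar blocks sit well below this.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_backup_blob(data: bytes, sample_size: int = 65536) -> dict:
    """Report whether a backup file's leading bytes look like plaintext.

    Returns a dict with the measured entropy, a boolean verdict, and the
    reasons (if any) the blob was judged to be unencrypted.
    """
    head = data[:sample_size]
    reasons = []
    for magic, name in PLAINTEXT_MAGIC.items():
        if name == "tar archive":
            if head[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(magic)] == magic:
                reasons.append(name)
        elif head.startswith(magic):
            reasons.append(name)
    entropy = shannon_entropy(head)
    if entropy < ENTROPY_THRESHOLD:
        reasons.append(f"low entropy ({entropy:.2f} bits/byte)")
    return {
        "entropy": round(entropy, 2),
        "looks_encrypted": not reasons,
        "reasons": reasons,
    }


def build_plain_tar(files: dict) -> bytes:
    """Build an in-memory tar archive (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a plaintext tar, the same tar gzipped, and random
# bytes standing in for a genuinely encrypted backup set.
SAMPLE_TAR = build_plain_tar({
    "customers.csv": b"id,name,email\n1,Alice,alice@example.test\n" * 200,
})
SAMPLE_GZIP = gzip.compress(SAMPLE_TAR)
SAMPLE_RANDOM = os.urandom(65536)


def scan_samples() -> dict:
    """Classify each constructed sample; keyed by a short label."""
    return {
        "tar": classify_backup_blob(SAMPLE_TAR),
        "gzip": classify_backup_blob(SAMPLE_GZIP),
        "encrypted": classify_backup_blob(SAMPLE_RANDOM),
    }


if __name__ == "__main__":
    for label, verdict in scan_samples().items():
        status = "OK (looks encrypted)" if verdict["looks_encrypted"] else "UNENCRYPTED"
        print(f"{label:10s} entropy={verdict['entropy']:.2f} {status} {verdict['reasons']}")
```

Run it against the first 64 KiB of each file on the tape or drive before it leaves the building. A hit on a container signature is conclusive; a low-entropy result with no signature usually means a raw disk image or database dump. If the result is "unencrypted", the fix is either to encrypt the backup set itself or to encrypt the target volume (for a Windows drive, BitLocker does this) before the media goes off-site.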
Make Your Business Safer And Upgrade Your Backups
If your backup disks or tapes are too small to handle the new volume of data, or there isn't enough disk space on your server to prepare the backup before moving it to the backup media, then you can invest in new hardware and/or tapes/drives.
If the backup is taking longer and impinging on your working day, you may be able to shorten the backup time by backing up less.
Alternatively, it is worth looking at new backup solutions that do all of this for you in a far smarter way.
Unfortunately, if you are using any of the outdated solutions touched on above, a decision has to be made to ensure that you are GDPR compliant. Talk to us about how you can mitigate your risks and make your life easier in the process.
Got any questions? Get in touch with Neuways below.