GDPR Readiness and Backups
An important part of being ready for GDPR is ensuring that the data you hold is adequately protected: either kept behind locked doors or, if you take it off-site, encrypted, so that if it is found it cannot (easily) be read and misused.
Minimum good practice for business system data back-ups is that you take your data off-site, or at least away from the building in which your servers or main equipment are located. In the event of a fire or other complete loss of your systems, this allows you to restore your data to replacement hardware and be back in business.
Windows Backup to disk/tape
However, if you are relying on Windows back-up to an external tape or drive, which you then take off-site, you will be taking unencrypted data off-site!
What are the choices?
You could keep the backup tapes/drives on-site and store them in a computer fire safe – this will mean that you will be GDPR ready (for this element, at least). However, you need to be aware that fire safes do not guarantee to protect your tapes or drives indefinitely – an intense conflagration or one of long duration may render your back-ups useless. It may also be that the emergency services do not let you into your building anyway, due to structural issues after a fire, so even if the back-ups do survive you still may not be able to access them. So, not taking your backup drives or tapes off-site is a risk.
Alternatively, you could move to a new backup solution that does follow best practice by keeping one back-up locally and one, encrypted, in the cloud. The other major benefit of this approach is that you will not need to change drives at all, which removes the risk of overwriting good back-ups with bad ones.
Solutions to disk/tape where encryption is possible
A number of solutions currently in use can have encryption enabled. However, this can have an impact in two ways. The first is the size of the back-up: encryption uses greater disk space, so the back-up solution may be too small for the size of the encrypted files. The second is that the back-up simply takes too long: encryption has a processing overhead, so a back-up that currently completes ‘just in time’ without impacting your working day may begin to overrun, hitting the performance of your equipment and making it difficult or even impossible to work on your systems.
What are the choices?
If your backup disks or tapes are too small to handle the new volume of data, or there isn’t enough disk space on your server to prepare your back-up before moving it to the backup media, then you can invest in new hardware and/or tapes/drives.
If the back-up takes longer and impinges on your working day, you may be able to shorten the backup time by backing up less.
Alternatively, it will be worth looking at new backup solutions that do this all for you in a far smarter way.
Unfortunately, if you are using any of the solutions outlined above then a decision has to be made to ensure that you are GDPR ready – talk to us about how you can mitigate your risks and, perhaps, make your life easier in the process.