The Importance of Disaster Recovery in GDPR Compliance

On May 25, 2018, the European Union (EU) officially implemented the widely discussed General Data Protection Regulation (GDPR). The act applies to any business that collects, stores, and processes confidential information belonging to European consumers. This would explain why the collective internet was recently bombarded with emails regarding privacy policy updates from nearly every website they've ever shared data with. The companies behind those sites recognize that the legislation is a huge deal with major business implications. Like most regulatory standards, the GDPR is chock full of legal speak and confusing jargon. However, the initiative can be summed up in three core objectives: data privacy, data protection, and data recovery. Each affects disaster recovery (DR) in a profound way.

1. Consumer Rights

Consumer privacy is one of the most hotly debated topics in the digital world. The EU emphasizes the importance of privacy by giving consumers more control of their data. Under the GDPR, EU citizens now have the right to access, modify, or delete personal information at any time. This component has a huge impact on how organizations manage, secure, and retain their data. At the very least, GDPR compliance means ensuring your DR solution permits a level of access that allows data to be purged, or freed up to move to another provide upon request.

2. Data Breach Protection

The GDPR mandates that organizations take various measures to protect personal data from security breaches. Article 4 of the act describes a breach as any incident that leads to the loss, deletion, modification, or unauthorized disclosure of data. This definition puts an interesting perspective on  security because a breach triggered by internal data handling mistakes can be just as damaging as those stemming from outside attacks. Further, the GPDR influences disaster response efforts by mandating that all breaches be reported to the Information Commissioner's Office (ICO) within 72 hours of the incident.

3. Recovery and Testing

Article 32 of the GDPR emphasizes two important requirements:

1. The ability to quickly restore data availability and access in the event of an incident
2. The ability to test and assess the effectiveness of data protection plans

Making weekly backups of your data is no longer enough. The GDPR requires you to make sure that data can be recovered in timely fashion and take documented steps to ensure the effectiveness of those efforts. Does staff know who to contact during a crisis? Does your response team know which systems and processes to restore first? Is your recovery site prepared to accommodate failover operations? Simply put, the GDPR gives DR testing an all new level of importance.

Third-Party Compliance

Whether it's working with a managed service provider or Disaster-as-a-Recovery (DRaaS) specialist, outsourcing is a cost-effective option for organizations that lack the resources to tackle disaster recovery in-house. According to the EU, any company that handles EU consumer data falls under the data processor category. The new regulations hold organizations and their third-party providers to the same standards. This essentially makes GDPR compliance one more qualification to consider for those looking to outside expertise for help.

Is It Too Late?

The deadline for GDPR compliance has come and gone. However, it is not too late to get your proverbial house in order. Contrary to all the scary media hype, simply missing the deadline doesn't automatically mean hefty fines are coming your way. According to the UK ICO (Information Commissioner's Office), maximum fines will be a last resort and only employed in the most extreme circumstances. With that said, time is of the essence. At the end of the day, the GDPR largely re-enforces measures that should be standard in any organization that manages sensitive consumer data. There is still an opportunity to educate and train your staff on the essentials. The sooner you incorporate GDPR compliance into your disaster recovery strategy, the sooner you can relax and focus on simply running your business.