Compliance issues are becoming more pressing matters when it comes to data backup. Here are some key things to think about to ensure your processes meet requirements.
Strong backup and recovery processes have always been an essential part of any prudent business' strategy, but there are now stronger reasons than ever for keeping on top of this area. In an environment where privacy and security are being made top priorities by both customers and regulators, compliance laws surrounding the backup of sensitive data are becoming ever more stringent.
One of the biggest changes in data protection laws is the EU's General Data Protection Regulation (GDPR), which came into force on May 25th and brought with it a huge number of changed and tightened rules stipulating how businesses must take care of personal data - be this the information of customers or employees.
With many other regulatory bodies also tightening their rules on data protection, it pays to keep compliance at the forefront of your mind. Here are a few key areas to consider.
1. Where's your data?
Traditional methods for backups would typically see data copied to a tape, hard drive or other physical media, which is then moved to a secure offsite location. But increasingly, this is becoming impractical for business, so solutions such as cloud backup are taking over. However, this can bring its own issues as, unlike with older methods, this may mean businesses have less control over exactly where their data resides.
This can cause serious compliance issues if data is held in a jurisdiction with differing privacy and security laws, so it's vital that firms know exactly where their data will be stored. Ideally, it should be held in the same legal environment as the primary databases, as this will reduce conflicts, so be sure to find out from any third-party backup providers where their servers are physically located.
2. Backup early, backup often
Regulations such as GDPR give citizens the right to know exactly what data businesses have on them, which means this information must be keep accurate and up-to-date. If you're only backing up this data on a weekly or even monthly basis, this could therefore leave your company as risk of breaching compliance rules if, for any reason, you end up having to rely on these backups.
Therefore, it's important to reassess your approach to backup frequency and, where possible, ensure data covered by their regulations is given an especially high priority. Modern cloud systems make this much easier than older physical-based media, so there's no excuse in today's environment for failing to keep up-to-date records in your backup systems.
3. Testing, testing, testing
One of the best ways to demonstrate that your business is in compliance with regulations - in any area, not just backups - is a frequent, well-documented testing program that can prove to authorities you are keeping up with issues and are applying new rules to your operations.
As such, it's a good idea to conduct backup and disaster recovery tests as often as possible. Yet many firms don't currently do this. A 2017 study by Kroll Ontrack, for instance, found almost a quarter of businesses (24 per cent) never test their backup procedures, while 14 per cent only do so once a year. In today's environment, this is nowhere near enough. And of course, a regular testing schedule isn't just good for compliance - Kroll Ontrack found a quarter of firms that experienced data loss reported that their backup failed to work properly
4. Don't forget the right to be forgotten
One new regulation that will be particularly important to firms around the world is Article 17 of the GDPR, which details a person's "right to be forgotten" - or to have their data deleted once it is no longer relevant. This right has already been upheld by European courts in relation to areas such as Google's search results, but all citizens in the EU are now entitled to ask any company to delete their data.
This may be complex when it comes to backup, as it may not be feasible or even possible to remove individual records from backup servers, though if old data automatically expires as part of a company's standard retention schedule, this may fulfil any regulatory requirements. Therefore, businesses need to start thinking about how long they really need to keep their backups for, and when they need to turn to other solutions such as archiving.
Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals. To view more IT content, click here.