Picture the scene: the charismatic ‘one-club’ local hero, the aging warhorse in his final season, sat on the bench waiting for one last great hurrah. Then the call comes; an injury to the star player means the veteran is needed.

He stands up, then realizes he’s forgotten to pack his trainers, or even to get changed – so much for an effective backup.

Yet in the world of business, an increasing number of vital data reserves are not fit for purpose. Certainly from a GDPR perspective, any backed-up data runs the risk of not being fully prepared – or compliant.

All of which can leave the team short, and compromise your chances of future glory.

Technical and organizational measures

Backup is essential to ensuring your business data is always available where and when it’s needed – that’s why many companies regularly perform the action as part of their day-to-day IT activities.

The challenge represented by the GDPR regulations, however, is to ensure the process doesn’t violate the rights of the ‘data subject’. Doing this, and achieving total coverage, requires the introduction of appropriate technical and organizational measures.

Should you be updating backed up data?

Think of what happens when a person orders a pair of shoes online:

  • Once the item is selected, most people will prefer the convenience of having their items shipped rather than collecting in person
  • They will input their address details
  • In many instances, this will actually be a work address to help guarantee that someone will be on hand to receive the goods during office hours

Sounds simple, and indeed it is. Complexity only enters the picture when you consider what happens next to the data. That’s because the company selling the shoes now has the responsibility of keeping this data up-to-date in their database – as well as in the database of the shipping company that made the delivery.

What’s more, because a work address was provided, the data quality has the potential to quickly decay – and will do so the moment the person changes jobs. All of which points to a sizeable task, but one that’s relatively easy to accomplish with your current database.

But what of the data being backed up?

Restoring data = processing data

Technically it’s not possible to remove data from a backup file. Try to do that and you run the risk of compromising the data. In fact, you can only restore a backup – which means the data will become visible again. Do that and you’re seen as having processed the data, and in doing so, you’ve possibly violated the rights of the data subject.

Which brings us back to “appropriate organizational measures”.

In order to comply with GDPR, organizations need to document – in as detailed a manner as possible – their policies and procedures for handling personal data. This includes the ability to demonstrate that this data will in no way be restored into the production system.

Constantly deleting data inaccuracies

Another question to answer is: how long will you need to keep a backup of your data? With GDPR it’s most likely that companies will become increasingly strict in retaining data for only as long as necessary – to support operations and legal obligations.

At the same time, there should also be increased vigor in deleting inaccurate data. This, of course, places the spotlight on the measures being taken to keep the data accurate in the first place!

To return to the case of the shoe retailer, they could approach such a task by asking customers to log in to their website to amend any incorrect data. As long as this request is easy for each customer to complete, it should help ‘catch’ any errors – and provide a simple way for them to revoke their consent.

Exploring all possibilities

Other options include:

  • Implementing a review of the retained data every three months
  • Defining a policy that considers data older than three months to be potentially inaccurate and therefore not worth keeping
  • Using data logs to know which data is considered inaccurate
  • Keeping data with a short validity (e.g. shipping address, phone number etc.) separate from data that has to be retained for other legal requirements (e.g. invoices)

Take the next step to backup compliance

Keeping your backup data compliant and ready for action has become a more complex and delicate process with the advent of GDPR. But with careful planning and the introduction of effective policies, it can quickly be mastered – and provide a few additional business benefits along the way.

Yes, we can

COMPAREX offers a number of backup and archiving solutions that help organizations stay compliant. Do you have any questions?


Peter Verbeeck

Solution Advisor
