Picture the scene: the charismatic ‘one-club’ local hero, the aging warhorse in his final season, sat on the bench waiting for one last great hurrah. Then the call comes; an injury to the star player means the veteran is needed.
He stands up, then realizes he’s forgotten to pack his trainers, or even to get changed – so much for an effective backup.
Yet in the world of business, an increasing number of vital data reserves are not fit for purpose. Certainly from a GDPR perspective, any backed-up data runs the risk of not being fully prepared – or compliant.
All of which can leave the team short, and compromise your chances of future glory.
Backup is essential to ensuring your business data is always available where and when it’s needed – that’s why many companies regularly perform the action as part of their day-to-day IT activities.
The challenge posed by the GDPR, however, is to ensure the process doesn’t violate the rights of the ‘data subject’. Doing this, and achieving total coverage, requires the introduction of appropriate technical and organizational measures.
Think of what happens when a person orders a pair of shoes online:
Sounds simple, and indeed it is. Complexity only enters the picture when you consider what happens next to the data. That’s because the company selling the shoes now has the responsibility of keeping this data up to date in its database – as well as in the database of the shipping company that made the delivery.
What’s more, because a work address was provided, the data quality has the potential to quickly decay – and will do so the moment the person changes jobs. All of which points to a sizeable task, but one that’s relatively easy to accomplish with your current database.
But what of the data being backed up?
Technically, it’s not possible to remove data from a backup file. Try to do that and you run the risk of compromising the data. In fact, you can only restore a backup – which means the data will become visible again. Do that and you’re seen as having processed the data, and in doing so, you’ve possibly violated the rights of the data subject.
Which brings us back to “appropriate organizational measures”.
In order to comply with GDPR, organizations need to document – in as detailed a manner as possible – their policies and procedures for handling personal data. Included in this is the ability to demonstrate that this data will in no way be restored into the production system.
Another question to answer is: how long will you need to keep a backup of your data? With GDPR it’s most likely that companies will become increasingly strict in retaining data for only as long as necessary – to support operations and legal obligations.
At the same time, there should also be increased vigor in deleting inaccurate data. This, of course, places the spotlight on the measures being taken to keep the data accurate in the first place!
To return to the case of the shoe retailer, they could approach such a task by asking customers to log in to their website to amend any incorrect data. As long as this request is easy for each customer to complete, it should help ‘catch’ any errors – and provide a simple way for them to revoke their consent.
Other options include:
Keeping your backup data compliant and ready for action has become a more complex and delicate process with the advent of GDPR. But with careful planning and the introduction of effective policies, it can quickly be mastered – and provide a few additional business benefits along the way.