GDPR compliance: is your Disaster Recovery provider putting you at risk?

If your Disaster Recovery (DR) provider isn’t compliant with the new General Data Protection Regulation (GDPR), it could render you non-compliant, too. This blog lists seven critical areas where your provider must be compliant so you avoid the wrath of the ICO next year.

Once the new law comes into force on 25th May 2018, GDPR breaches could cause considerable damage to businesses and organisations of all sizes. For serious violations, businesses risk fines of up to £15.8 million or four per cent of turnover (whichever is greater). For lesser incidents, they will be subject to a maximum fine of either £7.9 million or two per cent of their organisation’s global turnover (again, whichever is greater).

To put this in context, the £400,000 penalty that the Information Commissioner’s Office (ICO) imposed on TalkTalk would translate into £59 million under GDPR next May. A sobering thought for businesses not yet addressing GDPR.

How is GDPR relevant to disaster recovery?

Businesses must have adequate DR provisions in place to comply with Article 32(1) of the GDPR, to make sure their data is well managed, organised and protected. It states:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) The pseudonymisation and encryption of personal data

(b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

(c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

(d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”

What does this mean? It means that every company that handles customer data (which is, basically, every company) should have an adequate DR solution that restores both the availability of and access to personal data. And because your DR provider is obtaining, holding and retrieving data, they are a ‘data processor’. If they are non-compliant, it could render you non-compliant. So, it’s critical that they are compliant.

GDPR compliance: seven critical questions to ask your DR provider

1. Will my customer data be accessible and available in a timely manner?

Under GDPR, it isn’t enough simply to have data backed up. To be compliant, users need to be able to access it on working systems. Make sure you’re aware of your provider’s SLAs around accessibility and availability, and whether they’re guaranteed. We’d recommend testing that your DR solution meets these SLAs.

2. Is your DR provider ISO 27001:2013 certified?

Many of the ISO 27001:2013 (for information security management) policies are in line with GDPR policies, for example around processes such as security, staff training, auditing and review of policies. If you are ISO 27001:2013 compliant but your DR provider isn’t, your ISO may become void.

3. Where is my data held?

Be wary of transferring data outside the EU or – come Brexit – the UK. Last year, Microsoft opened their first three data centres in the UK, much to the joy of highly regulated UK businesses, medical bodies and the government, for example.

4. Does your DR provider have data breach processes in place?

Under the new regulations, your data processor must report breaches to the ICO within 72 hours.

5. Can subjects access, erase or amend their data in line with regulations?

This requires backup data to be updated regularly in line with your live data, and to meet security protocols for if/when the DR system steps in as the live system at a time of disaster.

6. Does your DR provider offer regular testing and evaluation for secure processing?

Your DR provider should be able to clearly demonstrate that they test the availability, integrity and confidentiality of data processing within your DR solution. ISO 27001:2013 will demonstrate most of these.

With Microsoft’s cloud DR solution, Azure Site Recovery, users can access it on demand, allowing them to test DR much more easily, securely and cost-effectively. Businesses no longer need to suffer downtime by having to shut down primary servers to test their DR. Instead, they get immediate access to limitless public cloud capacity, so they can test their DR in an isolated environment whenever they like.

7. Have you clarified in your contract whether your DR provider is a data processor or data controller?

It’s sensible to clarify whether your DR provider is a data processor or data controller in advance, rather than wait until a data breach has occurred. This way, you’ll be clear on who’s responsible for what, avoiding any confusion during a time of crisis.

If you’d like to find out more about how Azure Site Recovery can help prepare your business for GDPR, or for other GDPR/compliance solutions and certification, our GDPR consultants can help.