Security

How to protect your data from disaster and be GDPR compliant | Storm Internet

10 May 2018

By fishtank

- 4 mins read

The Data Protection Regulation (GDPR) is coming into force soon and will shift the legal landscape within the EU. There are a variety of changes that are going to take place and failing to grasp them could lead to terrible consequences, financial and otherwise. Many businesses are already lining up resources to adapt to the new regulatory climate. They obviously want to avoid paying any fines that can amount to 4% of turnover or €20 million, whichever is greater. So taking proactive measures to protect your data and ensure general GDPR compliance is essential.

New rules of the game

As you probably know, EU GDPR is coming into effect on 25th May 2018. The new rules apply to disaster recovery (DR) systems of anyone selling, holding, or monitoring data within the territory of the union. In a nutshell, GDPR prescribes that controller and the processor must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…” [1] Processor is the provider obtaining, holding, or retrieving data.

Now, regardless of whether companies use in-house DR framework or run systems via an external provider, some things will need to be handled differently. A provider that is non-compliant can render the business organization non-compliant too. Therefore, for extra safety, under a contractual agreement, organizations should specify whether the DR povider is a data processor or a data controller. This due diligence helps to distinguish which organization has primary data protection responsibility.

Shape up or ship out

There is no doubt that playing by the rules is the only way to go. In other words, one has to establish a system for security, availability, recovery, and testing of the IT infrastructure. This also entails disaster recovery that preserves confidentiality and integrity of consumer’s information. British Airways for example, demonstrated that even large corporations can make grave mistakes regarding DR and endure great financial losses because of it.
Recent developments have shown that encryption of private data plays a vital role in securing integrity, confidentiality, and resilience of processing systems and services. Furthermore, GDPR implies that businesses must be able to restore personal data in the wake of all kinds of natural disasters or technical failures. Restoration in this sense involves both the reclamation of availability and access to personal data.

As for the term “disaster”, it refers both to natural occurrences like floods and tornadoes, as well as man-launched threats such as hacker attacks. Both things can ravage crucial IT systems and often one cannot prevent them in the first place. Mitigating the risk is the best way to deal with it. For example, data breach processes are integral to disaster protection. One of the related GDPR requirements is reporting data breaches within 72 hours they take place.

A solid action plan

All in all, businesses are encouraged to put a comprehensive disaster recovery plan in place. Simply keeping a backup of all data is not sufficient, although one of the guidelines is to update it along with live data. Namely, data needs to be available for user access, for instance, on working systems. What is more, users should be able to erase or amend their data should they wish to do so.

Another requirement is that companies of over 250 employees appoint a Data Protection Officer (DPO). This position includes responsibilities such as educating employees on compliance requirements, training staff in DR, and maintaining records of all data processing activities performed by the company. These records must be made public on request by an appropriate governing body.

There are some specific rules imposed on enterprises that are transferring data outside of the EU. They need to be careful because these actions must meet the conditions outlined in Chapter 5 of the GDPR. This segment covers the transmission of personal data to countries outside the Union and international organizations. The final piece of the compliance puzzle comes in the form of regular testing and evaluation of disaster recovery and protection measures.

Better safe than sorry

Disaster recovery is an integral part of the upcoming GDPR. The financial ramifications are just one of the negative effects that non-compliance can have. Namely, business organizations are also at risk of losing consumer trust and tarnishing reputation. So, stay on the safe side and meet compliance criteria. It is more important than ever to cover all the IT bases. Keep up the pace with rising standards, shield against any legal repercussions, and cope with any disaster that comes along. Produce a sound DR plan, hope for the best, but prepare for the worst.

[1] Article 32(1) of the GDPR

Storm Security Centre

Concerned about data security and the GDPR? Our new look Intelligent Hosting Security Centre is now live and ready to start protecting your sites, servers and apps, whether you host with Storm or not.

With new features that continuously evolve to tackle the latest digital threats, we estimate that our Intelligent Hosting Security Centre could save you up to £860/month versus consultant or DIY costs.

Storm’s Intelligent Hosting Security Centre delivers: