X

GDPR and Data Storage

In a recent blog post, we reviewed the main terms and definitions in the upcoming General Data Protection Regulation (GDPR). For those of you who do not yet know about these new  EU compliance regulations, please refer to our GDPR Overview.

GDPR brings several major data management requirements  for all businesses that deal with data of EU citizens, including businesses that do not operate in the European Union, but process or store data of any person from the EU.

In today’s article, we will focus on GDPR compliant data storage.

GDPR and Data Management

Being GDPR compliant means that you may have to revise your data management and data storage policies. Here is what you need to know.

Data should be located in the EU

Personal data that is associated with EU citizens should be processed and stored within EU borders. In other words, if you use Amazon S3 for storing backups and your primary storage is located in the US, you should move all data that falls under the GDPR to EU-based Amazon storage. However, further in the article we will explain how you may be able to bypass this requirement.

You Should be able to Find, Recover, Change, and Delete Data Fast

You should be able to search, change or delete data on demand. The so called “right to be forgotten” means that you should delete any personal data associated with a user as soon as possible by any request from the subject of personal data. You should also be ready to give the subject a full list of personal data that you process or store, as well as the legal basis for storing the data in the first place.

The ability to delete data will also help in case you, as a data controller, terminate a contract with a processor. In that case, all data should be removed from the cloud and the processor should provide sufficient proof that data is deleted. Note: If you do need more information on the differences between “data controller” and “data processor”, refer to our overview of GDPR terms.

GDPR makes it problematic, and maybe impossible, to store backups on tape. Anyone who has dealt with data backups on tape should know how hard would it be to find, change, delete or recover data of the given user on demand. We recommend you start moving your archives from tape to cloud archive storage (for example, Amazon Glacier, Google Cloud Coldline, Microsoft Azure Archive Storage).

The Note: The “Right to be Forgotten” can be postponed for as long as you have a legal right and consent to process or store personal data. In other words, if you have a legal agreement between you and a subject of personal data that you will store personal data for 5 years, and the subject demands to delete his/her personal data, you can perform the deletion after 5 years. These actions may need to be defended in front of a legal authority and you should be able to prove your legal right to store and process the personal data.

Prevent any Data Breaches at All Costs

The key point of the upcoming GDPR compliance is data safety. GDPR does not state directly how you should protect data and the exact retention policies (unlike HIPAA, for example). Under GDPR, you should take all necessary precautions to prevent a possible breach and store data as long as it is legally compliant.

Basically, it means that you define the needed retention for different types of data in your contract with users and data processors.

You should pay attention to:

  • Data encryption. By encrypting data, you make unauthorized access more difficult. However, keep in mind that even the name of files can be a matter of issue in a data breach. As an example, you encrypt the contents of a file, but the file name itself reveals personal information, like a name or account number. You might want to encrypt filenames as well, but you’ll still be required to find the data, delete and change it under “Right to be Forgotten”
  • If a data breach has occurred, you should contact the authorities within 72 hours. You should also contact all subjects affected by the data breach. If all leaked files had their filenames encrypted and you are sure that no subjects are affected, you only need to contact the authorities.

Note: You should notify the affected subjects of a data breach where the data could potentially cause harm to the information security of the given subject.

Backup Compliance with CloudBerry

CloudBerry Backup has a number of features that can help your company achieve and maintain compliance.  

Flexible Storage Location Control for Compliance

CloudBerry Backup supports more than 30 cloud storage vendors; many that manage data centers in all regions around the globe, including the EU. . Selecting one of these cloud storage vendors makes it easy to migrate EU data from cloud storage outside the EU to cloud storage within the EU. If you need to change storage vendors to one that helps you be GDPR compliant, CloudBerry Backup makes that easy as well.

Note: You do not necessarily need to re-upload all the data and move your storage location. If the user has given “explicit permission” to store and process data abroad,  you are GDPR compliant. That “explicit permission” could be added to your terms of service agreement.   

Encryption to Protect Data

CloudBerry Backup supports a few different types of encryption:

  • Encryption of the contents of files with customer-controlled encryption keys
  • Server-side-encryption to encrypt the data at rest (if supported by the cloud storage vendor)
  • Filename encryption for local and cloud storage (if supported by the cloud storage vendor)
  • Secure, encrypted connections between CloudBerry Backup and cloud storage

Using these options makes access to the underlying data nearly impossible in a data breach.

Ransomware Protection to Protect your Backups

Ransomware is one of the most severe threats to data safety today. A ransomware attack on files can lead to corruption of cloud backups, which is considered a data breach in GDPR.

In CloudBerry Backup v.5.8 we introduced ransomware protection. That feature monitors file backups to see which files have been changed through encryption. If found, these encrypted files will not overwrite your good  backups, ensuring that you have a recovery point even in the case of a malware attack.

Search Data Inside Backups to Quickly Delete

Whenever the subject of personal data opts to exercise their “right to be forgotten” or demands all personal information that you store be deleted, you can use the search feature in CloudBerry Backup to find files and folders that need to be targeted for deletion.  Keep in mind, that to stay compliant you should always know where and how the personal data is stored. You should first perform an informational audit of all data processes that can fall under GDPR compliance.

Denis G :