
GDPR: Backup and Retention Strategies

By SolarWinds MSP
26 April, 2018

MSPs and IT providers should actively engage their customers about their backup strategy and the potential impact it may have on readiness for the EU General Data Protection Regulation (GDPR). GDPR’s focus on data protection means you and your customer may need to change how you architect data, how you back it up, and how you set retention policies, including the ability to facilitate any data subject requests. It’s important to have these conversations before the law comes into effect in May.

Here are a few topics that can open the discussion and potentially lead to a better, more compliant solution. This article is written with the assumption that you are processing EU personal data.

1. Are you needlessly backing up “dead data”?

Many organizations run daily full system backups as a best practice, but unless the backup is intelligent enough to determine files that are no longer required (such as applied Windows update files), the system could be backing up data that is no longer needed. Another area of concern is when various shared drives on the server contain a multitude of non-critical files. Both of these things may result in unnecessary usage of time, bandwidth, and storage. For larger multi-server environments, there may be an opportunity to run a number of automated clean-up processes to maximize backup efficiency and reduce the size of your daily backups.

2. Can you improve the backup process?

Even in 2018, many businesses rely heavily on humans to participate in the backup process. Some businesses may require an employee to insert a tape or take the backup media home with them as an “offsite backup.” Unless the backup program encrypts the data (please be aware that native Windows backup is neither encrypted nor compressed), this puts you and your customer at a potentially huge risk of exposing personal data if the backups are lost or stolen. If this occurs, and you are the controller of such data, you may have to report it under GDPR. Both you and your customer may face fines. The most elegant solution is a local, encrypted backup combined with a hosted backup that encrypts the data both in transit and at rest.

3. How will you facilitate a GDPR data subject access request with your backups?

One of the key rights of data subjects is that they can request access to their data at any time. Obviously, if you lose their data or cannot access it, fulfilling an access request will be impossible. Please note that data subjects have additional rights, such as erasure and portability, in regard to their data. While we only address the right to access here, you should also consider these other rights when establishing your backup systems.

Facilitating a data subject access request is perhaps one of the larger concerns of backup programs in use today. Certain file types in certain locations and certain databases may contain personal data. For example, Outlook PST files located on workstations usually contain an abundance of personal data. In addition, employee payroll databases, customer relationship management systems, accounting and billing applications, and customer-facing system log files all need to be considered in light of the subject access rights of GDPR. 

To fulfill requests, you must put some thought into how a customer’s data backups should be structured so you can facilitate access requests. An access request may be fairly easy to facilitate by using third-party search tools on live systems. However, if the search could be disruptive to business operations, you may need to conduct it against a backup or virtualized host.

Consider the following areas where personal data is likely to be found:

  • Billing Database—Since this is a business record of financial transactions, you may need to retain everything for seven or more years. The billing database backup retention period should be disclosed to the customer and aligned with regulatory or governmental requirements.
  • Tech Support Database—The transactions in the database may be able to be provided upon a subject access request. However, you may still need to retain the data in the backups for a period of time. You should disclose your retention periods for tech support data to the customer.
  • Marketing Database—The marketing database backup retention period should be disclosed to the customer. The retention period should be shortened to facilitate the timely removal of the data subject’s information. 
  • Email Correspondence—It may be an arduous process to review and access all emails with the data subject’s information and to redact other data subjects’ personal data from email correspondence in order to promptly respond to this request.

Clearly, different data backup retention strategies, overwrite policies, and differential backup configurations will play a vital role in determining what information is backed up, how it gets backed up, and how long the backup is retained. MSPs and IT providers will need to work closely with their customers to determine the right backup strategy and the right backup retention policy to be able to meet data subject requests under GDPR.

 


 

This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how the EU General Data Protection Regulation (GDPR) may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information. 

 
