GDPR: Backup and Retention Strategies

MSPs and IT providers should actively engage their customers about their backup strategy and the potential impact it may have on readiness for the EU General Data Protection Regulation (GDPR). GDPR’s focus on data protection means you and your customer may need to shift the way you architect data and how you need to back things up, and set sound retention policies, including the ability to facilitate any data subject requests. It’s important to have these conversations before the law comes into effect in May.

Here are a few topics that can open the discussion and potentially lead to a better, more compliant solution. This article is written with the assumption that you are processing EU personal data.

1. Are you needlessly backing up “dead data”?

Many organizations run daily full system backups as a best practice, but unless the backup is intelligent enough to determine files that are no longer required (such as applied Windows update files), the system could be backing up data that is no longer needed. Another area of concern is when various shared drives on the server contain a multitude of non-critical files. Both of these things may result in unnecessary usage of time, bandwidth, and storage. For larger multi-server environments, there may be an opportunity to run a number of automated clean-up processes to maximize backup efficiency and reduce the size of your daily backups.

2. Can you improve the backup process?

Even in 2018, many businesses rely heavily on humans to participate in the backup process. Some businesses may demand an employee insert a tape or take the backup media home with them as an “offsite backup.” Unless the backup program encrypts the data—please be aware that native Windows backup is neither encrypted, nor compressed—this puts you and your customer at a potentially huge risk of exposing personal data if the backups are lost or stolen. If this occurs, and you are the controller of such data, you may have to report it under GDPR.  Both you and your customer may face fines. The most elegant solution is a local, encrypted backup combined with a hosted backup that encrypts the data both in transit and at rest.

3. How will you facilitate a GDPR data subject access request with your backups?

One of the key rights of data subjects is they can request access to their data at any time. Obviously, if you lose their data or cannot access it, fulfilling an access request will be impossible. Please note, data subjects have additional rights, such as erasure, portability, etc., in regard to their data.  While we only address the right to access here, you should also consider these other rights when establishing your [backup systems].

Facilitating a data subject access request is perhaps one of the larger concerns of backup programs in use today. Certain file types in certain locations and certain databases may contain personal data. For example, Outlook PST files located on workstations usually contain an abundance of personal data. In addition, employee payroll databases, customer relationship management systems, accounting and billing applications, and customer-facing system log files all need to be considered in light of the subject access rights of GDPR.

To fulfill requests, you must put some thought into how a customer’s data backups should be structured so you can facilitate access requests. An access request may be fairly easy to facilitate by using third-party search tools on live systems. However, if the search could be disruptive to business operations, you may need to conduct it against a backup or virtualized host.

Consider the following areas where personal data is likely to be found:

• Billing Database—Since this is a business record of financial transactions, you may need to retain everything for seven or more years. The billing database backup retention period should be disclosed to the customer and aligned with regulatory or governmental requirements.
• Tech Support Database—The transactions in the database may be able to be provided upon a subject access request. However, you may still need to retain the data in the backups for a period of time. You should disclose your retention periods for tech support data to the customer.
• Marketing Database—The marketing database backup retention period should be disclosed to the customer. The retention period should be shortened to facilitate the timely removal of the data subject’s information.
• Email Correspondence—It may be an arduous process to review and access all emails with the data subject’s information and to redact personal data of other data subjects’ from email correspondence in order to promptly respond to this request.

Clearly, different data backup retention strategies overwrite policies, and differential backup configurations will play a vital role in determining what information is backed up, how it gets backed up, and how long the backup is retained. MSPs and IT providers will need to work closely with their customers to determine the right backup strategy utilized and the right backup retention policy to be able to meet data subject requests under GDPR.

For even more on GDPR, click here to visit our GDPR resource center 

 

This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how the EU General Data Protection Regulation (GDPR) may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information.