GDPR, or General Data Protection Regulation, is a phrase that has become quite popular lately. No surprise there – it is hard not to get interested when you hear about fines which can go up to €20 million or 4% of a company’s annual revenue. Although it is legislation which is introduced by the European Parliament and it concerns personal data of EU residents, it applies to businesses all around the globe. But you probably know that already. What you might not know is that businesses have to review the way they secure and back up their data to comply with the GDPR. But before I get to that, here is some general information on GDPR.
Quick GDPR overview
GDPR is an EU regulation that becomes enforceable as of May 25, 2018. As it is not a directive, national governments do not have to pass any additional legislation. In other words, it applies directly to personal data of all EU citizens and the companies which gather and use that information. Local regulations may also be passed by EU countries but they will not change the basic concepts of the GDPR.
But what is this GDPR all about? It is a privacy protection regulation. Some of the most important points of this regulation are:
- Risk-based approach to personal data protection – companies have to identify and assess risks concerning personal data. In addition, organizations need to adopt security measures adequate to these risks.
- Companies which store any kind of personal data need to protect it against loss and leakage. Article 32 of GDPR states that organizations need to take technical measures to ensure access to personal data in a timely manner. In case of an accident, there needs to be a way to restore lost data. That is where backup proves extremely useful.
- Privacy by design and privacy by default – which means that issues connected to privacy need to be addressed while designing new services and that only the data which is required is collected.
- The right to be forgotten (Right to Erasure) and the right to data portability – new rights of data subjects.
Many people ask “how can an EU law be legally binding for e.g. US-located businesses?” Well, even if you have a small company selling T-shirts, you might have a client from Europe. There is no way to sell products or provide services without collecting some PII. If you have any information about people located in the EU, the GDPR is triggered, and you have to be compliant. You might be skeptical about the global reach of some law introduced in Europe. The feelings were quite similar when CASL (Canada Anti-Spam Legislation) was introduced. The fines for breaking this regulation were imposed on businesses outside Canada then. The difference between CASL and GDPR is that GDPR introduces changes on an even larger scale.
In other words, the only situation in which GDPR does not apply to a company is when the company is located outside the EU and does not process any personal data of EU citizens.
One of the ways to secure important data is to backup emails and documents which include that information. But how to verify if a backup solution helps you achieve GDPR compliance?
What is a GDPR-compliant backup?
Although data backups are not mentioned ‘per se’ in the regulation, there are some points which apply to backups of personal data your company stores:
- The whole Chapter 5 of GDPR is devoted to transfer of data to third countries. There are very strict policies in action if personal data leaves the EU. It does not mean that data cannot be transferred to other countries. You have to make sure that you know where the personal information goes and if its target location is safe. This aspect of GDPR means that, for example, if you use cloud services to backup sensitive data, you need to know where the servers are located. The best solution is to use cloud services which offer you to choose a geo location, or use a soluton which stores data locally.
- Ensure a level of security appropriate to the risk. 32 GDPR states that if a company stores personal data, it needs to implement measures to protect personal information. Although there are different interpretations of what specific security measures should be used, the most important point is that data, especially Sensitive Personal Data, needs to be secure. There are obvious measures, like data encryption and protection against hacker attacks, but it also includes backup. If you want to store and secure Office 365 data, having a local backup is a good practice. When you store elements locally, you are completely independent of any third parties. Moreover, you have access to all personal data at all times.
- GDPR requires organizations to ensure that personal data can be restored in a timely manner in the event of an incident. It means that backup of personal data is a must. At the same time, you need to ensure that your backup solution does not increase the risk of a personal data breach.
Take emails, for example – most professional correspondence is based on email messages. Emails can be easily encrypted and are likely to remain the backbone of secure communication. But it also means that they are used to transfer personal information. Most companies store a tremendous amount of data in their emails. That is data that needs to be backed up. Using cloud backup solutions does not always mean staying compliant with the strict policies introduced by GDPR. It is especially true if you do not have control over where your data stored and what happens to it when you discontinue the service. If you choose a cloud-based services, be sure to choose trusted providers.
It’s a good practice to back up emails and to store them locally. Unfortunately, good old PST files may not be sufficient for this purpose – on their own they do not offer any way of encryption, and they tend to get corrupted, especially as they grow bigger. Also, restoring specific information from PST files might not fit in the term of „a timely manner,” as searching through PST files is a laborious task. If you are looking for a GDPR-compliant backup solution for Office 365, I have a solid proposition for you.
A GDPR-compliant backup solution for Office 365
Office 365 offers some options to archive data and restore deleted content. However, there is no native option to back up items to a separate storage. That is why using third party tools might be necessary in order to comply with the strictest data security policies.
CodeTwo Backup for Office 365 gives you a chance to automatically secure your Office 365 emails (from Exchange Online) in a local storage. A local storage means that you do not have to worry about personal data leaving the country. All sensitive information remains in your hands, without any third party involvement. Storages can be encrypted and secured with a password, offering you a high level of security against attacks from both outside and inside of the company.
Another great thing about this backup tool is that you can access and restore all of your data at any time. You are not dependent on any third-party services. To cap it all, searching for specific information in the storages is quick and the emails you find can be restored to any mailbox you choose. It comes in handy no matter if the data loss was accidental, or purposeful.