General Data Protection Regulation (GDPR) compliance considerations for backup and storage infrastructure

Acronis Cyber Protect
formerly Acronis Cyber Backup

Businesses and public institutions based in the European Union (EU) have doubtless heard by now about the General Data Protection Regulation (GDPR), a new body of privacy regulations that goes into effect on 25 May 2018.

What may not be immediately obvious to parties based outside of the EU is that this new regulatory regime applies to all companies worldwide that trade in the EU and deal with EU customers online. If you have customers or partners that operate within the EU’s borders, you need to learn about GDPR today, and start taking steps quickly to bring your business into compliance with it, or face heavy economic penalties that could adversely affect your company’s ability to profitability conduct business there.

GDPR’s focus is on protecting the individual privacy rights of EU citizens, and compared to previous EU privacy legislation greatly expands the definition of what constitutes personal, private data to include not just financial, government and medical records, but also genetic, cultural, and social information. Businesses must now gain the explicit consent of an individual before using their personal data, and must also honor their “right to be forgotten”, i.e., to have all personal data held by the business to be deleted at the user’s request.

Businesses must also meet a number of new requirements to demonstrate their ongoing compliance with GDPR, appointing one individual responsible for the company’s GDPR issues (the so-called “Data Protection Officer”), reporting on any and all data breach incidents, and storing personal data within the physical confines of the EU. The latter reflects the EU’s concerns that countries outside the EU do not have similarly high standards for the data privacy of individual citizens, and that data stored outside the EU is at greater risk of surveillance by government intelligence agencies and criminal actors.

Understanding GDPR Through the Lens of Sarbannes-Oxley (SOX)

For IT professionals of a certain age, the challenges presented by GDPR compliance may be reminiscent of the USA’s Sarbanes-Oxley Act (SOX) from the early 2000s. Like GDPR, SOX was a strict new regulatory regime imposed on all types and sizes of companies. Although it was imposed unilaterally by the United States for businesses operating within its borders, it represented such a huge market that companies around the world were affected. Like the EU with GDPR, the US created an aggressive timeline for compliance and enforced its regulations with hefty fines. And just as GDPR is doing now, SOX created a lot of confusion and anxiety among the businesses under its scrutiny, particularly around the costs of compliance.

In other respects, IT professionals in 2017 and 2018 have it easier than their early-21st-century counterparts. For instance, businesses have access to better technology today to support reporting requirements, proving to authorities that they have the requisite policies, controls and procedures in place to support GDPR compliance. Governance, risk management and compliance (GRC) control frameworks have evolved significantly over the last decade, as has the discipline of policy lifecycle management. Thanks in part to regulations like SOX the 1995 EU Data Protection Directive, companies have a better handle on privacy impact assessment and data access governance. Greatly improved, more automated tools for data breach monitoring, reporting and mitigation are now available.

But the world has also evolved since the days of SOX in ways that complicate GDPR compliance. Data storage has increased massively in speed, volume, diversity of media (including cloud storage) and complexity.

GDPR compliance has implications for privacy impact assessment, data access governance, and data breach notification and resolution, topics which we will not address here. This paper instead focuses on GDPR compliance specifically as it relates to the secure storage and protection of active data, including data archiving and deletion.

GDPR General Terminology

To understand GDPR as it relates to data storage and data protection, it is useful to understand the following basic terminology:

  • Data subject A citizen of the EU who is identifiable by their personal data. This may include a consumer making an online purchase, a patient of a healthcare system, a citizen accessing online government services, a user of social media applications: any individual providing personal information to use some service
  • Controller A business operating within the EU — or outside of the EU but dealing with EU residents — that captures sensitive data about EU residents in the course of its operations. Examples include: a business accepting online orders, addressees, and payment card information from consumers; a healthcare provider that maintains patient records. (See below for help in determining whether your business functions as a processor or a controller.)
  • Processor A commercial business like a cloud service provider that acts as a contractor to a controller, i.e., another business serving EU citizens that captures sensitive data on individuals. Examples include application hosters, storage providers, and providers of cloud services like backup
  • Personal data “Any information relating to an identified or identifiable natural person.” This is more broadly defined by the EU than other governments, and includes the EU citizen’s name, email address, social media posts, physical, physiological, or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, etc.
  • Right to be forgotten The right of every EU citizen “to have his or her personal data erased and no longer processed.” Individuals may request the deletion of all of their personal data stored on a controller’s servers. There remains some ambiguity on this particular issue. Does a request to be forgotten also require removal of data from backups (problematic in serial backup media like tape)? What happens when a right to be forgotten request conflicts with a business’s data retention policies for archiving and legal purposes?
  • Personal data breach “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Businesses must report every data breach incident to “the supervisory authority” within 72 hours of becoming aware of it.

Identifying Your Place in the GDPR Hierarchy

In order to understand your obligations under GDPR, you must first determine whether your business functions as a controller or as a processor by considering these three questions:

  1. 1 Do you keep or process any of the personal data of EU residents?
  2. 2 Do you decide which specific items of personal data are going to be stored?
  3. 3 Do you decide how to use the personal data that is stored under your control?

If you answer yes to Question 1 only, you function only as a processor in the GDPR framework. If you answer yes to Questions 1, 2 and 3, you are a controller.

As a controller or process that must make your storage and data protection of personal data GDPR compliant, you will also have to consider the following questions:

  1. Can you pinpoint, specify and control the physical location of the storage of any personal data under your control? This is especially important if you use or provide cloud-based data protection and/or storage, where personal data has the potential to be spread across multiple physical locations in data centers around the world, including outside of the EU.
  2. How are you structuring the personal data you are storing? Choices in data format have implications for your ability to read, modify and delete specific items of personal data at the request of users. Data structures that support fast, efficient searching will be of particular value in supporting these requests at scale.

Understanding Privacy Protection Failures

Your ability to attest to the privacy, integrity, accessibility, and erasure of personal data relies in part on your ability to protect against and recover from failures in data storage, backup and recovery. These failures fall into three distinct categories:

  • Device failures — the physical failure of any storage hardware component, including disk drives, storage controllers, and data centers. Examples include: a hard disk drive accidentally exposed to magnetic field, resulting in its partial erasure.
  • Logical or soft failures — failures due to human errors, Examples include: the accidental deletion or overwriting of files in the course of executing a backup procedure, accidental file data corruption due to a bug or error in a script or business application; accidental deletion of a hard drive’s master boot record.
  • Security breaches — failures due to forceful, malicious attacks on IT infrastructure, including networks, servers, applications and endpoints, including those by malicious insiders, online criminals, and hostile state actors. Example include: a ransomware attack that applies unbreakable encryption to contents of a hard drive and demands an online payment in return for the decryption key.

Supporting Data Subject Requirements for Control of Their Personal Data

In addition to protecting against various types of data protection failures, and reporting to EU authorities when breaches occur, controllers have a number of obligations to the users whose personal data they are storing. Controllers must support the ability of users to:

  • Access, read and edit their personal data
  • Easily delete their personal data, either directly or with a simple request to you
  • Export their personal data in an easily-readable format

Complying with user requests may not always be simple. For example, it is easy to address clear-cut requests like, “Delete my mailbox and its entire contents”, not so easy to comply with more complex or ambiguous requests, like “Delete all my comments in this online forum.”

Broader GDPR Requirements for Data Protection and Storage

Businesses that function as processors have additional obligations they must meet. Including:

  • Offer sufficient guarantees that their services meets GDPR technical and organizational requirements
  • Eschew the use of subcontractors to support service contracts between the processor and their clients (controllers) without the express consent of the controller
  • On termination of a service contract, remove all data from their cloud and/or data center infrastructure, and provide sufficient proof that they have done so
  • Report data breach incidents to the regulatory body.

The EU is serious about enforcing compliance, wielding the threat of painful financial penalties for businesses that cannot demonstrate their compliance or are caught in clear violation of GDPR rules protecting user privacy. For example, failing to maintain written records, to implement various technical and organizational measures, and/or to appoint a Data Protection Officer can cost the offending business a fine of €10 million or 2% of annual global revenue (whichever is greater). Suffering a data breach or committing a violation of data subject’s rights, e.g., losing or deleting their data without permission, can incur even stiffer fines of €20 million or 4% of annual global revenue (whichever is greater).

Broadly speaking, to achieve GDPR compliance in the areas of data storage and data protection (backup), processors and controllers should seek infrastructure and services solutions that meet the following technical requirements:

  • Data subject control of personal data storage location. You must be able to honor the wishes of the individuals whose data you control or process as to where their personal data is stored: on-premises and/or in a specific EU-based data center.
  • Data encryption. You must provide strong encryption of any personal data located on your endpoints as well as in transit over your local- and wide-area networks and in the cloud. The encryption process should be entirely automated, with the data subject as the sole holder of the decryption key.
  • Data search inside backups. You should be able to search backups at a granular level, making it easy to find required information on behalf of data subjects.
  • Ability to modify personal data. You should be able to easily copy, modify and delete personal data at the request of data subjects.
  • Data export in a common format. You should be able to export personal data in a common and easily usable format (e.g., ZIP archives)
  • Quick data recovery. You should be able to restore personal data quickly from backups in the event of a storage device failure, software or operator error, or security breach (e.g., a ransomware attack)

Likewise, processors and controllers should consider the following GDPR rules when choosing storage and data protection infrastructure and services:

  • Cross-border data transfers. Any transfer outside the borders of the EU must be transparent and secure. Service providers must be able to specify the locations where personal data is stored at the specific request of data subjects.
  • Breach notification. In the event of data breach, a processor must be able to notify controllers and customers of any risks within 72 hours.
  • Right to access. Backup and storage must support the rights of data subjects to obtain information from controllers as to whether their personal data is being processed. Controller must be able to provide a copy of data free of charge. Backup files must be available to data subjects 24/7. Personal data in a backup or storage account must be deletable by or at the request of the data subject.
  • Right to be forgotten. When data is no longer relevant to its original purpose, data subjects must be able to demand that a controller erase their personal data on request.
  • Data portability. Data subjects must be able to obtain and reuse their personal data for their own purposes by transferring it across different IT environments. This requires the ability to download personal data in an easily-portable format.
  • Data Protection Officers. One employee who owns ultimate responsibility for GDPR compliance, known as the Data Protection Officer, must be designated in any public authority or large organizations (of 250 employees or more).
  • Privacy by design. Controllers and processors must implement appropriate technical and organizational measures, such as pseudonymization, that are designed to implement data protection principles.

Conclusion

The 25 May 2018 deadline for GDPR compliance is looming, and the penalties for non-compliance are significant, but every business, institution and service provider that serves EU citizens can take steps now to prepare for it. Start by recognizing how GDPR strengthens and broadens the definition of individual privacy rights versus previous privacy regimes like the 195 Data Protection Directive. Get comfortable with the new terminology created by GDPR to understand your place in the framework. And start attacking the compliance challenge in ways that are significant to personal data privacy protection and well within your span of control, like moving to improve your data protection and storage infrastructure and services to accommodate its new requirements.

For further information, see:

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.