In force since 25 May 2018, the European Union's General Data Protection Regulation (GDPR) has pushed many organizations to sharpen their focus on the data processing and security measures the regulation mandates. But what about the processes that sit at the intersection of GDPR and disaster recovery?
The GDPR never uses the phrase "disaster recovery." But a disaster that leaves an organization unable to meet its obligations, whether restoring access to personal data, answering data subject requests, or notifying the supervisory authority of a breach within 72 hours (Article 33), can still draw fines of up to 20 million euros or 4% of worldwide annual turnover (Article 83).
So, what types of disasters should an organization watch out for? Let's cover a few scenarios.
Ransomware. An organization hit by a devastating ransomware attack cannot answer data subject requests, and often cannot even determine which personal data was affected, let alone demonstrate that its safeguards are in place. Note that the definition of a personal data breach in Article 4(12) covers destruction, loss and alteration of personal data, not only disclosure, so an encrypted data store can itself be a reportable breach.
External attack. A threat actor who gets in typically establishes persistence, for example by creating extra accounts and granting them elevated access, so that closing the original foothold is not enough. Because Article 32 requires organizations to implement and maintain appropriate technical and organizational measures, you need the ability to recover the environment to a known-good state. That means a restore point from before the intrusion, not simply the most recent backup, which will faithfully restore the attacker's accounts along with everything else.
Service outage. Article 32(1)(c) of GDPR ("Security of processing") requires "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident." A prolonged outage of a system holding personal data is therefore a compliance problem even if no data is lost or disclosed.
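To make the "known-good state" in the external-attack scenario concrete, here is an added example (not from the original article) that diffs the privileged accounts found in each candidate restore point against an approved baseline, so you can tell which restore point predates the attacker's persistence rather than blindly restoring the newest one. The account names, group names, dates and the choice of which groups count as privileged are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Groups whose membership we treat as privileged (assumption for this example).
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Administrators", "sudo"})


@dataclass(frozen=True)
class Account:
    name: str
    groups: FrozenSet[str]


def privileged_names(accounts: List[Account]) -> FrozenSet[str]:
    """Names of accounts that hold at least one privileged group membership."""
    return frozenset(a.name for a in accounts if a.groups & PRIVILEGED_GROUPS)


def unexpected_privileged(baseline: List[Account], snapshot: List[Account]) -> FrozenSet[str]:
    """Privileged accounts in a snapshot that the approved baseline does not know about.

    A non-empty result is the persistence pattern described in the article: an account
    that was created or elevated without going through the approved process.
    """
    return privileged_names(snapshot) - privileged_names(baseline)


def last_clean_restore_point(
    baseline: List[Account],
    restore_points: List[Tuple[date, List[Account]]],
) -> Optional[date]:
    """Most recent restore point whose privileged accounts match the baseline exactly.

    Restoring anything newer would bring the attacker's accounts back with it.
    Returns None if every restore point already contains unexpected privileged accounts.
    """
    clean = [
        taken for taken, accounts in restore_points
        if not unexpected_privileged(baseline, accounts)
    ]
    return max(clean) if clean else None


# Constructed sample data: an approved admin list and three nightly restore points.
BASELINE = [
    Account("alice.admin", frozenset({"Domain Admins"})),
    Account("svc_backup", frozenset({"Administrators"})),
    Account("bob", frozenset({"Domain Users"})),
]

RESTORE_POINTS = [
    (date(2018, 6, 1), BASELINE),
    # 2 June: attacker creates "helpdesk2" and adds it to Administrators.
    (date(2018, 6, 2), BASELINE + [Account("helpdesk2", frozenset({"Administrators"}))]),
    # 3 June: attacker also elevates the existing "bob" account.
    (date(2018, 6, 3), [
        Account("alice.admin", frozenset({"Domain Admins"})),
        Account("svc_backup", frozenset({"Administrators"})),
        Account("bob", frozenset({"Domain Users", "Domain Admins"})),
        Account("helpdesk2", frozenset({"Administrators"})),
    ]),
]


if __name__ == "__main__":
    for taken, accounts in RESTORE_POINTS:
        print(taken, "unexpected privileged:", sorted(unexpected_privileged(BASELINE, accounts)))
    print("last clean restore point:", last_clean_restore_point(BASELINE, RESTORE_POINTS))
```

The baseline has to come from a source the attacker could not have edited, such as an approved access list or change records, not from the directory as found after the intrusion; and this check only covers one persistence technique, so treat a "clean" result as a necessary condition for a restore point, not proof that it is free of other backdoors.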
Planning your GDPR and disaster recovery strategy
So, what steps should you take to ensure your GDPR and disaster recovery strategy is sufficient?
- Identify systems and applications that either contain or process GDPR-protected data.
- Review the current recovery point objectives (RPO) and recovery time objectives (RTO) for those systems and applications, and ask whether the recovery outcome they define reasonably meets the intent of the Article 32 text quoted above.
- Define a recovery plan that restores service availability within those objectives, then work backward to the backup or replication schedule that can actually deliver them. Rehearse the restore: an untested backup proves nothing about your RTO.
You may also need to rethink your backup strategy. A system whose RPO is measured in minutes cannot be protected by nightly backups; to meet that recovery requirement it may need to move from scheduled backups to virtual machine or storage replication that provides near-real-time service availability.
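As an added example, not part of the original article, the following script applies the three steps above to a small constructed inventory: it flags systems holding GDPR-protected data whose backup interval cannot satisfy their RPO or whose last restore test exceeded their RTO, and suggests replication where the RPO is too tight for scheduled backups. The system names, objectives, intervals and the 15-minute replication threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional

# Assumption for this example: an RPO below this threshold is not realistically
# achievable with scheduled backups and calls for continuous replication instead.
REPLICATION_THRESHOLD = timedelta(minutes=15)


@dataclass
class SystemRecord:
    name: str
    holds_personal_data: bool
    rpo: timedelta                        # maximum tolerable data loss
    rto: timedelta                        # maximum tolerable time to restore access
    backup_interval: Optional[timedelta]  # None means continuous replication
    measured_restore: Optional[timedelta]  # duration of the last restore test, None if never tested


def assess(system: SystemRecord) -> List[str]:
    """Findings for one system; an empty list means its protection matches its objectives."""
    findings: List[str] = []
    if not system.holds_personal_data:
        return findings  # out of scope for this GDPR-focused check

    # Worst-case data loss is one full backup interval, so it must not exceed the RPO.
    if system.backup_interval is not None and system.backup_interval > system.rpo:
        remedy = "consider replication" if system.rpo < REPLICATION_THRESHOLD else "back up more often"
        findings.append(f"backup interval {system.backup_interval} exceeds RPO {system.rpo}; {remedy}")

    # An untested restore proves nothing about the RTO.
    if system.measured_restore is None:
        findings.append("restore never tested; RTO unverified")
    elif system.measured_restore > system.rto:
        findings.append(f"last restore took {system.measured_restore}, RTO is {system.rto}")

    return findings


def assess_inventory(inventory: List[SystemRecord]) -> Dict[str, List[str]]:
    """Map each system that has at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for system in inventory:
        findings = assess(system)
        if findings:
            report[system.name] = findings
    return report


# Constructed sample inventory.
INVENTORY = [
    SystemRecord("crm", True, rpo=timedelta(hours=1), rto=timedelta(hours=4),
                 backup_interval=timedelta(hours=24), measured_restore=timedelta(hours=3)),
    SystemRecord("payments-db", True, rpo=timedelta(minutes=5), rto=timedelta(hours=1),
                 backup_interval=timedelta(hours=1), measured_restore=None),
    SystemRecord("hr-files", True, rpo=timedelta(hours=24), rto=timedelta(hours=8),
                 backup_interval=timedelta(hours=24), measured_restore=timedelta(hours=2)),
    SystemRecord("build-server", False, rpo=timedelta(days=7), rto=timedelta(days=2),
                 backup_interval=timedelta(days=7), measured_restore=None),
]


if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The two comparisons are the heart of the check: the backup interval bounds your worst-case data loss, so it has to fit inside the RPO, and only a measured restore tells you whether the RTO is achievable. Keep the inventory and the restore test results, since they are the evidence you would show a supervisory authority.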
Like most regulations, GDPR isn't prescriptive about execution. In many ways, this helps your position when working on GDPR and disaster recovery: instead of jumping through technical hoops to satisfy a requirement written half a world away, you can take sensible, proportionate steps toward the outcome the regulation asks for. Do document the objectives you chose and the restore tests that show you can meet them; under the accountability principle (Article 5(2)) you have to be able to demonstrate compliance, not merely intend it.