June 6, 2018
Disaster Recovery and GDPR

By Ashley Neely

The General Data Protection Regulation (GDPR), which became effective on May 25, 2018, is an overhaul of the European’s data protection rules. It was passed in an attempt to keep up with the creation of huge amounts of personal data, and alters how businesses handle the information of their customers.

The GDPR has two primary goals:

  1. Provide citizens and residents with control over their personal data
  2. Harmonize the regulatory environment for international business by unifying the regulation within the EU, so that any business that holds personal data of EU citizens is accountable under the GDPR. Because GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.

Companies and individuals found non-compliant are subject to fines of up to 20 million euros (approximately $23.5 million) or 4 percent of a company’s total worldwide annual turnover of the preceding financial year—whichever is higher.

Learn what your IT team needs to know about ensuring GDPR compliance for your disaster recovery (DR) solution below.

GDPR Implications for Disaster Recovery

Companies subject to the GDPR are accountable for handling personal information appropriately, including implementing necessary technical and organizational measures and ensuring "the confidentiality, integrity, availability, and resilience of systems and services processing personal data." (Article 32).

In cases where processing of the data is outsourced, the company's vendors must also implement appropriate measures to guarantee GDPR compliance.

As it relates to DR, these obligations are therefore two-fold.  First, a company handling customer data, is required to have an adequate DR solution that will guarantee the availability and access to personal data in case of a disaster.  Second, if the DR solution is outsourced, that DR vendor is the company’s “data processor” and must also meet GDPR obligations.

Key Considerations for Ensuring Your Disaster Recovery Solution is GDPR Compliant

Six Considerations to Ensure Your Disaster Recovery Solution is GDPR Compliant.png

     1. Security

Your organization must have a comprehensive suite of security controls and be able to demonstrate processes around the security, availability, recovery and testing of the IT systems you have implemented around disaster recovery. These systems should be up to industry standard requirements and ensure timely and successful recovery of data without risk of exposing a customer’s data to outside forces or in any way breach confidentiality.

      2. Testing

Testing of the disaster recovery solutions recoverability, integrity, backups and security¾ should be completed on a regular basis and be properly documented to verify that your protocols are in line with compliance. This is one of the most important areas to focus on in terms of compliance.

      3. Backup

Ensure that data is backed up frequently enough to both maintain GDPR compliance and ensure that customers can access, change, or erase their data. 

      4. ISO27001

ISO27001 Certification is also a valuable tool to ensure alignment with GDPR regulations. ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. Many of the ISO27001 policies tie-in directly with the GDPR policies that concern processes around disaster recovery. If your company is ISO27001 compliant, but your disaster recovery provider is not, then your ISO27001 certification may be invalid.

      5. Recovery Timeline

In addition to checking your disaster recovery provider’s certification status, you also need to know their estimated times for achieving full service in case of disaster, and how much data could be lost in the process. While you likely are already familiar with their stated rrecovery time objectives (RTOs) and recovery point objectives (RPOs), there should also be fail-safes in place in the event these objectives can’t be met.

      6. Breach Process

Ensure that you and your DR vendor have data breach processes in place. Develop a security incident response plan which sets out the actions to take in the event of an incident, including identification, containment, eradication, recovery and follow-up.

As a data controller, you are required to report a breach within 72 hours after discovery.  What process does your DR vendor have in place to notify you of the breaches?

OVHcloud is Committed to GDPR Compliance

Combined with Zerto’s Continuous Data Protection (CDP), the OVHcloud DR solution allows applications to  be recovered with near-zero data loss, whether the cause of failure is a system failure or intentional attack. Additionally, data and Application access and sovereignty can be protected with VMware NSX®, which can also provide encryption. We also have multiple levels of monitoring and alerting across all of our services, in addition to being able to ship logs to customer implemented systems.

With Hosted Private cloud, OVHcloud customers can test and refine the disaster runbook for their organization as often as they like for no additional cost. And combining RPOs of seconds and RTOs of minutes, OVHcloud can help you make sure you have backups for your backups so you can achieve true IT resiliency.

Learn more about the GDPR or explore the OVHcloud Disaster Recovery as a Service (DRaaS) solution.