How to be compliant with GDPR Article 32
Google "GDPR" and you will see 21.4 million results! As you know, the deadline looms in a matter of weeks, and organisations of all shapes and sizes need to become compliant with this new data protection regulation.
GDPR Article 32
The GDPR is made up of 99 different Articles. Article 32 covers Security of Personal Data and explicitly recommends all organisations adopt data protection controls and the ability for data to be restored “in a timely manner.”
Whilst the Article doesn’t specifically name the solutions, it does call for measures that guarantee the protection of personal data against both physical and technical incidents (for example ransomware attacks).
It’s also clear within GDPR Article 32 that both data and back-ups should be encrypted and that the restore and recovery processes should be regularly tested. The solutions should also provide clear terms with regards to Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
The obvious interpretation of this in terms of actual named solutions is back-up and disaster recovery. Deploying these in an “as a Service” format means that your trusted service provider manages this for you. It means that BaaS and DRaaS are designed, tested and managed by your IT partner.
Backup vs Disaster Recovery: decision making
In terms of back-up, you decide how many copies are needed and where they are stored (there should always be one offline copy).
For Disaster Recovery, you decide how long your business can function without key data and applications, and a customised solution is architected based on that decision. The cloud or a second physical location acts as the target site for replication and recovery of your company’s critical data and applications, based on a real-time recovery point.
GDPR Article 32 compliance
In conclusion, to be GDPR Article 32 compliant, you need to deploy backup and disaster recovery solutions, ensuring that data can be restored in a timely manner in the event of a cyber-security attack or other business continuity disruption such as employee error or power outage.