GDPR brings several major data management requirements for all basic solutions for businesses that deal with data of EU citizens, including businesses that do not operate in the European Union, but the process or store data of any person from the EU. In today’s article, we will focus on GDPR and data storage compliance.
Table of Contents
GDPR and Data Management
Being GDPR compliant means that you may have to revise your data management and data storage policies. Here is what you need to know.
Data should be located in the EU
Personal data that is associated with EU citizens should be processed and stored within EU borders. However, there are exclusions from that rule and further in the article, we will explain what you should do to remain your data in its current location.
You Should be able to Find, Recover, Change, and Delete Data Fast
You should be able to search, change or delete data on demand. The so-called “right to be forgotten” means that you should delete any personal data associated with a user as soon as possible by any request from the subject of personal data. You should also be ready to give the subject a full list of personal data that you process or store, as well as the legal basis for storing the data in the first place.
The ability to delete data will also help in case you, as a data controller, terminate a contract with a processor. In that case, all data should be removed from the cloud and the processor should provide sufficient proof that data is deleted. Note: If you do need more information on the differences between “data controller” and “data processor”, refer to our overview of GDPR terms.
GDPR makes it problematic, and maybe impossible, to store backups on tape. Anyone who has dealt with data backups on tape should know how hard would it be to find, change, delete or recover data of the given user on demand. We recommend you start moving your archives from tape to cloud archive storage (for example, Amazon Glacier, Google Cloud Coldline, Microsoft Azure Archive Storage).
The Note: The “Right to be Forgotten” can be postponed for as long as you have a legal right and consent to process or store personal data. In other words, if you have a legal agreement between you and a subject of personal data that you will store personal data for 5 years, and the subject demands to delete his/her personal data, you can perform the deletion after 5 years. These actions may need to be defended in front of legal authority and you should be able to prove your legal right to store and process the personal data.
Prevent any Data Breaches at All Costs
The key point of the upcoming GDPR compliance is data safety. GDPR does not state directly how you should protect data and the exact retention policies (unlike HIPAA, for example). Under GDPR, you should take all necessary precautions to prevent a possible breach and store data as long as it is legally compliant.
Basically, it means that you define the needed retention for different types of data in your contract with users and data processors.
You should pay attention to:
- Data encryption. By encrypting data, you make unauthorized access more difficult. However, keep in mind that even the name of files can be a matter of issue in a data breach. As an example, you encrypt the contents of a file, but the file name itself reveals personal information, like a name or account number. You might want to encrypt filenames as well, but you’ll still be required to find the data, delete and change it under “Right to be Forgotten”
- If a data breach has occurred, you should contact the authorities within 72 hours. You should also contact all subjects affected by the data breach. If all leaked files had their filenames encrypted and you are sure that no subjects are affected, you only need to contact the authorities.
Note: You should notify the affected subjects of a data breach where the data could potentially cause harm to the information security of the given subject.
GDPR Compliant Cloud Storages
Here is the list of GDPR compliant cloud storage providers.
- Amazon S3 / Amazon Drive
- Google Cloud Platform / Google Drive
- Microsoft Azure / Microsoft OneDrive
- Backblaze B2 Cloud Storage
- Wasabi Hot Storage
- Oracle Cloud
- and others
This list certainly doesn't include all GDPR compliant solutions, there are many more. But we have chosen the most well-known cloud storage services.
Backup Compliance with MSP360
MSP360 Backup has a number of features that can help your company achieve and maintain compliance.
Flexible Storage Location Control for Compliance
MSP360 Backup supports more than 30 cloud storage vendors; many that manage data centers in all regions around the globe, including the EU. Selecting one of these cloud storage vendors makes it easy to migrate EU data from cloud storage outside the EU to cloud storage within the EU. If you need to change storage vendors to one that helps you be GDPR compliant, CloudBerry Backup makes that easy as well.
Note: You do not necessarily need to re-upload all the data and move your storage location. If the user has given “explicit permission” to store and process data abroad, you are GDPR compliant. That “explicit permission” could be added to your terms of service agreement.
Encryption to Protect Data
MSP360 Backup supports a few different types of encryption:
- Encryption of the contents of files with customer-controlled encryption keys
- Server-side-encryption to encrypt the data at rest (if supported by the cloud storage vendor)
- Filename encryption for local and cloud storage (if supported by the cloud storage vendor)
- Secure, encrypted connections between MSP360 Backup and cloud storage
Using these options makes access to the underlying data nearly impossible in a data breach.
Search Data Inside Backups to Quickly Delete
Whenever the subject of personal data opts to exercise their “right to be forgotten” or demands all personal information that you store be deleted, you can use the search feature in MSP360 Backup to find files and folders that need to be targeted for deletion. Keep in mind, that to stay compliant you should always know where and how the personal data is stored. You should first perform an informational audit of all data processes that can fall under GDPR compliance.