6 Considerations for Ensuring Your Disaster Recovery Solution is GDPR Compliant

By Ashley Neely

The General Data Protection Regulation (GDPR), which has applied across the EU since May 25, 2018, is an overhaul of Europe's data protection rules. It was adopted to keep pace with the vast amounts of personal data that organizations now create and process, and it changed how businesses must handle the information of their customers.

The GDPR has two primary goals:

  1. Give individuals control over their personal data
  2. Harmonize the regulatory environment for international business by unifying the rules within the EU, so that businesses handling the personal data of individuals in the EU, including many businesses established outside it, are accountable under the GDPR. Because the GDPR is a regulation rather than a directive, it is directly binding and applicable in every member state without national enabling legislation.

Organizations found non-compliant are subject to administrative fines of up to 20 million euros (approximately $23.5 million) or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.

Learn what your IT team needs to know about ensuring GDPR compliance for your disaster recovery (DR) solution below.

GDPR Implications for Disaster Recovery

Companies subject to the GDPR are accountable for handling personal data appropriately, including implementing appropriate technical and organizational measures. Article 32 lists among those measures "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" and "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident".

Where processing is outsourced, the company (the data controller) may use only processors that provide sufficient guarantees of appropriate measures, and the relationship must be governed by a written contract that sets out the processor's obligations (Article 28).

As it relates to DR, these obligations are therefore two-fold. First, a company handling personal data must have an adequate DR solution that restores availability of, and access to, that data in a timely manner after a disaster. Second, if the DR solution is outsourced, the DR vendor holds copies of the personal data and is the company's data processor, so it must meet the GDPR's processor obligations as well.

Key Considerations for Ensuring Your Disaster Recovery Solution is GDPR Compliant


      1. Security

Your organization must have a comprehensive suite of security controls and be able to demonstrate its processes for the security, availability, recovery, and testing of the IT systems that make up its disaster recovery solution. Remember that replicas and backups are full copies of personal data: they must be protected to the same standard as production, with encryption of data in transit to the DR site and at rest there, access restricted to the people and systems that need it, and the same logging and monitoring, so that a recovery can be completed in time without exposing personal data to unauthorized parties or otherwise breaching confidentiality.

      2. Testing

Article 32 also calls for a process for regularly testing, assessing, and evaluating the effectiveness of your measures. Test the DR solution's recoverability, the integrity of restored data, the backups themselves, and the security controls around them on a regular schedule, and document each test (scope, date, result, and any gaps found) so you can show an auditor or supervisory authority that your protocols are in line with compliance. This is one of the most important areas to focus on.

      3. Backup

Ensure that data is backed up frequently enough to meet your recovery point objective and your GDPR obligations, so that individuals' rights to access, rectify, or erase their data can still be honored after a recovery. Backups and replicas contain personal data too: know what personal data they hold and how long it is retained, and make sure a rectification or erasure already carried out in production is not silently undone when an older backup or snapshot is restored.

      4. ISO 27001

ISO 27001 certification is also a valuable tool for aligning with the GDPR, although it does not by itself establish GDPR compliance. ISO 27001 is a specification for an information security management system (ISMS), a framework of policies and procedures covering the legal, physical, and technical controls involved in an organization's information risk management. Many ISO 27001 controls, for example those on backup, supplier relationships, business continuity, and incident management, map directly onto the GDPR's requirements for processes around disaster recovery. Your DR provider is a supplier within the scope of your ISMS: if your company is ISO 27001 certified but your provider cannot show equivalent controls, you must assess and document that supplier risk, and an auditor may treat an unmanaged gap as a nonconformity.

      5. Recovery Timeline

In addition to checking your disaster recovery provider's certification status, you also need to know its estimated time to restore full service after a disaster, and how much data could be lost in the process. Make sure its stated recovery time objectives (RTOs, the maximum acceptable time to restore service) and recovery point objectives (RPOs, the maximum acceptable data loss, measured as the time since the last consistent copy) match your own requirements, confirm them with your own restore tests, and agree in advance what happens if they cannot be met: an escalation path, a fallback recovery method, and contractual remedies.

      6. Breach Process

Ensure that you and your DR vendor both have data breach processes in place. Develop a security incident response plan that sets out the actions to take in the event of an incident (identification, containment, eradication, recovery, and follow-up with lessons learned), and make sure it covers incidents affecting the DR environment, not only production.

As a data controller, you must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33); where the breach is likely to result in a high risk, you must also inform the affected individuals (Article 34). A processor, in turn, must notify its controller without undue delay after becoming aware of a breach (Article 33(2)). What process does your DR vendor have in place to notify you of breaches, and how quickly does your contract require it to do so?

OVHcloud is Committed to GDPR Compliance

Combined with Zerto's Continuous Data Protection (CDP), the OVHcloud DR solution allows applications to be recovered with near-zero data loss, whether the cause of failure is a system fault or an intentional attack. Additionally, data and application access and sovereignty can be protected with VMware NSX®, which can also provide encryption. We also have multiple levels of monitoring and alerting across all of our services, and we can ship logs to customer-implemented systems.

With Hosted Private Cloud, OVHcloud customers can test and refine their organization's disaster recovery runbook as often as they like at no additional cost. With RPOs of seconds and RTOs of minutes, OVHcloud can help you make sure you have backups for your backups so you can achieve true IT resiliency.

Learn more about the GDPR or explore the OVHcloud Disaster Recovery as a Service (DRaaS) solution.
