In 2022, there were almost half a billion ransomware attacks worldwide. This tsunami of ransomware has brought file backup and recovery into sharp relief to ensure cyber-resilience and protect data. But it is not just ransomware that has led to a need for robust data backup and recovery. Cyber-attacks and data protection have led to regulatory requirements that set the bar for best practice expectations around how a business backs up and recovers data.
Here is a mini guide to backup and recovery regulations in the UK and Europe.
Why backup data?
Data is at risk from various sources, including cyber-attacks, accidental data leaks, hardware failure, and natural disasters. When data is lost, leaked, unavailable, or stolen, the knock-on impact can be devastating. For example, in 2019 a ransomware attack on Centric Healthcare affected the data of 70,000 people; for 2,500 of them the data was deleted with no backup available. The Data Protection Commissioner subsequently fined Centric Healthcare €460,000 for its response to the incident.
Laws and regulations affecting backup and recovery
Several key laws inform data backup and recovery decisions in Europe. The first is the GDPR. A more recent entrant to the regulatory landscape is the Digital Operational Resilience Act (DORA). Yet another source is the various Freedom of Information laws around the world.
The EU GDPR Articles 17, 32, and 45-47 set clear obligations for data storage and retrieval:
- The “Right to Erasure,” which drives the need to minimise the storage of customer data.
- The “Right to Access,” which requires restoring and accessing personal data promptly.
- Secure backup, using “the pseudonymisation and encryption of personal data.”
Digital operations resilience act (DORA)
The DORA regulation applies to EU and Irish financial services and their ICT providers. Chapter 2, Article 12 of DORA sets out specific backup and recovery requirements for financial services and third-party providers. Requirements include:
- non-modifiable backups
- a logically (and physically) separate restoration environment
- a secondary processing site
- periodic testing of backup and restore procedures
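The last two DORA points above (a separate restoration environment and periodic restore testing) are easy to state and easy to skip. The script below is an added example, not part of the original article or of any vendor's product: it backs up a constructed sample tree with a SHA-256 manifest, marks the backup set read-only as a stand-in for a non-modifiable store, restores into a separate directory, and verifies every restored file against the manifest. The `tamper` switch shows that the check catches a backup file altered after the fact. Paths, file names and sample contents are all constructed for the example.

```python
import hashlib
import json
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_root: Path) -> Path:
    """Copy the source tree into a backup set, write a manifest of file hashes,
    then mark every file read-only. The chmod is only a stand-in for a real
    non-modifiable (WORM / object-lock) store; root can still write to it."""
    backup_set = backup_root / "set-001"
    data_dir = backup_set / "data"
    shutil.copytree(source, data_dir)
    manifest = {}
    for p in sorted(data_dir.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(data_dir))] = sha256_of(p)
    (backup_set / "manifest.json").write_text(json.dumps(manifest, indent=2))
    for p in backup_set.rglob("*"):
        if p.is_file():
            p.chmod(stat.S_IRUSR | stat.S_IRGRP)
    return backup_set


def restore_and_verify(backup_set: Path, restore_root: Path) -> dict:
    """Restore into a directory separate from both source and backup, then
    compare each restored file with the manifest. 'ok' is True only when
    nothing is missing or altered."""
    manifest = json.loads((backup_set / "manifest.json").read_text())
    restored = restore_root / "restored"
    shutil.copytree(backup_set / "data", restored)
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.exists():
            missing.append(rel)
        elif sha256_of(target) != expected:
            mismatched.append(rel)
    return {
        "files": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "ok": not missing and not mismatched,
    }


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end periodic restore test on constructed sample data. With
    tamper=True one backup file is changed after the manifest was written
    (permissions lifted first, as any writer would have to), to show the
    integrity check reporting it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source" / "records"
        source.mkdir(parents=True)
        (source / "patient-1.txt").write_text("constructed sample record\n")
        (source / "patient-2.txt").write_text("another constructed record\n")
        backup_set = make_backup(root / "source", root / "backups")
        if tamper:
            victim = backup_set / "data" / "records" / "patient-1.txt"
            victim.chmod(stat.S_IRUSR | stat.S_IWUSR)
            victim.write_text("modified after backup\n")
        return restore_and_verify(backup_set, root / "restore")


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(tamper=True))
```

A scheduled job that runs `run_restore_test()` against a real backup set and alerts when `ok` is False is the smallest useful form of the "periodic testing" requirement; the restore target must be a machine or bucket that the production systems and the backup store cannot write to, otherwise the test proves nothing about separation.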
Freedom of Information
Ensuring compliance with data protection regulations
Backup and recovery policy
Access control and authentication
Limit storage and minimise data
Data minimisation is a fundamental part of the GDPR principle of “privacy by design.” To comply, limit how long data is stored: do not keep it for longer than it is needed. The retention periods you define should be written into your backup and recovery policy.
Secure deletion and destruction
The GDPR requirement to ensure a subject’s “Right to Erasure” requires demonstrable use of secure deletion and data destruction by a backup system.
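Retention limits (the previous section) and demonstrable erasure (this one) are hard to apply to backups, because the same record lives in many backup copies. One common answer is crypto-shredding: encrypt each data subject's records under a per-subject key, and erase the subject by destroying that key, which makes every backup copy unreadable at once. The code below is an added example, not the article's or any product's implementation; it uses a per-category retention table and an HMAC-SHA256 keystream as a standard-library stand-in for a real AEAD such as AES-GCM, and it records each purge or erasure in a hash-chained ledger so that the erasure can be evidenced later. All record ids, subject ids, retention periods and contents are constructed.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed retention periods per data category, in days; real values come
# from the organisation's backup and recovery policy.
RETENTION_DAYS = {"support-ticket": 90, "billing": 7 * 365}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF-in-counter-mode stream cipher from HMAC-SHA256. Stand-in so the
    example runs without third-party packages; production code should use a
    vetted AEAD (AES-GCM) and never reuse a nonce under one key."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class BackupVault:
    """Records are encrypted under a per-subject key. Expired records are purged
    by category; a subject is erased by destroying their key (crypto-shredding).
    Both actions are appended to a hash-chained ledger."""

    def __init__(self):
        self.records = {}   # record_id -> metadata and ciphertext
        self.keys = {}      # subject_id -> data-encryption key
        self.ledger = []    # hash-chained list of purge/erasure events

    def store(self, record_id, subject_id, category, created, plaintext: bytes):
        key = self.keys.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)
        self.records[record_id] = {"subject": subject_id, "category": category,
                                   "created": created, "nonce": nonce,
                                   "ciphertext": keystream_xor(key, nonce, plaintext)}

    def read(self, record_id):
        """Returns the plaintext, or None once the subject's key has been shredded."""
        rec = self.records[record_id]
        key = self.keys.get(rec["subject"])
        return None if key is None else keystream_xor(key, rec["nonce"], rec["ciphertext"])

    def expired_records(self, now):
        return sorted(rid for rid, r in self.records.items()
                      if now - r["created"] > timedelta(days=RETENTION_DAYS[r["category"]]))

    def _log(self, event):
        prev = self.ledger[-1]["hash"] if self.ledger else "0" * 64
        event = dict(event, prev=prev)
        event["hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.ledger.append(event)

    def purge_expired(self, now):
        """Retention limit: drop ciphertext for records past their category's period."""
        for rid in self.expired_records(now):
            del self.records[rid]
            self._log({"action": "retention-purge", "record": rid, "at": now.isoformat()})

    def erase_subject(self, subject_id, now):
        """Right to Erasure: destroying the key renders every copy unreadable."""
        self.keys.pop(subject_id)
        self._log({"action": "subject-erasure", "subject": subject_id, "at": now.isoformat()})

    def ledger_intact(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.ledger:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    """Walk through a retention purge, a subject erasure and a ledger tamper check
    on constructed data; returns the observations so they can be checked."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    v = BackupVault()
    v.store("r1", "subj-42", "support-ticket", now - timedelta(days=120), b"ticket: constructed sample")
    v.store("r2", "subj-42", "billing", now - timedelta(days=120), b"invoice: constructed sample")
    v.store("r3", "subj-7", "billing", now - timedelta(days=10), b"invoice: another constructed sample")
    expired = v.expired_records(now)        # only the 120-day-old support ticket
    v.purge_expired(now)
    r3_before = v.read("r3")
    v.erase_subject("subj-7", now)
    r3_after = v.read("r3")
    ledger_ok = v.ledger_intact()
    v.ledger[0]["record"] = "r9"            # simulate someone editing the evidence
    return {"expired": expired, "r2_readable": v.read("r2") == b"invoice: constructed sample",
            "r3_before": r3_before, "r3_after": r3_after, "ledger_ok": ledger_ok,
            "ledger_len": len(v.ledger), "tamper_detected": not v.ledger_intact()}


if __name__ == "__main__":
    print(demo())
```

Keys must be held outside the backup media themselves (an HSM or a key-management service), otherwise a restored backup brings the "destroyed" keys back with it and the erasure is not demonstrable.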
Fast search capability
Managed data protection is a critical aspect of being compliant with regulations that affect backup and recovery. Speak to SureSkills experts on adhering to regulations.