In 2022, there were almost half a billion ransomware attacks worldwide. This tsunami of ransomware has brought file backup and recovery into sharp relief as a cornerstone of cyber-resilience and data protection. But it is not just ransomware that has created the need for robust data backup and recovery. Cyber-attacks and data protection concerns have led to regulatory requirements that set the bar for how a business is expected to back up and recover its data.
Here is a mini guide to backup and recovery regulations in the UK and Europe.
Why backup data?
Data is at risk from various sources, including cyber-attacks, accidental data leaks, hardware failure, and natural disasters. When data is lost, leaked, unavailable, or stolen, the knock-on impact can be devastating. For example, the Irish Data Protection Commission fined Centric Healthcare €460,000 over a 2019 ransomware attack that affected the data of around 70,000 patients; for roughly 2,500 of them the data was permanently lost because no backup was available. The fine related not only to the attack itself but to how the organisation had prepared for and responded to it.
Laws and regulations affecting backup and recovery
Several key laws inform data backup and recovery decisions in Europe. The first is the GDPR. A more recent entrant to the regulatory landscape is the Digital Operational Resilience Act (DORA). Finally, there are the various Freedom of Information laws found across the world.
GDPR
The EU GDPR sets clear obligations for how personal data is stored and retrieved. Articles 15, 17 and 32 are the ones that bear most directly on backup and recovery, and Articles 45-47 (transfers of personal data outside the EEA) matter whenever backups are held with a provider in a third country:
- Article 17, the “Right to Erasure,” which drives the need to minimise and be able to remove stored customer data, including copies held in backups.
- Article 15, the “Right of Access,” which requires a controller to locate and supply a copy of a subject’s personal data without undue delay and in any event within one month (Article 12), so backed-up data must be searchable and retrievable.
- Article 32, security of processing, which names “the pseudonymisation and encryption of personal data” as an appropriate measure and, in Article 32(1)(c), explicitly requires “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” This is the GDPR’s direct backup and recovery obligation.
Digital Operational Resilience Act (DORA)
DORA applies to EU financial entities (banks, insurers, investment firms, payment institutions and so on, including those in Ireland) and, through the contracts those entities must put in place, to the ICT third-party providers that serve them. It applies from 17 January 2025. Article 12 of DORA (Chapter II, ICT risk management) sets out specific backup, restoration and recovery requirements. They include:
- backups that cannot be modified once written
- a restoration environment that is physically and logically segregated from the source ICT system when restoring from backup using your own systems
- a secondary processing site for certain entities, separated from the primary site so that a single event does not take both out
- periodic testing of backup and restore procedures
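The two requirements above that are easiest to automate are the non-modifiable backup and the periodic restore test: a backup is only useful if you can prove, on a schedule, that it has not changed since it was taken and that every file comes back intact. The script below is an added example written for this page; it is not code from SureSkills or from any DORA guidance. It assumes a plain tar.gz backup of a directory, a SHA-256 manifest that is written at backup time and kept separately from the archive (in practice on write-once or object-locked storage, which this example does not implement), and a restore into a separate directory. The sample records it backs up are constructed inline so it runs offline. It also refuses archive entries that would escape the restore directory, a check a restore tool should always make.

```python
"""Backup manifest plus restore test: added example, not from the original page.

Assumptions (not from the page): backups are tar.gz files, the manifest is
stored away from the archive, and restores go into a separate directory.
"""
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source; return a manifest of the files and the archive."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    # The archive hash is what a later check compares to detect modification.
    return {"files": build_manifest(source), "archive_sha256": sha256_file(archive)}


def safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield only regular files/dirs whose path stays inside dest (no traversal)."""
    dest_r = os.path.realpath(dest)
    for m in tar.getmembers():
        if not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing non-file member: {m.name}")
        target = os.path.realpath(os.path.join(dest_r, m.name))
        if os.path.commonpath([dest_r, target]) != dest_r:
            raise ValueError(f"path escapes restore dir: {m.name}")
        yield m


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore into restore_dir and compare every file against the manifest."""
    archive_ok = sha256_file(archive) == manifest["archive_sha256"]
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, members=safe_members(tar, restore_dir))
    restored = build_manifest(restore_dir)
    expected = manifest["files"]
    return {
        "archive_ok": archive_ok,
        "missing": sorted(set(expected) - set(restored)),
        "mismatched": sorted(k for k in expected if k in restored and restored[k] != expected[k]),
        "unexpected": sorted(set(restored) - set(expected)),
    }


def restore_test_passed(result: dict) -> bool:
    return result["archive_ok"] and not (
        result["missing"] or result["mismatched"] or result["unexpected"]
    )


def run_demo() -> tuple:
    """Constructed sample data: clean backup/restore, then a tampered archive."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "records").mkdir(parents=True)
        (source / "records" / "patient-001.json").write_text('{"id": 1, "name": "sample"}')
        (source / "records" / "patient-002.json").write_text('{"id": 2, "name": "sample"}')
        (source / "policy.txt").write_text("retention: 7 years\n")

        archive = tmp / "backup.tar.gz"
        manifest = create_backup(source, archive)
        clean = restore_and_verify(archive, manifest, tmp / "restore-1")

        # Simulate a backup that was altered after the manifest was recorded:
        # one record changes and the archive is rewritten, manifest kept as-is.
        (source / "records" / "patient-002.json").write_text('{"id": 2, "name": "ALTERED"}')
        create_backup(source, archive)
        tampered = restore_and_verify(archive, manifest, tmp / "restore-2")
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore passed:", restore_test_passed(clean))
    print("tampered restore passed:", restore_test_passed(tampered), tampered)
```

Run this on a schedule against the real archives and alert when `restore_test_passed` is false. The manifest only proves anything if an attacker who can rewrite the archive cannot also rewrite the manifest, which is why it must live on separate, write-once storage; a hash stored next to the backup it describes is not an immutability control.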
Freedom of Information
Freedom of Information acts exist in over 70 countries worldwide, including across Europe. These acts typically give the public the right to access information held by public authorities, the police, and similar bodies. Freedom of Information laws intersect with data protection regulations such as the GDPR, since personal data in the requested records may have to be withheld or redacted. Notably, to respond to a Freedom of Information request within the statutory deadline, an organisation must be able to search its stored data, including archived and backed-up data, quickly and accurately.
Ensuring compliance with data protection regulations
Many data protection and privacy laws intersect around data backup and recovery obligations. By following some best practices, you will be on the path to backup and recovery compliance:
Backup and recovery policy
A backup and recovery policy is part of your data protection, disaster recovery, and business continuity strategy. The policy will contain the finer points that map to compliance requirements and will inform technical decisions around backup and recovery.
Encryption
Backup systems must encrypt data at rest and in transit, and robust encryption key management must be in place. Under the GDPR, personal data should be stored encrypted to protect it against unauthorised access or processing. Two practical points follow: the keys must be held separately from the backup media, so that stolen or exfiltrated backups are useless without them; and the keys themselves must be backed up and recoverable, because an encrypted backup whose key is lost is no backup at all.
Access control and authentication
Robust authentication used alongside the principle of “least privilege” helps to prevent unauthorised data access. Robust authentication can take many forms, but multi-factor authentication (MFA) is recommended for anyone with access to backup and recovery systems. Backup consoles deserve particular care: ransomware operators routinely try to delete or encrypt backups before encrypting production systems, so administrative access to backups should use separate accounts from day-to-day administration, and deletion should require an additional approval or be blocked by immutability controls.
Limit storage and minimise data
Data minimisation and storage limitation are core GDPR principles (Article 5), reinforced by the requirement for data protection by design and by default (Article 25). To comply, set limits on data storage and do not keep personal data for longer than it is needed. Defined retention periods, including how long backup copies are kept, should be set out in your backup and recovery policy.
Secure deletion and destruction
The GDPR “Right to Erasure” requires an organisation to be able to demonstrate secure deletion and data destruction, and that extends to copies held in backups. Since deleting a single record from an immutable or offline backup is often impossible, regulators such as the UK ICO accept that data in backups may be put “beyond use” until the backup is overwritten on its retention schedule, provided the organisation does not restore or otherwise use that data in the meantime and is clear with the data subject about this. Your policy should document how erasure requests are tracked so that an erased record is not silently reintroduced by a later restore.
Fast search capability
Backup and recovery software must have accurate and fast search capability to meet access obligations, including a data subject access request under the GDPR “Right of Access” and a Freedom of Information request, both of which carry fixed deadlines.
Managed data protection is a critical aspect of being compliant with regulations that affect backup and recovery. Speak to SureSkills experts on adhering to regulations.