
Thoughts from Mr. Backup: What can you do to comply with GDPR?

May 24, 2019 W. Curtis Preston, Technical Evangelist

It’s been nearly one year since the General Data Protection Regulation (GDPR) took effect on May 25, 2018. As much as it has been in the news, you might find yourself wondering: what can I do as a system administrator to help my company comply with GDPR? Before we answer that question, let’s do a quick review of what the GDPR is.

Privacy first

The main tenet of the GDPR is to give people privacy and control over their personal data in the digital age: the subject of the data gets to decide which companies may store their personal data and which data they may store. Before making such a decision, the subject should know why the company needs the data, what it is going to do with it, and have assurances that it will be stored properly. Among other things, “properly” storing personal data means ensuring that only those who need to see it are able to see it, and that they are able to see it only when needed.

Many feel the GDPR simply codified what were already considered industry best practices, and a good number of its requirements do indeed fall into the realm of system and database administration. There are five distinct ways that admins can help their companies comply with GDPR. Let’s take a look.

Appropriate access

Only those who need access to a given data set should have it. For example, a doctor should have access to their own patients’ medical records, but that does not mean all doctors should have access to all patients’ medical records. And anyone without a medical reason to see a patient’s records should not have access to them at all.

System and database administrators can help their companies be more compliant by reviewing who has access to different data types and establishing access policies to make sure only those who need access have it.

Account maintenance

Once you ensure that only the appropriate people have access to data, make sure you have a process for deactivating accounts when no longer needed. Human resources and those dealing with contractors should have a process for notifying the appropriate team when individual or group access should be revoked. In addition, there should be some sort of periodic review to make sure that no one has fallen through the cracks.

Separation of powers

The more powers a system or database administrator has, the greater the “blast radius” if they make a mistake or if their credentials are stolen. This is why it is a very good idea to use role-based access control to separate the various powers. For example, one administrator might be able to configure new backups and run them, but not have the ability to delete old backup configurations or old backups. Perhaps the ability to do restores is limited to only a few people. The more you can separate powers, the safer your data, and the personal data within it, will be.
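The three controls above (appropriate access, account maintenance, separation of powers) are all things an admin can check mechanically once the role model is written down. The following is an added example, not code from the original post or from any product it mentions: a periodic access-review script run over a constructed set of accounts. The roles, permission strings, user names and dates are hypothetical; the role model and the conflicting-powers list are what you would replace with your own.

```python
"""
Added example: a periodic access review that flags
  1. access granted beyond what the account's roles justify,
  2. accounts HR has marked as departed that are still active, and
     accounts that have not logged in for a long time,
  3. one principal holding a conflicting pair of backup powers.
All role names, permissions, users and dates below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role model: the data sets / powers each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "attending_physician": {"records:own_patients"},
    "billing_clerk":       {"records:billing"},
    "backup_operator":     {"backup:configure", "backup:run"},
    "backup_custodian":    {"backup:delete"},
    "restore_operator":    {"backup:restore"},
}

# Separation of duties: a single principal must not hold a power from the
# left set together with a power from the right set.
CONFLICTING_POWERS = [
    ({"backup:configure", "backup:run"}, {"backup:delete"}),
]


@dataclass
class Account:
    user: str
    roles: set          # roles assigned by the business
    granted: set        # what the account can actually do today
    active: bool
    last_login: date
    departed: bool = False   # HR flag: person has left or contract ended


def review_accounts(accounts, today, dormant_days=90):
    """Return a list of (user, finding) tuples; an empty list means clean."""
    findings = []
    for a in accounts:
        allowed = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in a.roles))

        # 1. Appropriate access: anything granted that no assigned role needs.
        for extra in sorted(a.granted - allowed):
            findings.append((a.user, f"excess access: {extra}"))

        # 2. Account maintenance: departed people first, then dormant accounts.
        idle = (today - a.last_login).days
        if a.active and a.departed:
            findings.append((a.user, "departed user still active"))
        elif a.active and idle > dormant_days:
            findings.append((a.user, f"dormant for {idle} days"))

        # 3. Separation of duties across the configured conflicting pairs.
        for left, right in CONFLICTING_POWERS:
            if a.granted & left and a.granted & right:
                held = ", ".join(sorted(a.granted & (left | right)))
                findings.append((a.user, f"conflicting powers: {held}"))
    return findings


# Constructed sample data (hypothetical users), reviewed as of the post's date.
TODAY = date(2019, 5, 24)
SAMPLE_ACCOUNTS = [
    Account("dr_alvarez", {"attending_physician"}, {"records:own_patients"},
            True, date(2019, 5, 20)),
    # Billing clerk who was also handed patient records "to be helpful".
    Account("j_smith", {"billing_clerk"},
            {"records:billing", "records:own_patients"}, True, date(2019, 5, 1)),
    # Contractor whose engagement ended, but nobody told the backup team.
    Account("contractor_7", {"backup_operator"}, {"backup:configure", "backup:run"},
            True, date(2018, 11, 2), departed=True),
    # One admin assigned both the operator and the custodian role.
    Account("ops_lee", {"backup_operator", "backup_custodian"},
            {"backup:configure", "backup:run", "backup:delete"},
            True, date(2019, 5, 23)),
    # Intern account never deactivated after the placement ended.
    Account("old_intern", {"billing_clerk"}, {"records:billing"},
            True, date(2019, 1, 10)),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:14} {finding}")
```

The point of the third check is that creating a separate custodian role is not enough on its own; someone will eventually be assigned both roles for convenience, and the review has to catch that rather than trust the role names. Feed the script from your directory and HR exports instead of the constructed list and run it on a schedule, so that the “periodic review” is a job rather than a good intention.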

Encryption is strongly encouraged

In addition to having a solid intrusion detection and prevention system, you should use encryption for data at rest in case those defenses are ever circumvented; the GDPR names encryption explicitly as an appropriate security measure (Article 32). If a bad actor walks off with a disk, a backup tape, or a database dump, encryption turns the stolen copy into ciphertext they cannot read. That protection only holds if the keys are managed separately from the data and are not available to the account that was compromised, so pay as much attention to key storage and key access as to turning encryption on. It should be considered for all personal data.

Backups are not optional

Backups should not be optional anywhere in the data center, but when it comes to personal data the GDPR is explicit: such data must be protected against accidental loss, destruction or damage (Article 5), and you must be able to restore availability and access to it in a timely manner after a physical or technical incident (Article 32). The only practical way to meet that is a good backup and recovery system, including regular restore tests to prove that “timely” is actually achievable.

What about the right to be forgotten?

Readers may have noticed I did not mention the right to access (to see your own personal data) and the right to erasure, usually referred to as the right to be forgotten. These topics have been the subject of much debate amongst those of us in the secondary storage world, and are complicated issues I want to cover in their own blogs.

A good start

There is a lot more to the GDPR than the things mentioned in this article, but it’s a good start. The first one – making sure that only those who need access have access – is probably the most important one, and the best practice that you’re most likely in violation of. Take a look at that first, then take a look at the others. That is, after you’ve made sure you have a good backup.

To get a handle on what GDPR is and ways to leverage the cloud to simplify security and maintain compliance, download The GDPR Compliance Guide for Business.