{"id":7849,"date":"2019-02-12T06:02:29","date_gmt":"2019-02-11T20:02:29","guid":{"rendered":"https:\/\/nsrd.info\/blog\/?p=7849"},"modified":"2019-02-12T06:02:36","modified_gmt":"2019-02-11T20:02:36","slug":"gdpr-do-your-backups-spark-joy","status":"publish","type":"post","link":"https:\/\/nsrd.info\/blog\/2019\/02\/12\/gdpr-do-your-backups-spark-joy\/","title":{"rendered":"GDPR: Do your backups spark joy?"},"content":{"rendered":"\n

itnews Australia is reporting on a DLA Piper analysis of GDPR operations within Europe since it came into law in May 2018.<\/p>\n\n\n\n

GDPR \u2013\u00a0the General Data Protection Regulation \u2013\u00a0is a fairly broad ranging set of laws aimed at ensuring Europeans have a right to understand what data businesses are holding on them, and request their data be erased, too. It’s easily the most far-ranging attempt to hand the right to data privacy back to individuals. GDPR is no laughing matter: breaching it can lead to fines up to 10 million Euros, or 2% of a company’s annual worldwide turnover, whichever\u00a0is\u00a0larger<\/em>. Clearly those large fines are aimed at multinationals, and saw companies like Facebook, who profoundly lack substantive ethics when it comes to customer data privacy, frantically rearranging where and how data was stored for European citizens prior to the introduction of the law.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

According to itnews, there were over 59,000 breach reports<\/strong><\/a>, ranging from innocuous issues such as mistakenly sending email to the wrong people through to significant hacks impacting very large numbers. You can find the original DLA Piper report that itnews Australia has covered here<\/a><\/strong>.<\/p>\n\n\n\n

Despite the large number of breach reports, there had only been 91 GDPR fines issued at the time the analysis was written, with most fines being tens of thousands of Euros. The largest fine of 50 million Euros was handed to Google France, though the report notes this wasn’t a personal data breach fine, but rather, where personal data was processed without authorisation for advertising purposes.<\/p>\n\n\n\n

But what’s all this got to do with Data Protection as a storage function?<\/p>\n\n\n\n

Data protection systems \u2013\u00a0backup and recovery systems in particular \u2013\u00a0within a business environment may hold many years worth of data relating to individuals the company has dealt with. So if a customer exercises his or her right to be forgotten, the backup team may very well need to get involved<\/em>.<\/p>\n\n\n\n

It’s something that Dell EMC has been talking about for a while (e.g., this post<\/a> from June 2018, and this dedicated site<\/a>), and has seen tightly fitting options provided by companies such as Index Engines<\/strong><\/a>. As you might imagine, one of the first exercises you need to consider is getting long term retention data off tape<\/a>, which impedes the various analysis functions you need to be considering if you’re affected by GDPR. <\/p>\n\n\n\n

Analysis is more than just text indexing, of course. It’s also a proper review of what truly needs to be retained. Look at the average retention policies you see in organisations: 13 monthlies for any production backup and 7 yearlies, or 84 monthlies retained for all production backups. Sometimes that even extends into non-production backups. But do all those backups truly contain information that needs to be retained? You might say that GDPR has the potential of fuelling the Marie\u00a0Kondo<\/a><\/em> moment of backup and recovery: grab the backup tapes, hold them close and ask yourself: do they spark joy?<\/em>\u00a0The old approach of just performing LTR backups for systems regardless of whether they’re truly needed or not could possibly be approaching its use-by date.<\/p>\n\n\n\n

It’s not an easy journey, as evidenced by the fact the GDPR compliance teams themselves are swamped, but putting the journey off isn’t going to make it an easier one in the future. Eventually, the GDPR compliance teams will get up to speed, both in terms of resourcing and technical capabilities, and at that point, you don’t want to be pointing at a mountain of unmanaged tapes when someone comes to you and says, “John Smith has filed a request-to-be-forgotten<\/em>“.<\/p>\n\n\n\n

To me, GDPR enables several discussions to be held between the business and IT:<\/p>\n\n\n\n