Data security is being pushed to the top of the agenda by the new General Data Protection Regulation (GDPR) that comes into force next May, and that means a focus on issues that many organisations have neglected.
Companies across the globe that process data about European Union (EU) individuals will need to take much more stringent security measures to keep that data safe from prying eyes, whether those are criminals or employees.
One area of the GDPR that has received rather less attention, though, is continued access to data. In fact, it seems that the regulation will create a disaster recovery obligation for organisations: if an attack or an unforeseen problem takes a company off-line, it will need to get back up and running as fast as possible, or face a fine as well as the wrath of its customers.
Getting to grips with the GDPR
The GDPR is an EU-wide piece of legislation which creates a revolutionary series of new rights for individuals and will force everyone to think differently about how individuals’ data is treated. Essentially, the principle is that everyone becomes the owner of their personal information. A Data Subject – any individual – has the right to much greater control over how their data is used by Data Controllers – people or companies who keep personal information such as sales records – and Data Processors, the people who use the data, such as call centres.
One of the responsibilities of both data controllers and data processors is to keep that data safe, and if there is a data breach, organisations can be fined up to 4% of their annual global turnover or €20 million.
“Security of processing” and the GDPR
For all the focus on individual rights and the possibilities of a breach, one area of the GDPR has been broadly overlooked – article 32, the security of processing.
This includes two provisions which, according to Giancarlo Butti, a security expert and author, mean that a disaster recovery plan is an essential part of every organisation’s set-up:
“the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services”
“the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”
Previous EU regulations gave firms up to seven days to restore data – restoring access to personal data in a “timely manner” is likely to be interpreted more strictly. As Butti says: “Surely we are far from the concept of ‘seven days’.”