We touched on compliance, the right to be forgotten and backups in our predictions for 2020. However, we thought it would be a good idea to treat the topic in a bit more detail, especially now that the California Consumer Privacy Act (CCPA) has gone into effect as of January 1.
CCPA applies only to companies with more than $25 million in annual revenues, but GDPR has no such exemption. For the most part, small companies have the same compliance responsibilities as large companies under GDPR, though there are a few minor differences. Companies with less than 250 employees don’t have to retain processing activity records in some circumstances, and, generally speaking, enforcement bodies understand that smaller companies with fewer resources may have difficulty achieving complete compliance. By and large, however, GDPR applies to everyone, no matter what your size.
And that’s important, because the EU hasn’t been shy about levying fines — big fines — for failures to comply. Google was famously slapped with a $57 million fine last year, and last month a German Internet provider was charged more than $10 million.
So, what do GDPR and CCPA mean for backups? Let’s take a look at GDPR first.
GDPR and its implications for backup and disaster recovery
The first thing to know about GDPR and backup is that it requires “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” What does “timely manner” mean? French authorities define it as one month, which sounds like a lot of time. But if you’re taken down by a massive ransomware attack, it may take more than just a month to recover all your data — make sure you have a strong disaster recovery plan in place, and that you regularly test it to ensure it works.
You also need “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” Backups are often overlooked when it comes to security, but they’re a treasure trove of sensitive data. Encrypt your backups and make sure access is protected — if a ransomware attack can get to your backups, you may be really and truly hosed.
The biggest uncertainty in GDPR is the “right to be forgotten,” which means that individuals can request that your organization delete all personal information you have on them. The big question, of course, is whether this requirement applies to backups. If so, it’s practically impossible for anyone to comply. The first challenge is identifying where in every backup an individual’s information might be found. Even if you find a way to accomplish that feat, there’s no way to remove that data without destroying the integrity of the backup file, which is almost certainly heavily compressed, deduped and (if you’re following good security practice) encrypted.
Fortunately, those who ascribe to the above interpretation are in the minority. Most experts believe you don’t need to purge data from your backups when you get a request for deletion from an individual. However, you probably do need to have procedures in place to ensure that, whenever you recover data, any information that should have been deleted under GDPR is immediately trashed. It’s not an easy process to implement, but it’s certainly better than the alternative.
CCPA: Like GDPR, but a bit less clear
As for CCPA, it’s not as clearly written as GDPR, and, since it’s new, many of the outstanding questions haven’t yet been tested in the real world. Generally speaking, though, if your backup process is compliant with GDPR, you’re probably compliant with CCPA.
Like GDPR, individuals can inquire about the data you hold on them, so you’ll need to make sure your systems are available so you comply within a reasonable amount of time — this means you need fast and reliable backup. And people can request that their data be deleted, which means you’ll need to ensure that you don’t accidentally restore this “forbidden” data.
There are differences, however. With GDPR, for example, organizations don’t need to delete the data for deceased individuals, whereas CCPA doesn’t address that particular situation. CCPA also lacks clarity on the distinction between a “business” and a “third party,” which is important because each category has different responsibilities.
This year, I’m hoping the courts will clarify the areas of uncertainty regarding backups, GDPR and CCPA. But if you only take away two lessons from this post, remember that both GDPR and CCPA require that your data is available so you can respond to requests in a timely manner, and that you need processes in place so you don’t restore data that individuals have requested be deleted.
Want to learn more about how ODS can help your organization with data protection and DR? Watch our on-demand webinar today.