There are a number of obligations and principles in data protection law that, on the surface, appear to be very easy to comply with. However, when it comes to Disaster Recovery (DR) plans, you may inadvertently be in a risky position in terms of compliance with data protection regulation.

Removal of Data

On termination of a contract or, in some cases, when requested to do so, you need to remove the data belonging to a particular customer or client. The principles of the various data protection regulations require that when a contract is terminated, all data (other than data you must keep in order to comply with other laws) is removed from your systems and from your control. On the surface this is easy: remove access to services and delete the live data. The challenge comes with “cold” data, the copies held in your backups and DR systems.

Backup Structures

Many of my clients are Software as a Service (SaaS) companies, where this problem is most prevalent; however, this applies comfortably to any company that backs up client and employee data. Part of removing data is that, technically, the data within your backups needs to be removed too. If your backups are structured in such a way that each client's data is backed up individually, then this is an easy requirement to meet.

In most cases, though, your backups will be structured so that everything is backed up together in batches, and on top of that, they will be taken in a differential manner. This means that your backup sets depend on each other, because only the differences are backed up each day. It becomes a very difficult exercise to clear one client's data out of a backup set without compromising the remaining data that you still need to keep.

Reasonably Practicable Measures

Most of the laws do not instruct you specifically on how to do things; rather, they require you to take an approach that is reasonably practicable. You need to be able to show that you have considered your compliance, and you need to justify how you intend to comply. If you can restructure your backups by individual client, that is first prize for ease of removal, but it isn’t always that easy.

Where you cannot structure your backups by individual client, you may wish to introduce a process whereby backups are reviewed at set intervals in order to comply with removal requests. Something to consider is structuring your backup sets so that a full backup is completed regularly: a self-contained snapshot that the subsequent differential backups are based on. These full backups are not reliant on past backup sets – think of each one as a “clean slate” that does not depend on prior backups.

If these full sets are taken more frequently, you will have more windows in which to remove the earlier backup sets containing data related to terminated contracts. In these cases, you will then need to specify in your contracts or in your privacy policy exactly how you intend to manage the process of data removal, and what your retention periods are while that removal is taking place.
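As an added illustration (not part of the original article), the model below takes a daily full-plus-differential schedule and works out which backup sets still hold a terminated client's data after the live deletion, when the first "clean slate" restore point exists, and how long the data lingers under a fixed per-set retention. The dates, full-backup cadence and retention period are constructed sample values.

```python
"""Added illustration (not from the original article): model a daily
full-plus-differential backup schedule and work out which sets still
hold a terminated client's data. All dates and periods are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class BackupSet:
    taken: date
    kind: str             # "full" or "diff"
    base: Optional[date]  # date of the full a differential restores on top of

def build_schedule(start: date, days: int, full_every: int) -> List[BackupSet]:
    """One backup per day: a full every `full_every` days, differentials between."""
    sets, base = [], None
    for i in range(days):
        day = start + timedelta(days=i)
        if i % full_every == 0:
            base = day
            sets.append(BackupSet(day, "full", None))
        else:
            sets.append(BackupSet(day, "diff", base))
    return sets

def sets_holding_client_data(sets: List[BackupSet], deleted_live: date) -> List[BackupSet]:
    """A full taken on or before the live deletion still contains the client's
    records, and a differential is only as clean as the full it depends on."""
    return [s for s in sets if (s.taken if s.kind == "full" else s.base) <= deleted_live]

def first_clean_restore_point(sets: List[BackupSet], deleted_live: date) -> Optional[date]:
    """Earliest full taken after the deletion: the first self-contained clean set."""
    clean = [s.taken for s in sets if s.kind == "full" and s.taken > deleted_live]
    return min(clean) if clean else None

def residual_retention_days(sets: List[BackupSet], deleted_live: date, retain_days: int) -> int:
    """Days after the live deletion until the last set holding the data ages out
    under a fixed per-set retention, i.e. the period to disclose in the privacy
    policy if the affected sets are not purged early."""
    dirty = sets_holding_client_data(sets, deleted_live)
    if not dirty:
        return 0
    last = max(s.taken for s in dirty)
    return (last + timedelta(days=retain_days) - deleted_live).days

if __name__ == "__main__":
    sched = build_schedule(date(2024, 1, 1), 28, full_every=7)
    print(first_clean_restore_point(sched, date(2024, 1, 10)),
          residual_retention_days(sched, date(2024, 1, 10), 30))
```

With weekly fulls and a deletion on the Wednesday after a full, 14 of the 28 sets still hold the data, the first clean restore point is the following Monday, and under a 30-day per-set retention the data lingers for 34 days unless the affected sets are purged once the clean full exists.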

Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?
