25th May 2018 is a landmark date on the path to a digital future: on that day the GDPR swept in and replaced the aging Data Protection Act (DPA).
If your organization has customers or partners based inside or outside the EU, or operates within the EU's borders, then hopefully you are well versed in the GDPR by now. If not, it is high time to meet a series of new requirements to validate existing compliance with the GDPR by reporting any data breach incidents and storing personal data within the physical precincts of the EU.
Prerequisites to Implement GDPR:
To achieve GDPR compliance in the field of data storage and data protection (backup), every service provider, institution and business that serves EU citizens should look for infrastructure and service solutions that implement apt measures to meet the following technical requirements.
- Capability to control data subject’s personal data storage location
As an organization you might be responsible for storing the personal data of many individuals, but with the GDPR in force, you must be able to honor an individual's wish as to where the data is stored: on-premises or in a specific EU-based data centre.
- Data Encryption
Secondly, you ought to provide strong encryption of any personal data located on your endpoints, as well as in transit over your local- and wide-area networks and in the cloud. Ensure that the encryption process is entirely automated, with the data subject as the sole holder of the decryption key.
- Find data on behalf of data subjects
Ensure that you are able to search backups at a granular level if demanded by the data subjects.
- Modify or delete data if needed
You must be equipped to copy, modify or delete personal data if requested by the data subjects.
- Data export in a common format
Safe and sound: ensure that you export the personal data into a common and easily usable format, for instance ZIP archives.
- Speedy Data Recovery
Last but not least, in the event of a security breach, system crash or operator error, you should be able to recover the personal data from the backup in no time.
A multitude of organizations come under the scrutiny and jurisdiction of the GDPR guidelines. Higher educational institutions are one such type of organization. They collect personal data on staff and students, including names, addresses, financial information, etc. Such institutions should therefore now focus on putting an up-to-date data protection system and strategies into place.
Secure backup and recovery procedures are two key components of the EU-wide GDPR. If any school or university fails to protect its data, or loses any data, it will find itself in trouble with GDPR enforcement.
GDPR Compliance Checklist for the Universities:
With respect to data:
- The institution must have a list of all types of information it holds, the source of the information, whom it shares this information with, what it does with it, how long it keeps these details, etc.
- A list of the places where it keeps this information and how it flows.
Has your university successfully completed its GDPR backup, and is it adhering to a secure storage compliance strategy? If not, then hurry up and take these key steps:
Start Mapping the Data
Universities need to map their information flows and data, in order to comply with the GDPR backup and data storage requirements.
Any application can be mapped to physical storage, be it a LUN file system or an object store, but only with a more detailed and accurate application-to-storage mapping.
The GDPR is designed to achieve data accountability; it therefore places the data protection responsibility directly on the organizations that collect and store information on EU residents.
Universities can comply with GDPR backup and data protection when they provide accountability as to why, where and how they store valuable data.
Assessment of Current Data Protection Measures
Whether the GDPR is in effect or not, it is important for any organization to place strict rules on data access. Detailed audit logs help to analyze possible data breaches closely and to take corrective and preventive actions. As per the GDPR guidelines, the data breach response process is a key element, and an organization should be ready to report on breaches within 72 hours of their occurrence. Any organization that does not comply with this regulation will be subject to hefty fines.
Assessment of Current Search Capabilities
One of the cornerstone goals of GDPR backup and data protection is an individual's "right to be forgotten." It is essential to respect this right, and mandatory to ensure that search, change, and delete-data-on-request capabilities are available and fully operational.
As an organization, it becomes imperative to provide EU-based customers and other users with a complete list of the personal data that is processed or stored, as well as the legal agenda for storing the data. An individual's backups should be deleted on demand or on request.
The Transition from Legacy Storage
If an organization generates and stores tape backups, then the GDPR provides a compelling reason to move to a cloud archive, since searching for specific data stored on tape is difficult, tedious and time-consuming.
Hire a Data Protection Officer
Things will get a lot easier if you have someone to take responsibility for compliance with the GDPR, and the best person for that is a data protection officer (DPO). With the pertinent knowledge and authority, a DPO can oversee a smooth transition.
Institutions need to be extremely careful, must have complete control over the relevant data at all times, and must be certain that they can securely access the data in the event of a cyber-incident or system failure. Unitrends backup and recovery solutions can help these universities to be GDPR compliant.
Go Ahead! Be Proud! Be GDPR Compliant!