The European General Data Protection Regulation (GDPR) was developed to protect personal data by placing citizens at the centre of a series of measures. These measures cover personal data both in its management and in its processing. Article 32 of the regulation (security of processing) is the article that maps most directly onto backup, and it requires, where appropriate:
- the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and
- a process for regularly testing, assessing and evaluating the effectiveness of those measures
At first glance, then, nothing in these requirements is beyond what a modern backup solution such as OpenText Data Protector can provide.
So far, so simple. But the regulation also provides for the "right to be forgotten" (the right to erasure, Article 17), which gives citizens greater protection and control over their personal data. This right lets the data subject request that his or her personal data "disappear" or "leave no trace."
Honouring the right to be forgotten implies organising personal information so that every record can be traced back to the subject it belongs to. The problem is that this model clashes head-on with the reality of IT departments, the organisation of corporate data, and the technical requirements of running business applications, where one person's data is spread across numerous systems and applications.
In an ideal world, data processors would organise backups so that all data was associated with individuals and, on request, the individual's data could be deleted granularly. But a backup captures systems and applications, not individuals, so this is not technologically feasible today.
Let's imagine that a customer wants to exercise his right to be forgotten, but part of his personal information sits in certain rows of a database that has been backed up and whose meaning depends on logic held in an application such as SAP. Backup software cannot resolve this on its own: it would be necessary to restore the database, provide infrastructure to run the application, find and delete the information through SAP, and then back up the data again. For this reason, the regulator does not require the data to be physically deleted from backup media at the time of the request. It requires that, if a contingency (such as a natural disaster or a security breach) forces a recovery from backup, personal data can be recovered, and that the controller then takes the necessary steps to delete the erased subject's information from the restored data again.
When an individual requests that the right to be forgotten be enforced, the controller must inform the individual that his or her data will be retained longer in the backup systems, either because deleting it there is technically impossible or because retention is legally required. For example, in several EU member states an invoice must be retained for up to 10 years.
The backup software must guarantee two things:
- that the information is stored using strong encryption methods
- that the backup or restore operations performed on the data are audited by means of secure logs
Both are accomplished natively with OpenText Data Protector.
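What makes a backup or restore audit trail "secure" is that nobody, including a privileged operator, can alter or remove an entry unnoticed. The following is an added illustration of that property, not Data Protector's own logging code: each entry carries an HMAC over its content and the MAC of the previous entry, so editing, reordering or deleting an entry breaks the chain. The key, actor names, session IDs and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment keeps this in an HSM/KMS or a
# separate logging host, never next to the log it protects.
DEMO_KEY = b"demo-audit-key-not-for-production"

GENESIS = "0" * 64  # "previous MAC" of the very first entry


def _canonical(entry):
    """Stable byte form of an entry (without its own MAC) for MAC computation."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(log, key, actor, operation, session_id, when):
    """Append one audit record whose MAC covers its fields and the previous MAC."""
    entry = {
        "ts": when,
        "actor": actor,
        "operation": operation,
        "session": session_id,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log, key):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return False, i  # reordered, or an earlier entry was removed
        expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i  # content of this entry was altered
        prev = entry["mac"]
    return True, None


def demo():
    """Intact chain, an edited entry, and a deleted entry (constructed events)."""
    log = []
    append_event(log, DEMO_KEY, "backup-svc", "BACKUP", "sess-001", "2024-01-01T01:00:00Z")
    append_event(log, DEMO_KEY, "operator1", "RESTORE", "sess-007", "2024-01-02T09:15:00Z")
    append_event(log, DEMO_KEY, "operator1", "ERASE_RESTORED_PII", "sess-007", "2024-01-02T10:00:00Z")
    intact = verify_chain(log, DEMO_KEY)

    altered_log = [dict(e) for e in log]
    altered_log[1]["actor"] = "operator2"      # blame someone else for the restore
    altered = verify_chain(altered_log, DEMO_KEY)

    truncated = verify_chain(log[:1] + log[2:], DEMO_KEY)  # drop the RESTORE entry
    return intact, altered, truncated


if __name__ == "__main__":
    print(demo())
```

One caveat the chain alone does not cover: silently dropping the newest entries is only detectable if the latest MAC is regularly anchored somewhere the operator cannot reach (a separate log collector, a signed daily digest). That is why audit logs should be shipped off the backup server rather than only stored on it.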
Technical and Organisational Measures
Article 32 of the GDPR, whose list of measures maps most directly onto backup, states that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the following capabilities where appropriate.
Pseudonymisation and Encryption of personal data
Our solution includes the tools needed to encrypt backup media such as tapes and the data written to them. From Data Protector 10 onwards, the security model also encrypts communication between clients and the Cell Manager of a Data Protector cell: the channel uses TLS 1.2 with digital certificates installed on both client and server, so both ends are authenticated and the traffic is protected with AES-256 cipher suites. Because the Cell Manager accepts commands only from hosts presenting a trusted certificate, an unauthenticated or rogue client cannot execute commands on the server. This protection is only as strong as the custody of the certificates' private keys, so they should be guarded like any other credential.
From Data Protector version 2020.05 onwards, Data Protector has been evaluated under the Common Criteria for Information Technology Security Evaluation (Common Criteria, or CC), the international standard (ISO/IEC 15408) for software security certification, at version 3.1 revision 5 at the time of writing. Data Protector is listed in the NIAP Product Compliant List.
Ensure the Continued Confidentiality, Integrity, Availability and Resilience
The recovery, integrity, and management of stored data is ensured by default with OpenText Data Protector.
The ability to restore availability and access to personal data quickly in the event of a physical or technical incident
For this purpose, apart from the normal restore procedure, Data Protector offers additional techniques and components for restoring data: ZDB (Zero Downtime Backup), ZDB with Instant Recovery (ZDB+IR), Automatic Replication and Importing, Disaster Recovery, granular restore, and Restore in Cache Mode for VMware environments.
A process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the security of the processing
This point is answered not by tools but by procedures. You must run scheduled restoration tests that anticipate a real incident: go beyond knowing that a backup session completed successfully (information OpenText Data Protector provides directly) and establish what is actually needed to restore the data completely and correctly within your RPO and RTO requirements.
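A restore test is only meaningful if it checks the restored data, not just the job status. The script below is an added example of such a check and is not part of Data Protector: it records a SHA-256 manifest of the source data, times a restore into a scratch directory, and reports missing, unexpected and corrupted files together with whether the restore met the RTO. The sample files, the simulated backup copy and the deliberately broken restore are constructed for the demo; in practice `restore_fn` would invoke the backup tool's restore.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root):
    """Map each file's POSIX relative path to the SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(expected, restored_root):
    """Compare a restored tree against the manifest taken before backup."""
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not (missing or unexpected or corrupted),
        "missing": missing,
        "unexpected": unexpected,
        "corrupted": corrupted,
    }


def restore_test(source, restore_fn, rto_seconds):
    """Time restore_fn(target_dir) and verify its output; returns a result dict."""
    expected = build_manifest(source)
    target = tempfile.mkdtemp(prefix="restore-test-")
    try:
        start = time.monotonic()
        restore_fn(target)
        elapsed = time.monotonic() - start
        result = verify_restore(expected, target)
    finally:
        shutil.rmtree(target, ignore_errors=True)
    result["elapsed_s"] = round(elapsed, 3)
    result["within_rto"] = elapsed <= rto_seconds
    return result


def demo():
    """Constructed dataset: one clean restore and one incomplete, corrupted restore."""
    work = Path(tempfile.mkdtemp(prefix="dp-demo-"))
    source, backup = work / "source", work / "backup"
    (source / "crm").mkdir(parents=True)
    (source / "crm" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
    (source / "crm" / "invoices.csv").write_text("inv,id,amount\n1001,1,42.00\n")
    shutil.copytree(source, backup)  # stands in for the backup job

    def good_restore(target):
        shutil.copytree(backup, target, dirs_exist_ok=True)

    def bad_restore(target):
        shutil.copytree(backup, target, dirs_exist_ok=True)
        (Path(target) / "crm" / "customers.csv").write_text("id,name\n1,Alice\n")  # truncated
        (Path(target) / "crm" / "invoices.csv").unlink()                            # never restored

    try:
        good = restore_test(source, good_restore, rto_seconds=60)
        bad = restore_test(source, bad_restore, rto_seconds=60)
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore:", good)
    print("broken restore:", bad)
```

The manifest must be captured at backup time and stored apart from the backup itself; comparing a restore against a manifest generated from the same (possibly already damaged) backup proves nothing. Running this on a schedule, with the result filed, is what turns "the backup job succeeded" into evidence for the regular-testing requirement.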
The OpenText Solution for GDPR Compliance
If your compliance is incomplete because your backup and archiving software lacks the necessary capabilities, why run the risk of incurring an expensive sanction? Our GDPR Solution consists of a portfolio of personal information management products that are tailored to your needs.
Regulatory compliance requires the classification, organisation, and management of personal data in both structured and unstructured formats. The portfolio consists of:
- ControlPoint: for the identification and classification of unstructured personal data
- File Analysis Suite: to quickly find, protect, and secure sensitive and high-value data with a SaaS solution
- Structured Data Manager: for the identification and classification of structured personal data
- Content Manager: for the management of all personal data, including management of retention policies, security and access to data, auditing, and data search
OpenText licences are combined with a GDPR expert-service offering that implements these products in several phases. Typically, the implementation starts with one department while, in parallel, workshops are held to roll the solution out to the rest of the company. It is also common to start with the data of highest priority or risk.
No matter your data management needs, OpenText has a practice dedicated to helping ensure our customers stay within GDPR compliance.
Please visit OpenText Information Management & Governance Community for more info.