6 April 2018 - GDPR & IT security

GDPR: Requirements for backups


The General Data Protection Regulation (GDPR) requires a quick restoration of personal data after a physical or technical incident so that availability and access are ensured. At the same time, the principle of storage limitation applies. Read here how backup concepts may accommodate all these factors.

Even under the GDPR, data backups must not have any gaps. Gaps in the process may cause significant deficiencies in the backup. (Image: / cnythzl)

According to the IT Security 2017 report (German) by the internet business association eco, data protection and emergency planning are considered key topics in IT security.

Backups play a key role in both aspects. Without regular and complete backups, the requirement of the GDPR that personal data must be available and quickly restored after a data loss cannot be implemented.

Data backups remain difficult for many companies

According to a survey by Kroll Ontrack in 2017, companies and users often lose data even though they made a backup:

  • A quarter of the respondents stated that backups did not work properly.
  • Of the users who experienced data loss and were able to use a backup, 67 percent said that they were able to restore almost all their data. Another 13 percent said that up to three quarters of their data could be restored.
  • Twelve percent responded that their backup was corrupted.
  • Slightly under three percent were only able to restore small amounts of data.

According to the study, one possible explanation for why controllers lose data despite having backups lies in the backup system itself: if not all end devices are integrated into the process, data may be lost.

Data backups and storage limitation

You may have seen the question “Do you perform backups regularly?” on multiple occasions in your seminars on data protection. Even so, backups must remain a central topic, or be brought back into the limelight. Backup processes may have considerable gaps.

In the event of a data loss, the availability of personal data may no longer be ensured, or restoration may be impossible.

For backups and availability, data protection officers could and should work together with IT security. Besides confidentiality and integrity, availability is one of the 3 classic protection goals in IT security.

However, unlike IT security, data protection in compliance with the General Data Protection Regulation also needs to follow the principle of storage limitation.

This principle requires controllers to keep personal data in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed.

After the purpose has been fulfilled and all other legal requirements have been observed, the personal data must be deleted from the backup in due time.

This is why you should include storage limitation in your data protection instructions.

Investigating procedures for data protection

There are two data protection problems that occur with backups:

  • On the one hand, the data that the controller is required to delete may still be in the backup.
  • On the other hand, backups often lack data that needs to be kept in order to satisfy the requirements of availability and restorability.

Incomplete or inaccurate specifications for the backup process may cause deficiencies in the backup:

  • Clarify which data from which sources must be included in the backup, without neglecting any mobile systems or cloud services that are being used.
  • It must also be defined which data and systems need to be backed up how often, using which method, and for what duration.
  • It must also be clear where the backups are kept and how they are protected.
  • The controller should create a specific policy for data backups.
  • The emergency manual also needs to cover rules for data backups.
  • Do not forget: The backup process itself must be secure. For example, the data transfer to the backup server should be encrypted.
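
The two problems named above (data that should have been deleted is still in the backup, and data that should be in the backup is missing) can be checked against a written backup specification. The following Python sketch is an added example, not part of the original article; the policy fields `max_age` and `retention`, the source names, and the catalog entries are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical backup specification: per source, how often it must be backed
# up (max_age) and how long a backup set may be kept (retention).
POLICY = {
    "fileserver": {"max_age": timedelta(days=1), "retention": timedelta(days=90)},
    "crm-cloud":  {"max_age": timedelta(days=1), "retention": timedelta(days=30)},
    "laptops":    {"max_age": timedelta(days=7), "retention": timedelta(days=30)},
}

# Constructed backup catalog: (source, completion time, job succeeded?)
CATALOG = [
    ("fileserver", datetime(2018, 4, 5, 23, 0), True),
    ("fileserver", datetime(2017, 12, 1, 23, 0), True),  # kept past retention
    ("crm-cloud",  datetime(2018, 4, 5, 22, 0), False),  # failed job
    ("crm-cloud",  datetime(2018, 4, 2, 22, 0), True),   # last good run is stale
    # "laptops" never appears: end devices not integrated in the process
]

NOW = datetime(2018, 4, 6, 12, 0)  # fixed audit time so the result is reproducible


def audit(policy, catalog, now):
    """Return (availability_gaps, overdue_deletions) for a backup catalog."""
    gaps, overdue = [], []
    # Availability: every source in the policy needs a recent successful backup.
    for source, rule in policy.items():
        good = [t for s, t, ok in catalog if s == source and ok]
        if not good:
            gaps.append((source, "no successful backup"))
        elif now - max(good) > rule["max_age"]:
            gaps.append((source, "latest successful backup too old"))
    # Storage limitation: no backup set may outlive its retention period,
    # whether or not the job that produced it succeeded.
    for source, t, _ok in catalog:
        rule = policy.get(source)
        if rule and now - t > rule["retention"]:
            overdue.append((source, t))
    return gaps, overdue


if __name__ == "__main__":
    gaps, overdue = audit(POLICY, CATALOG, NOW)
    for source, reason in gaps:
        print(f"AVAILABILITY GAP  {source}: {reason}")
    for source, t in overdue:
        print(f"DELETE OVERDUE    {source}: backup from {t:%Y-%m-%d}")
```

A report like this belongs in the backup log and the notification channel, so that both kinds of finding reach the data protection officer and IT security.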

Do not neglect the backup solution during inspections

Even the best data backup guideline isn’t very useful if the backup solution cannot provide the desired level of performance.

This is why the backup tool must be inspected thoroughly. It is particularly important that

  • the backup solution can be automated and run in the background,
  • a user management and user rights system is available,
  • a tool creates a log of the backups,
  • the data to be backed up can be selected easily from a clear overview,
  • changes of the files selected for backup require confirmation (protection against unintended backup changes),
  • the tool supports the hardware, operating systems, and applications of all systems to be backed up, including mobile systems and the cloud,
  • notifications about backup problems, e.g. via e-mail or SMS, are in place, and
  • the backup service can be restarted automatically in the event of a problem.

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.