Datenschutz PRAXIS - https://www.datenschutz-praxis.de

GDPR: Requirements for backups

The General Data Protection Regulation (GDPR) requires a quick restoration of personal data after a physical or technical incident so that availability and access are ensured. At the same time, the principle of storage limitation applies. Read here how backup concepts may accommodate all these factors.

According to the IT Security 2017 [1] report (German) by the internet business association eco, data protection and emergency planning [2] are considered key topics in IT security.

Backups play a key role in both aspects. Without regular and complete backups, the GDPR requirement that personal data [3] must remain available and be quickly restored after a data loss cannot be met.

Data backups remain difficult for many companies

According to a survey by Kroll Ontrack in 2017, companies and users often lose data even though they made a backup:

A possible explanation for why controllers experience data losses despite backups may lie in the backup system itself: if not all end devices are integrated into the backup process, data may be lost, according to the study.

Data backups and storage limitation

Even though you may have seen the question “Do you perform backups regularly?” on multiple occasions in your data protection seminars, backups must remain a central topic, or be brought back into the limelight, because backup processes may have considerable gaps.

In the event of a data loss, the availability of personal data may no longer be ensured, or restoration may be impossible.

For backups and availability, data protection officers can and should work together with IT security. Besides confidentiality and integrity, availability is one of the three classic protection goals in IT security.

However, unlike IT security, data protection in compliance with the General Data Protection Regulation must also follow the principle of storage limitation [4].

This principle requires controllers to keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

After the purpose has been fulfilled and all other legal requirements have been observed, the personal data must be deleted from the backup in due time.

This is why you should include storage limitation in your data protection instructions.

Examining procedures for data protection

There are two data protection problems that occur with backups:

Incomplete or inaccurate specifications for the backup process may cause deficiencies in the backup:

Do not neglect the backup solution during inspections

Even the best data backup guideline isn’t very useful if the backup solution cannot provide the desired level of performance.

This is why the backup tool must be inspected thoroughly. It is important in particular that

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.