In our last blog post we dissected the requirement for Backup as a Service and how it should now be looked at as Restore as a Service if you value your data. In that blog article, we mentioned the GDPR, or the General Data Protection Regulation - the EU wide regulation designed to let the law catch up with fast developing IT systems, data collection and sharing. It’s a topic that has had the compliance industry alight for some time now and I’m sure you have had a few calls from concerned sales reps desperate to save you from mammoth fines.
In this article, we want to look at the GDPR in a specific light – and one you might not have considered before – Backup, Recovery and how to forget people.
That sounds like an oxymoron, we keep data to remember people, their relationship to our business and spent a fortune on CRM systems and integrated business platforms to ensure that the guy who bought a new radiator valve gets the email to let him know there are more in stock, with a price reduction, and they are on our website for £5 (plus post and packing obviously).
While it’s true that the growth of that data you have adds flexibility and a finesse to the sales process, it also brings complex challenges across a business in terms of accuracy, security, care of the data held and its proper protection. Even though we already have laws covering data protection mistakes do happen, worse still, some people choose to ignore them and fail in the duty of care they should exercise. In the last couple of years some high-profile people (Yahoo! and Talk Talk for example) found failing to address the myriad security and protection issues can be expensive in terms of remediation, fines and probably the most costly, customer confidence. It seems the cost of noncompliance wasn’t high enough and that’s one thing about to change.
So, we have data and laws to protect it. What then is the GDPR and how does it affect you?
Well the last thing we want to do is to pretend we are experts in the GDPR and its application and if you have concerns we’d always recommend a qualified consultant, but that doesn’t mean we don’t have something useful to add to the debate. In fact, we are a quiet voice in the background regularly talking to people about how they might want to look very seriously at one aspect of their IT systems before the fines start getting applied from the 25th May 2018 when it becomes what is known as a binding statutory instrument.
There are far reaching changes in the GDPR, among them demands that data is kept only for as long as it is required and any data kept must be kept in accordance with the GDPR. Currently, all member countries have their own laws and regulations and the GDPR is intended to harmonise those into a single version. It isn’t going away, if you are resident in an EU member state, hold data on EU residents or want to do business in the EU then you must comply with it and Brexit doesn’t change anything, the UK is adopting GDPR before we leave. If you are a small company there are slightly less onerous requirements, but, we would recommend getting the view of a good compliance expert in to review this, don’t worry it isn’t a scary as you might think and, unless your IT Security came with the building and hasn’t been changed since, you will find compliance isn’t too onerous and in fact adds a good deal of confidence to your strategy. Never mind that we are leaving the EU, the UK has been a major player in getting this legislation in place and it has already been confirmed that we will continue to adopt it once we split from the EU. If we are to trade with the EU, we need to anyway.
Regular readers will know there is one area we are expert in and that is the Disaster Recovery/Business Continuity (DR/BC) safeguards a business should operate. For those who are late to this blog series (quick, come in, there are some seats over there on the left) ‘Disaster Recovery and Business Continuity’ are terms used to evaluate and put in place a strategy to ensure your business doesn’t fail if something bad happens such as fire, flood, theft, hurricanes, Godzilla turning up when he’s least expected or plain old human error, yes – people still make mistakes, even in the cloud, and can delete everything in a trice, in fact ‘people’ are responsible for the most invocations of a DR policy. I must admit I’m not a fan of the term ‘Disaster Recovery’ as it implies it is a precaution taken for just that event, a disaster. A disaster is a once in a lifetime event for most business’s (hopefully it’ll never happen) and as it looks to have a catastrophic business impact and be so rare, many people don’t do anything about it apart from taking backups. Catastrophic things bring connotations. There’s the ‘if it happens we’re dead in the water anyway’ so let’s just carry on and see what tomorrow brings camp, or the Ostrich approach as it is known. Then there’s the accountants view that it simply ties up too much capital and chances are it’ll never be used.
Just so we are all on the same page, FCS provides a managed service where we take a copy of your data, de duplicate, encrypt and compress it (all on your site) then send it to our secure data centres for safe keeping on our mirrored disk based storage platforms as often as every 15 minutes (or in real time if needed). Just in case. Mostly, it’s ransomware encrypting critical servers but we still see RAID arrays fail, power supplies still blow up and the cleaner will still unplug a UPS to make sure the vacuum will reach right to the end of the room. A quick word on encryption while we are at it, the GDPR doesn’t mandate encryption – despite what some encryption vendors will tell you – but it suggests encryption as an option and a good idea. We encrypt your data at the point of collection on your site, maintain that encryption in flight and store it encrypted ‘at rest’ in our data centres. We don’t have the keys, you do, so we can’t see the data unless you give us them and ask us to do something.
You still need to adopt a secure posture, that means firewalls (I’ll reiterate from a previous post, preferably a ‘next generation’ device or devices, AV, IPS, log monitoring, regular penetration testing and even social engineering training or a physical penetration testing should all be considered ‘the norm rather than the exception’. ISO27001 is a good starting point, even if you don’t formally adopt it you’ll get some good advice and a plan to better your security.
One of the major new parts of the GDPR is the ‘right to be forgotten’ and that you must respond quickly (most responses under the GDPR must be completed within 1 month, however, exceptions exist to add an additional two months) if someone asks that they be forgotten. Yes, on the off chance you don’t want to be contacted anymore by PPI firms or those thoughtfully concerned chaps worried that you might not be getting the right legal services following the crash that must have been so bad you’d forgotten you’d had it, you can demand that they remove all traces of you from their systems. And they can’t say no, withdrawing consent is a major new aspect to data protection introduced with the GDPR, and fines are set to rise massively if they don’t comply.
Additionally, most companies holding data that is more than 3 years old should regard it as stale. Couple this with estimates that companies only rely on around 15-20% of the data they hold and the rest is ROT (Redundant, Obsolete or Trivial – one of the few IT acronyms that fits) then you can see just how big a problem losing some of this data might be to your company.
Under the GDPR someone can ask what data you hold and they have a legal right to demand you tell them, or face a fine. Here’s where the GDPR gets nasty. For trivial breaches you are looking at €10M or 2% of your annual turnover. Ignore often enough or get hacked and have your data stolen – like Talk Talk did – and you are looking at €20M or 4% of revenues.
But the right to be forgotten and breach notification are good, positive, things and surely not really an issue for me to worry about?
Well, yes, it is a good thing but It might be a problem. Here’s why it should concern you…
You will already have a backup and it will be tested and you are convinced it will work when the lights go out. It probably will.
If you are, for example, a construction company, you might contractually need to archive data relating to a hospital build or a new housing development for 25 years or more, including all the correspondence and supporting emails, reports, quotes, enquiries etc. that went with it, so you don’t have a choice, and under the GDPR that’s fine.
But, data relating to individuals who bought the model 3 whateveritis that you want to market the new version 4 to is a different matter. Individuals need to opt in to this kind of marketing now, none of it can be assumed. They can, and I suspect will, demand that you erase them under the ‘right to be forgotten’ clause. And, just like the PPI and ambulance chasing solicitors you must comply.
Let’s say you follow the 3-2-1 rule that we recommend and the offsite copy is tape (as 49% of UK business still uses), let’s also say that a customer demands to be forgotten and you need to remove them from the database, CRM, accounts system. Easy eh? Apart from the old archived copies on tape. Which still count as ‘stored data’.
It’s not possible to delete a record from a database on a tape. Or even a single file as tape stores data in a blocks written sequentially, unlike disk it can’t be randomly accessed.
In fact, the entire tape has to be erased. But you still need the other data stored on there so formatting it or physically destroying it is no good.
Well you could restore the tape to a test system, pull the database into a copy of the live application, delete the records, then save the data back out to tape. That’ll do it. But how many tapes do you have? What is the application? How long does it take to restore an individual tape? Can you run it like this?
Oh, and as you trigger the backup there’s another right to be forgotten request. Every time the BBC puts a story on Newsnight reminding people they can be forgotten you can expect emails or calls.
But of course, you follow best practice and have multiple copies of the data across lots of tapes - just in case; we’ve all heard how tape can be a little finicky come restore time. So how long will it take you to guarantee to the business that the information they wanted to be erased has been erased?
And, how much would that cost?
If you add up the days taken to find the data and perform the task, double that because you then need to perform the tasks you would have done had you not been looking for file names on a tape catalog. Then there’s the time to restore, mess around finding the file or record, deleting it, then backing it up again, then validating that worked because this is your absolute last chance saloon copy. Then multiply that by the number of tapes you have.
That sounds painful, very time consuming and possibly might drive your IT guys to the point of madness. Think about that for every potential request for removal under the GDPR and you start to see the magnitude of the problem.
I suspect most people will simply take a tape archive of the current system state a few times and then format the rest of the tapes. On each data deletion event (and as you have a month to respond you can delete multiple records in one go) you will then make further multiple copies and format the other tapes. Ad Infinitum.
But it is still a lengthy process and we know tape can suffer serious fails unless rigorous attention to use and storage are adhered to.
So, you see that a call to FCS asking us to do a file deletion after the next backup (making sure you have a copy of the data minus the ‘to be forgotten’ elements and you see the path to sanity even has a bench to rest on. And a guy selling ice creams.
I guess the real takeaway from this is that our cloud based backup solution can be seen as a direct replacement for tape with all the bells and whistles you could want. Additionally, it also contributes to a strategy that will help protect you from ransomware, human error, server theft or failure and it is always off site. It gives you easy ‘tape without tape’. It gives you quite a few ticks to put in the auditor’s boxes and isn’t as pricey as you’d think.
Now you have some spare time to read the the GDPR document in full…