Is DRaaS/Disaster Recovery-as-a-Service GDPR complaint? | SYNEXTRA

Chris Piggott

Is DRaaS GDPR compliant?

GDPR is the biggest test facing C-level and IT management this year. Is DRaaS a viable solution to help address many of the challenges they face in the months to come?

Intro

GDPR (and data confidentiality in general) is the topic of 2018 and for good reason. Whilst many businesses have been ‘getting by’ doing the bare minimum, the European Union has now updated the legislation that businesses must adhere to when acquiring, storing and processing the data of EU citizens.

The EU’s General Data Protection Regulation 2016/679 (GDPR) has been introduced to set and maintain a common standard of information security across the entirety of the EU. However, GDPR also applies to businesses globally that handle data regarding EU citizens. The update brings the law more in line with the way businesses are using data today.

Summary

GDPR (Article 32) specifies the legal requirement for organisations to ensure all data and infrastructure is resilient and protected from both internal and external threats, such as technical failures, human errors, and malicious attacks, whilst also being able to regularly prove the effectiveness of the security measures they have put in place.

Zerto DRaaS combines continuous data protection (CDP), replication, long-term retention and analytics, to give enterprises a simple yet effective method of protecting the data they hold, and proving that effectiveness, without disrupting primary services.

This solution enables businesses to “demonstrate proof of compliance” (Articles 24, 28, 30, and 32) whilst offering “data protection by design and default” (Article 25) with a proven “state of the art” solution (articles 25 and 32).

Although businesses can’t just buy a solution to their GDPR challenges, DRaaS goes a long way to helping enterprises overcome compliance issues.

The myths of GDPR

Let’s address a couple of myths surrounding GDPR, before looking at solutions to these new regulations.

Firstly, the deadline isn’t the deadline per say. The EU and ICO won’t be knocking on the door of businesses after May 25th, handing out fines. However, any data breach after the deadline could result in audits and large fines if you don’t meet GDPR guidelines.

Secondly, there is no GDPR-ready solution. The new regulations are more far-reaching and complex than an off-the-shelf product can offer. You need to review business practices, security procedures and more. You then need to ensure the new regulations are upheld by every employee, supplier and partner you deal with.

However, there are solutions to replace unnecessarily complicated procedures and simplify some of the changes needed to comply with the new rules.

Solutions such as Disaster-Recovery-as-a-Service or DRaaS for short.

3 of the major GDPR requirements

Disaster Recovery, GDPR

GDPR is designed to protect the rights and freedoms of EU citizens (and citizens officially residing in the European Union). It governs how personal data is lawfully collected, shared and protected when stored, and how it is used moving forward.

When it comes to applying GDPR to business IT processes, there are three key areas that will concern most business owners and IT managers alike: Demonstrable proof of compliance, data protection by design & default, and the “state-of-the-art”.

Demonstrable Proof of Compliance (Articles 24, 28, 30, and 32)

Organisations must have the ability to test their security measures and how effective they are. They must also provide documented proof of compliance on a regular basis.

Data Protection by Design & by Default (Article 25)

Any organisation impacted by GDPR must take a proactive approach to data and infrastructure security. They must ensure that protective measures are built by design into the systems and services that process data – rather than being added in or ‘bolted on’ at a later date when necessary.

The “State-of-the-Art” (Articles 25 and 32)

Organisations must do due diligence when implementing any new measures to protect and secure any systems or services under their control, giving consideration to the “state of the art”.

‘These three key areas outline the core principles of GDPR and how businesses should approach compliance with IT. Firstly, data protection by design. Secondly, supplying proof that the solutions you have implemented work as intended. And finally, replacing outdated technology and methodologies—with an eye on state of the art—from the beginning of any current and future IT projects.’
Chris Piggott, Technical Director, Synextra

How Zerto DR complies with Article 32 – Security of processing

GDPR will take effect on 25th May 2018. Although the EU has not provided a clear overview of the 99 articles contained within, companies such as PrivazyPlan have created resources to help businesses understand and act upon the new legislation.

Article 32 reads as follows, as presented by PrivazyPlan:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia (among other things) as appropriate:

(a) the pseudonymisation and encryption of personal data;

Zerto’s technology-agnostic approach gives transparency to any storage platform, network or guest-based encryption method available. This allows an organisation to choose the right solution, whilst still giving consideration to the “state-of-the-art”.

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

Zerto-powered solutions use Continuous Data Protection (CDP) to keep the write-order fidelity of applications running across multiple Virtual Machines (VMs), ensuring near-zero data loss. With increasing threats and a continually changing industry, DRaaS maximises uptime for organisations by ensuring the availability and resilience of processing systems.

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

By designing a DR solution for live replication and automation, Zerto-powered solutions can recover even complex, multi-VM application stacks in minutes; as opposed to hours or even days with manual recovery processes, such as Cloud Backup. An organisation can rewind and recover data from before any physical or technical incidents because the data is replicated off-site. Even complex events such as ransomware attacks can be recovered from in 4 simple steps.

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

By isolating the failover testing environment within its own network, a Zerto-powered solution can provide fully-automated and non-disruptive tests, as well as detailed reporting, giving organisations clear and simple proof of compliance for auditing and inspections. Tests happen without impacting on protection or disrupting users.

DRaaS, GDPR compliancy

However, Zerto DRaaS helps businesses to meet the key GDPR criteria; ‘demonstrable proof of compliance’, ’data protection by design and default’ and ‘the “state of the art’. How? By offering live replication that is time efficient and does not disrupt business workflows.

This goes a long way to helping organisations update their business practices to bring them in line with the new data protection regulations.

Conclusion

GDPR updates the EU’s pre-existing data protection legislation, to bring it up to date with the way businesses now collect, process and store data of EU citizens.

There are now larger fines in place to enforce these regulations. A data breach under GDPR rules means fines levied against businesses in breach of regulations can go all the way to ~£17.5million or 4% of the businesses yearly revenue, whichever is greater.

Unfortunately, there is no ‘silver bullet’ or quick fix to solve an organisation’s GDPR problems. A single solution cannot be a blanket solution to meet every new regulation.
Chris Piggott, Technical Director, Synextra

As of May 25th, 2018, the new EU General Data Protection Regulation (GDPR) is in effect. Sign up below to get more actionable GDPR information straight into your inbox.

KEEP UP TO DATE

With rapid growth, we are also expanding our UK footprint. Sign up for our newsletter to find out when we are opening a datacentre location near you, along with helpful guides and important company announcements.