GDPR One Year Later with Commentary from Druva

GDPR One Year Later with Commentary from DruvaThe one year anniversary of GDPR is steadily approaching. Before May 25th, 2018, businesses were scrambling to become compliant with the new regulations in order to avoid the steep fines they could potentially incur if they weren’t careful. Executives from Druva provided Solutions Review with their commentary on where we stand, as well as how to continue complying with GDPR one year after it was implemented. To provide more context, let’s look at what some of the regulations of GDPR were, before getting into the commentary from Druva executives.

Backup and Recovery are Critical Under GDPR

In article 32, the GDPR act mandates a) the ability to restore the availability and access to personal data in a timely manner and b) a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures. That being said, it’s evident that organizations needed to have the necessary backup and disaster recovery strategies in place and test those backup solutions regularly and thoroughly.

Third Party GDPR Compliance Regulations

Many organizations choose to outsource their backup solutions. While this is possible, it’s only a small step in achieving full GDPR compliance. Because this outsourced solution provider will be managing your data, they fall under the term, “data processor”, which in turn means they will be responsible to comply with GDPR as well.

Testing and Regular Backups

It’s absolutely critical that your backup provider tests the effectiveness of their solution on a regular basis. Before signing an agreement with a backup solution, you should consider making sure that the provider holds some Cyber Essentials Security accreditation. If backups are not already automated, it may be a good idea to increase the frequency to keep in line with your live data. Because GDPR requires that organizations have access to the most current data, frequent and regular backups are incredibly important.

Compliance Requires Awareness of the Entire Organization

If your company plans on being 100% compliant with GDPR, it can’t just be a concern for your IT and legal departments. Educating your staff should come as one of your first steps in achieving full GDPR compliance. The Information Commissioner recommends that organizations consider building a data compliance team to ensure that your organization remains compliant.

With all of that taken into account, it’s clear that a thorough backup and disaster recovery (BUDR) solution is crucial in the age of GDPR. It’s important to learn how BUDR providers have responded to this regulation, as it speaks to the amount of assistance they can provide. Below, executives from cloud data protection provider, Druva, shared their thoughts on the current state of GDPR how to best maintain compliance one year out.

“One of the most controversial aspects of the GDPR is an individual’s right to ask that their personal information be deleted if a company has no valid business reason to keep it. But it does not appear any companies have been fined as a result of an inability to comply with such a request. When it does happen though, the commission’s history of fines in other areas suggests the severity will depend on how the company attempted to comply with the request. Did it completely ignore the idea of the right to be forgotten, or is it simply unable to comply due to limitations of the technology being used? We still don’t know how the commission is going to handle such a situation, and only time will tell what it’s going to do in this scenario.

“In order to secure something, you have to be able to see it. This visibility comes from knowing where that asset lives, as well as all the authorized and unauthorized copies of that asset data. As more line-of-business applications move into the cloud — and more users access their cloud apps from their phones or tablets as well as endpoint PCs — the spread of data represents a bigger risk. For long-term compliance with GDPR, it is essential for a business to be able to successfully track such data as it spreads so that the data can be protected and adequate records of where customer data is stored can be compiled. Cloud-based services can help an organization build these records and automatically keep them up to date, whereas internal platforms cannot.”W. Curtis Preston, Chief Technologist, Druva

“GDPR has been an incredibly interesting case study in that everyone thought it would bring modern business to a halt. The EU DPA has focused on raising awareness this year versus handing down harsh fines and businesses are learning how to navigate this new world of increased regulation. Conversely, in light of continuing data breaches and questionable data privacy, other governments are using GDPR as a blueprint for their own set of laws. The California Consumer Privacy Act will go into effect in January 2020, Brazil’s LGPD goes live in August 2020, and the Indian Parliament will be taking up a personal data protection bill this June. It was a watershed event and I think will continue to shape how companies address their data protection and management for years to come.”Prem Ananthakrishnan, VP of Products, Druva

“One of the biggest challenges any global organization faces today is complying with international security and privacy regulations like the GDPR. There’s no doubt there are more such regulations to come, with California and India leading the way, and these all mean company obligations have the potential to become even further complicated. These new age data privacy laws have far-reaching implications and require improved security across the board; security and IT teams have to be confident they have fully captured risks to the organization and know where company data is being processed, how it is being used, and how it is being protected. And in turn, vendors like ourselves must ensure authorized users can easily access data, and have the flexibility and scalability to store data within specific regions for local compliance.” Tom Conklin, CISO, Druva

Just because GDPR has been in effect for a year, doesn’t mean your organization should let up on maintaining compliance. Your organization needs to be aware of the rules and regulations, and how strictly they are enforced, in order to be compliant, as GDPR fines are still in effect for organizations that don’t comply. Consider the commentary from Druva on the upcoming GDPR anniversary, and think about reevaluating your data protection policy in order to stay updated and remain compliant.

Tess Hanna
Follow Tess