Are your Data Backups Compliant?
A regular Backup of data is an absolute ‘must‘ when operating in regulated services but did you know that performing you own data backup or use of a ‘Third Party’ to store your backed-up data could place you in breach of the DPA if the necessary encryption protocols are not applied? Backups that are kept on-site or managed by a third party source are required to be encrypted to protect against unauthorised access in the event of theft or loss.
The ICO’s ‘Cloud Computing Guidance’ states;
Encryption allows a cloud customer to ensure that the personal data they are responsible for can only be accessed by authorised parties who have the correct ‘key’. The cloud customer should also consider if it is appropriate to use encryption on data ‘at rest’, ie when stored within the cloud service. This will depend on the nature of the personal data and the type of processing being undertaken in the cloud. This will be an important consideration when sensitive personal data is being processed.
An organisation performs weekly manual back-ups. These are stored on external drives. The drives are stored in a locked cabinet when not in use.
Moving to a cloud-based backup solution has a number of benefits including:
- automating the process;
- the ability to run nightly back-ups;
- storing back-ups off-site; and
- reduced risk of theft.
The organisation opts for a cloud-based backup solution which encrypts files before transmitting them over a secure connection to the cloud provider. The key is kept in the secure possession of the cloud customer.
The cloud provider is therefore unable to view or otherwise further process the data other than to maintain access to, and availability of, the data.
The organisation may test the back-up service regularly by attempting to restore files held in the cloud.
Contact us if you would like more advice on Data Protection Backup compliance or take our 60 second DPA compliance check to see if your business is at risk for non-compliance.