Inside Track: A gold standard
10 November 2016
“If mission critical data needs to be recovered in one hour, make this clear and agree on a solution that will provide it”
Datapac Karen O’Connor, general manager service delivery
With GDPR set to come into force in just 18 months’ time, Irish organisations need to be fully aware of their responsibilities and take action now to become and remain fully compliant. One of the key requirements of GDPR is that businesses must have the ability to restore and produce data in a timely manner in the event of a physical or technical incident. The worrying news from an Irish perspective is that a significant number of organisations are currently ill-prepared for such an occurrence.
A recent TechBeat survey commissioned by Datapac found that 26% of Irish businesses admit they never carry out disaster recovery tests to ensure their data back-ups are recoverable. Another startling finding reveals that Irish businesses expect to wait an average of 40 hours to recover mission critical data that has been lost. This is currently not acceptable and will become even less so with the introduction of GDPR. The penalties for non-compliance will be very severe with fines of up to €20 million or 4% of global annual turnover.
We recommend that companies perform a full disaster recovery test at regular intervals, in line with their business and regulatory objectives.
Knowledge is also crucial when it comes to backup and recovery. Businesses need to agree strict Recovery Time Objectives (RTOs) with providers so it is clear when data will be recovered. If mission critical data needs to be recovered in one hour, make this clear and agree on a solution that will provide it. This way, if something goes wrong and recovery is needed, you can confirm to stakeholders, customers and partners, that the information will be available by a specific time.
Datapac enables many of Ireland’s leading organisations to store, backup and manage data through tailored solutions which allow them to meet their business continuity and regulatory commitments. Our team of highly accredited and experienced technical architects design solutions which are a best fit for each customer’s unique set of needs.
GDPR: the BCDR impact
“The definition of ‘personal data’ is broad and could change as consumers continue to expand their online presence”
Sungard Availability Services Keith O’Leary, principal consultant
Soon to be enacted across the European Union, the General Data Protection Regulation, better known as GDPR, has caused no end of concern among Ireland’s CIOs. Although it represents good news for consumers, from a business perspective, things aren’t quite so simple. While the regulation will be helpful in making it easier and more cost effective for cloud providers to offer pan-EU solutions, as well as making customers feel safer in entrusting valuable data to third-parties, GDPR is likely to have serious implications for Europe’s approach to disaster recovery (DR) and business continuity (BC).
For a start, there is a significant difference between the current DR directives and the rules set out by GDPR. Its introduction will necessitate a hefty cultural shift, not only in the management of technology but in the way people operate and the processes put in place.
The regulation will impact any business, whether based in the EU or not, that holds the personal data of EU citizens. Moreover, the definition of ‘personal data’ is broad and could change as consumers continue to expand their online presence. Ultimately, it means that not only must organisations intensify their data protection efforts, they must do so for a large volume of data. In turn, organisations will need to extend their BC/DR efforts to cover this greater remit.
And, as the pressure rises, so too do the stakes. GDPR is driven by two serious threats: reputational damage and monetary fines. Although you could argue that the former has always existed – with plenty of organisations having endured serious backlash from consumers following a data breach – the idea of financial penalties is new. Organisations who fail to properly protect customer data can be fined up to a maximum of €20m or four per cent of their total worldwide annual turnover, whichever is higher. A high price to pay for ennui or delay!
To manage these changes, it will be mandatory for businesses of over 250 employees to appoint a Data Protection Officer (DPO). From training staff on how to handle customer data through to keeping track of all data within the organisation, the DPO role will need to take a granular approach to the backup and archiving of critical data. Furthermore, to comply with GDPR rules such as ‘the right to be forgotten’, DPOs will be expected to know, with pinpoint accuracy, where any set of customer data is at any given time; an exceptionally difficult task when you consider that a lot of customer data doesn’t even make it onto the organisation’s central server.
As a DPO, it would be your job to root out this data, ensure it is adequately protected, suitably encrypted, and included in all BC/DR initiatives.
With less than 19 months before the rule is enforced, the clock is well and truly ticking. With today’s complex IT environments and cloud deployments, BC/DR processes are already challenging and the GDPR ruling means that complexity will only become more acute and the need to test all processes well in advance is a must. Organisations need to be certain that in the event of an issue, they will be able to remain compliant with the regulation – even when operating with diminished resources. Having everything in place is likely to require multiple invocation tests as well as serious investment – in time and planning not just funds. All in all, preparation is likely to take over a year – meaning there is little room for error when it comes to laying the groundwork for GDPR compliance.
Attaining GDPR will not be easy. It will not be quick. However, with the risk of such severe financial, operational – and likely reputational – penalties, it is an issue to which organisations must begin to direct their full attention. Today!
Quick recovery and restoration
“In order to prepare, organisations need to conduct a full risk assessment of the threats that their information systems face”
Ward Solutions Pat Larkin, CEO
When GDPR comes into effect in 2018 it will aim to offer the same data protection rights across the EU, regardless of where data is processed. The legislation will replace the old 1995 Data Protection Directive and will require companies to take a number of steps to ensure compliance, or face fines of up to €20 million or 4% of annual global turnover, depending on which is greater. As well as the widely publicised requirement for organisations whose core business involves the processing of personal data to appoint a Data Protection Officer, the new legislation will also require companies to demonstrate their ability to quickly and efficiently recover and restore personal data in the event of a disaster. This will require the implementation of a pragmatic and standards-based disaster recovery plan to mitigate risk and ensure the protection of customer data.
In order to prepare for this, organisations need to conduct a full risk assessment of the threats that their information systems face. They then need to review their existing disaster recovery plan and its implementation to ensure that it is working as intended. In this age of growing cybersecurity threats companies need to take ownership of the data under their care. In a recent survey carried out by TechPro on behalf of Ward Solutions, almost one-fifth of organisations admitted that they don’t know where their data is located. To prepare for GDPR, companies need to make absolutely certain that they are aware of where data is being stored and conduct regular audits to ensure that their backups are working.
Part of taking ownership also involves ensuring that internal data protection policies and procedures are maintained and enforced on an ongoing basis. Attaining an industry-recognised information security management accreditation such as ISO 27001 can be extremely helpful in ensuring that you implement the appropriate procedures and controls for the type of information that you are processing. Ward Solutions provides comprehensive ISO 27001 consultancy services to guide organisations through the complex accreditation process and help them to become compliant. In turn, this will help businesses to set themselves apart from their competition by exceeding the industry standard.