Backup Exec 20.3 - A small step towards GDPR compliance
Organizations typically have to deal with a number of data regulations as part of internal policies or externally enforced compliance requirements. These data protection rules define how businesses and public sector organizations should handle the information of their customers. With the European Union’s General Data Protection Regulation (GDPR) officially taking effect on May 25 2018, it has become all the more important for companies falling under the purview of GDPR to comply with such privacy regulations.
As the GDPR privacy rules become clear, it is evident that they will affect backup, archive, and disaster recovery. One of the most impactful obligations will be fulfilling the “Right To Be Forgotten”, which means purging data, including backups and all copies.
Erasure requests of personal data on live production systems can typically be executed within a short period of time. However, erasure requests for personal data stored in backup archives cannot be executed immediately because data within the archive is typically monolithic in nature and specific data sometimes cannot easily be isolated and deleted without disturbing the integrity of the backup. Apart from this, archive data may also be bound by other retention policies or legal and compliance requirements that prevent deletion.
So for as long as the data remains in backup archives, it is imperative that backup products used by Data Controllers, such as Veritas™ Backup Exec™, honour the following data protection principles for the data stored in those archives:
- Backup archives containing personal data should be protected with strong encryption so that even if they fall into the wrong hands, the data cannot be used.
- Backup Archives should have associated retention rules in place so that personal data in backup archives is retained for as short a time as necessary and should be automatically deleted when applicable.
- The personal data should not be restored to production systems except in certain rare instances, such as a security breach or a legal requirement.
- Records of all data erasure/blocking requests regarding personal data should be retained; as well as audit logs that record all activities on backup archives containing personal data.
Backup Exec honours principle #1 by protecting data at rest with AES-256 encryption.
Backup Exec honours principle #2 using Data Lifecycle Management (DLM), which automatically deletes Backup Set information once the data retention obligations are fulfilled and makes the storage media available for future backups.
Backup Exec 20.3 adds support for honouring principles #3 and #4 by preventing blocked data from being restored to production systems while maintaining audit logs of the data subject blocking requests. Providing this feature for handling blocking requests against data stored in backup archives is a small step towards helping organizations meet their data privacy and security requirements effectively.
GDPR Guard
Backup Exec 20.3 introduces the GDPR Guard feature, which offers the ability to collect, protect, manage, and report on erase or block requests for data that has already been backed up, in line with data protection and privacy laws such as GDPR.
The following four key aspects are enforced by Backup Exec 20.3 and can help improve an organization's alignment with compliance requirements.
Data Collection
Backup Exec has enhanced the BEMCLI interface so that customers can submit their requests to block items. A standard CSV file format allows Backup Exec to accept blocking requests generated from various sources. Blocking requests are normalized before the information is imported into Backup Exec.
Protection
Backup Exec also ensures that information pertaining to the blocking requests is well protected. The internal files maintaining the list of blocked items are encrypted using AES-256 and are access controlled. Checks are in place to ensure that the internal files have not been tampered with and that their integrity cannot be compromised.
Management
Backup Exec ensures that blocking requests are honoured across all workflows of the product. Blocked items cannot be viewed, searched for, or selected for restore operations. A provision exists for a specific account to override the guard and allow the restore in special circumstances.
Reporting
Backup Exec records all actions pertaining to Data Regulation Requests and can generate a report that is useful for compliance.
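To make the four aspects above concrete, here is an added model of the workflow (not Backup Exec's code, and the CSV columns, HMAC-based integrity tag and audit record shape are assumptions): blocking requests are normalized from a constructed CSV, the resulting list is sealed with an integrity tag that is verified before use, restore selections are filtered against it with an explicit override, and each blocked or overridden selection is written to an audit trail. HMAC-SHA256 stands in for the product's encrypted, integrity-checked internal file; it gives tamper detection but no confidentiality.

```python
import csv, hashlib, hmac, io, json
from datetime import datetime, timezone

# Constructed sample: blocking requests as several sources might submit them.
# The column names are assumptions, not Backup Exec's CSV format.
SAMPLE_CSV = r"""request_id,subject,path
R-001,  Alice.Example@corp.test ,\\fs01\users\aexample\
R-002,bob@corp.test,\\fs01\users\bob
R-001,alice.example@corp.test,\\fs01\users\aexample
"""

def normalize_requests(text):
    """Trim, lowercase and de-duplicate so requests from different sources
    compare equally (the 'normalized before import' step)."""
    seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["subject"].strip().lower(),
               row["path"].strip().rstrip("\\").lower())
        seen.setdefault(key, row["request_id"].strip())
    return [{"request_id": r, "subject": s, "path": p} for (s, p), r in seen.items()]

def seal(blocklist, key):
    """Serialize the list with an HMAC-SHA256 tag: a stand-in for the product's
    encrypted, integrity-checked internal file (tamper detection only)."""
    body = json.dumps(blocklist, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def load(sealed, key):
    """Refuse to use a blocklist whose integrity tag does not verify."""
    body, tag = sealed.rsplit(b"\n", 1)
    expect = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("blocklist integrity check failed; refusing to load")
    return json.loads(body)

def filter_restore(selections, blocklist, audit, override=False):
    """Drop blocked paths from a restore selection unless the designated
    override account is in use; blocked and overridden hits go to the audit trail."""
    blocked = {b["path"] for b in blocklist}
    allowed = []
    for sel in selections:
        hit = sel.strip().rstrip("\\").lower() in blocked
        if hit:
            action = "restore-overridden" if override else "restore-blocked"
            audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                          "action": action, "path": sel})
        if not hit or override:
            allowed.append(sel)
    return allowed
```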
The GDPR Guard feature introduced in Backup Exec 20.3 lets you move a step closer to GDPR compliance when dealing with personal data that has already been backed up. It does so in a simple way, allowing you to focus on other related tasks.
And finally, it represents our continued commitment to quickly bring incremental improvements to new features that we release based on feedback from our customers.
If you are not a current Backup Exec customer, we invite you to learn more about the solution at the following link: www.backupexec.com
Copyright © 2018 Veritas Technologies LLC.
All rights reserved.
This blog post is for informational purposes only. None of this content should be treated as legal advice.