Forum Discussion

arjanvp's avatar
arjanvp
Level 3
9 years ago

Does GDPR Make Me Go Tapeless?

So, let me guess … your manager just asked you whether you can delete someone’s personal data from your backup copies if he or she were to ask you following a ‘right to be forgotten’ request, right?

Oh yes, and you are one of the 49% of organizations that are still using backup tapes as part of the backup and recovery strategy. Nothing wrong with that, but you'll quickly realize that in order to delete someone’s personal data, you first must find his or her data and that can prove an almost impossible task, especially when you are using backup tapes to store your backup copies.

You may very well have hundreds if not thousands of backup tapes, some you keep onsite in a fireproof safe, but most are safely kept offsite in your disaster recovery location. The target file (or files) that you have been asked to delete can be on any of these backup tapes.

  1. So … how do you find the backup tape that stores your target file? Now … your files aren’t actually individually copied to your backup tapes. Your backup tapes store backup images and each image may contain multiple files. This means that you first must identify the backup image that contains your target file before you can determine which backup tape you must retrieve.
  2. Next … how do you delete your target file from the backup tape? Unfortunately, you cannot selectively destroy a backup image on a backup tape. You have to destroy everything else on that backup tape too. This doesn’t sound a viable approach – at least not to me. You may end up having first to duplicate out all the other backup images from the backup tape except for the backup image that contains the target file, and then perform (long) erasure of the backup tape. And – adding some more time consuming joy - if the backup image also contains other files that must be kept, then you first need to restore that backup image, delete the file, and then backup the rest again.
  3. Finally … depending on your data retention policies you are likely to have to repeat these steps for several more backup tapes.

I can feel your pain … 

The good news is that you have just under two-years left to go 'tapeless'.

By the 25th May 2018 your company must be compliant with the General Data Protection Regulation (GDPR) – of course subject to your company trading in or with the European Union. Article 17 of this new regulation addresses the ‘right to erasure’ (or ‘right to be forgotten’), which I believe will impact almost every company in the world.

Going 'tapeless' is easier than you may think …

Veritas successfully helps thousands of companies with their transition from a tape-based approach to a disk-based one, as their tape-systems are no longer fit for purpose. For example: companies that are unable to backup the increasing volume of their data within the backup windows. These companies are reporting an increasing number of backup errors or spending an increasing amount of time and money on just keeping the tape system running. To solve this problem, they must redesign their backup to make the backup process reliable, scalable, fast, resilient and cost-effective again. 

These companies choose the Veritas NetBackup Appliances to replace their tape-based systems. I see them often deploy the NetBackup Appliances in phases; starting with small or new sites, helping them gain experience before implementing the Veritas NetBackup Appliances company wide, which at that point is an easy, straightforward task. The benefits they feedback to me are remarkable and include:

  • Reduced tape costs for management, transportation and storage
  • Boost in backup performance ensures that backups complete within the backup windows and improves backup success rates
  • Reduced storage costs through 90%-95% (or even higher) data deduplication ratios and cost-per-terabyte licensing
  • Significant reduction in backup administration time frees staff for higher value tasks
  • Reduced support calls; platform reliability and stability makes 24×7 support easy to deliver

… but the most compelling benefit is that their data is now readily available. With a Veritas NetBackup Appliance, you assume control over your data. It delivers direct access to your backup copies – there are no tapes to retrieve and change which is a massive time saver – making that ‘right to be forgotten’ request so much easier to deal with.

Get ready for GDPR and boost your backup and recovery performance to a whole new level with the new Veritas NetBackup 5240 Appliance. Start today.

 Note: This post was first published on my Linkedin on 21 July 2016.

  • I have discussed this with some GDPR compliancy lawyers, and I believe it is yet to be decided whether the GDPR will actually require you to delete historic images, or if you just need to ensure that data is "offline" to the public and/or internal users.

    I don´t think anyone is yet sure how the GDPR will be interpreted in real life, and what the real-life requirements will be. With tapes it´s even more of a question, will the GDPR actually require you to physically overwrite the images on the tapes after expiring the image, or is it enough to just expire metadata from the catalog, i.e. no need to touch the tape, and actually less work for NetBackup compared to a disk-solution.

    As also stated, deleting the entire image would for most people not be the right solution, as it contains tons of other files that does not require deletion, so if this the way forward, we would need to restore the image, delete data and re-backup the data :-)

    Let´s all cross our fingers that over the next 2 years we will get a clear indication of how to interpret these rules, and that someone with just a little bit of technical indsight can make it clear to the suits, that we need a realistic interpretation.

  • Hi

    What are you saying here? Having 5240 doesn't give you the ability to remove certain files from the catalog/backup storage does it? Is there some change in the NetBackup code allowing you to selectively delete certain files from the catalog > disk.

    • arjanvp's avatar
      arjanvp
      Level 3

      Hi Riaan,

      Thanks for calling this out. Nothing has changed to the file deletion process.

      GDPR and in particular article 17 “right to be forgotten” will affect most companies. Once GDPR comes into effect, companies must “without delay” respond to a “right to be forgotten” request; deleting all personal data of that individual, and this includes his or her personal data that is held on backups.

      What I am saying is that the deletion process can be performed much faster and much more efficient on our appliances than on a tape-based system. If you use our appliances, then you have direct access to the backup images/ copies. You don’t have to retrieve and change backup tapes. The appliances also deliver a significant boost of the backup and recovery performance over a tape-based system.

      I promoted the recently released NetBackup 5240 Appliance in my CTA, because it is our next-generation appliance in the 5200 series with improved performance, higher capacity and price-optimized storage.

      Let me know if this answers your question?

      Thanks,

      Arjan

      arjanvp

      • RiaanBadenhorst's avatar
        RiaanBadenhorst
        Level 6

        Hi Arjan,

        Yes, tape might be easier than disk, but this operation will in no way be easy. Maybe now with infomap there would be some kind of indexing after the search feature was removed.

        I'm keen to see how this will be implemented.

  • Guys, I totally disagree! 

    Tapes is faster than Disk and cheaper as well. Othercase we can go for it but simply not true! Faster Backup slightly depens on Taper vs. Disk characteristics even more on other dimensions like FilesSystem, Type of File, Protocolls, Ethernet/SAN, drivers etc. I have more customers having slowe backcup than tape.

    What we can offer is multy stream backup, more granular and more simple. Easier to handle. 

     

    • Marianne's avatar
      Marianne
      Level 6

      I think you are missing the point of GDPR.

      MortenSeeberg seems to be summarising doubts and confusion regarding image deletion on backup media very well.