General Data Protection Regulation (GDPR)


by paulhardy » Mon Feb 13, 2017 11:49 am

Just wondered how many of us have started thinking about the impact of GDPR on backups, or rather the potential need to remove personal data from backups at the request of an individual? Although I think it's unclear if the data removal extends to all backups, it is covered in Article 17, 'right to erasure'. I'm not a GDPR expert; in fact I only recently came across the news that this comes into force in MAY 2018!

https://en.wikipedia.org/wiki/General_D ... Regulation

Interesting world: trying to protect against ransom attacks with air-gapped backups, as mentioned in Gostev's digest, but also the potentially conflicting requirement to automate the removal of data. :)

Re: General Data Protection Regulation (GDPR)

by Mike Resseler » Mon Feb 13, 2017 12:26 pm

Paul,

As far as I see it, this won't be applicable to backups. The right to erasure is important for production data which is "live". However, having a backup of that data does not mean you also need to delete that data from the backups. What happens when you have a legal issue afterwards and you need the data in court?

I hope though things will become more clear in the future :-)

Re: General Data Protection Regulation (GDPR)

by Gostev » Mon Feb 13, 2017 6:15 pm (1 person likes this post)

That would be a nice loophole if this was applicable to backups! Open a bank account, do some money laundering, and then exercise my right to erasure to delete all traces of me from everywhere, including backups! Ermm, no, I don't think this is happening :D

And let's not forget WORM tapes and storage devices, from which you are physically unable to delete any part of data once you put it there.

Re: General Data Protection Regulation (GDPR)

by ChrisJ83Knights » Mon Mar 06, 2017 4:45 pm

Hi

Does anyone know the official line on this?

I was told it would include backups and that we should only be planning for 1 year's retention, and then the practice management software would deal with GDPR.

I have always worked towards keeping 7 years of backups but am unsure how GDPR will affect this.

Many thanks

Re: General Data Protection Regulation (GDPR)

by Mike Resseler » Mon Mar 06, 2017 5:29 pm (3 people like this post)

Hi Chris,

From what we can see today, backups are included as following:

1) When you store data which is considered personal or sensitive data (customer data, for example), then the data of inhabitants of the European Union (the backup) should reside in the European Union (location), and even the backup copy jobs or tapes should be there, unless you have a system where the customer (each and every one of them) has given you permission to store it outside the US. You need to be able to prove that with reporting.

2) You are allowed to have data of such kind on your backups, even if that person already has claimed his right to be forgotten. However, you are not allowed to do a restore of that data (unless in a case of a lawsuit or similar)

Then there are quite a few things where you can put your backups to work to prove things for auditors, or that your (soon to be appointed) data protection officer (DPR) can use to prove that you are compliant. Reports from Veeam ONE can prove that you are using SureBackup and therefore regularly test and assess the effectiveness of your GDPR measures (it is a part of a whole system, but it certainly proves the backup / DR part already). Another example would be the Protected VMs list report, which would give you proof that you are safeguarding your data (and the data of an individual from the European Union).

So to summarize: as of today, from what we know, backups won't be affected that much by the GDPR; however, the Veeam Availability Suite has reports and data that can help your DPR prove compliance.

Hope it helps and makes sense
Mike

Re: General Data Protection Regulation (GDPR)

by paulhardy » Mon Mar 13, 2017 8:35 am

Thanks for your feedback everyone

[MERGED] Possible backup nightmare...

by ChrisCA » Tue Apr 18, 2017 8:13 pm

I've been looking into requirements for the incoming General Data Protection Regulation and there's an interesting new set of requirements regarding the right to erasure, where there is an obligation on any business holding individuals' data to delete it once it is no longer required, or if requested. I checked with the Information Commissioner's Office and they consider that to include removing the data from backups.

This should be interesting...

Is there any mechanism in Veeam to remove data from an existing backup or backup chain?

Re: General Data Protection Regulation (GDPR)

by Mike Resseler » Wed Apr 19, 2017 5:47 am

Chris,

Who is the Information Commissioner's Office? Because from what we know, there is no need to remove that data from the backups. On the contrary, it would make every legal action afterwards impossible. As Anton stated above, we would create the perfect scheme for money laundering.

What we do know is that when you do a restore, you will need to make sure that the data that is erased suddenly does not reappear again.

Anyway, if you would give me some more details about that Office, that would be appreciated, as I will investigate further.

Re: General Data Protection Regulation (GDPR)

by ChrisCA » Wed Apr 19, 2017 8:07 am (1 person likes this post)

Hi Mike,

The ICO is the UK's organisation, set up originally I believe for the Data Protection Act, which is going to be "policing" the GDPR. Anton's point is dealt with on this page - https://ico.org.uk/for-organisations/da ... o-erasure/ - under the section "when can I refuse to comply with a request for erasure?".

Your points above sound interesting re being allowed to keep data in backups and that definitely seems to be the best way of handling it. My worry is backup isn't mentioned in the regulations at all, and I had a webchat with a rep from the ICO where he confirmed that data should be removed from backups.

Interestingly there is a loophole where cloud connect repos wouldn't fall under the same requirements, assuming you guys are working on a way to "airgap" backups to vcc :)

Re: General Data Protection Regulation (GDPR)

by Mike Resseler » Wed Apr 19, 2017 8:39 am (1 person likes this post)

I think that the ICO rep might not be 100 percent correct. We (at Veeam at least) are continuing to investigate this but as you see for yourself, there is a lot of confusion around this new set of rules. And backup is indeed not mentioned anywhere (besides article 25 but that is about making sure that you can recover the data :-)).

Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

As long as we are talking about payments, orders and so on... the data remains necessary for accounting and legal and whatever purposes so if there has been some sort of action, then that data certainly should not be deleted.

Feel free to share more information that you received. We continue to look at it and discuss this internally.

Thanks
Mike

Re: General Data Protection Regulation (GDPR)

by ChrisCA » Wed Apr 19, 2017 8:54 am (1 person likes this post)

I'm really hoping the ICO rep isn't correct - can you imagine dealing with this in Windows Server Backup?

It's definitely an interesting problem. There just doesn't seem to be any workable way of achieving what the GDPR is trying to achieve with current backup technology, but without the requirement to remove data from backups the right to erasure seems completely pointless. How do you manage the difference between, say, a copy of an Excel file and a backup?

Re: General Data Protection Regulation (GDPR)

by dellock6 » Wed Apr 19, 2017 10:33 am (4 people like this post)

I feel like the difference is more in the involved procedures rather than technical. With live data I can just open it and access the information it holds; like in your example, I just need to open the Excel file and read its content. With backups, in order to access the data again I need to start or request a restore operation; if this operation is forbidden in some way (it may be technical or simply a procedure), then the data cannot be read again unless the restore is completed.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1

Re: General Data Protection Regulation (GDPR)

by Gostev » Thu Apr 20, 2017 12:40 am (4 people like this post)

What Luca said makes perfect sense. Online data is readily available to all production applications and processes. Backups, on the other hand, are usually impossible to get to (even without GDPR, most companies secure access to their backups very tightly, because it is the easiest way to steal a company's data).

One interesting fact here is that erasure of data from production automatically turns "backup" into "archive" (as the very difference between backup and archive is whether the protected data is still present in production). While it sounds like a subtle difference, you have to keep in mind that there are existing legal requirements associated with data archival when a company is legally required to perform one. For example, to be compliant you must ensure data immutability - that is, at any point in time the archived documents retrieved from the archiving system must be the same as originally saved in the system. In other words, you can't simply delete a person from an archived spreadsheet, because as soon as you do this to "meet" GDPR, you will instantly fail at another equally important legal requirement. Catch-22? Although, as I have already noted, purpose-built, certified data archival systems ensure immutability by simply not supporting modification of data (WORM tapes, hardware-based write lock for disk storage, etc.).

Re: General Data Protection Regulation (GDPR)

by SBarrett847 » Fri May 05, 2017 10:42 am (1 person likes this post)

This topic has come up in discussion in our company - any legal opinion we've received has told us that we must delete ex-customer data, including from archive tapes. I'm not sure the received legal opinion is fully cognisant of the technicality of what this involves.

I think an official line from Veeam as to their understanding of the situation would be very helpful for customers planning deployments and dealing with legacy archives.

Re: General Data Protection Regulation (GDPR)

by Mike Resseler » Fri May 05, 2017 1:28 pm (4 people like this post)

Stephen,

We are also in the process of dealing with legal to get a definitive answer. But that seems to be the issue... Some say it needs to be deleted (despite the fact that if you delete customer data, you are suddenly in an area where you can't prove anything anymore in case of legal issues). Others say that you are not obliged to delete it unless you make the retention for keeping data (depending on your vertical).

We are working on an official statement as we speak, but I prefer to be a bit slower with it to make sure it is correct and not a bunch of nonsense, which seems to be more common these days when it comes to GDPR :roll:
