Backup Data Privacy Compliance

This post is part of a sponsored ComplyTrust blog post series. To learn more about ComplyTrust, please visit complytrust.com.

Backups are one of the few data repositories where most if not all an organization’s data, often coming from disparate systems and sources, is centralized and searchable. Backup Data Privacy Compliance refers to that data retained in backups remains compliant with data privacy regulations.

One of those regulatory topics relates to Data Subject Access Requests (DSARs) raised by individuals (or data subjects), and eventual subsequent queries, such as modification of personal data, or its entire removal through Right of Erasure (RoE) requests, as outcomes of Right-to-be-Forgotten (RtbF) prerogatives granted under privacy laws.

Challenges of Backup Data Privacy Compliance

Compared to live data, backups are a bit special and have specific challenges. Those listed below are usually net positives when it comes to securing and optimizing an organization’s data protection footprint. They can however have a negative impact from a data privacy standpoint:

  • Data placement: data from various legislations may be centrally backed up in one or more regions for cost and manageability reasons, whether on-premises or on public clouds, causing potential compliance issues with data sovereignty regulations.
  • Efficiency: Data reduction mechanisms help reduce backup footprint, but can make it more complex to rehydrate, retrieve, and eventually remove data.
  • Immutability: to prevent against data tampering, accidental or malicious deletion, a growing count of data protection solutions are implementing immutability features, often tied with object storage. Depending on how immutability is implemented, this can prevent access and removal of data.
  • Security: Backups are a crucial part of business continuity strategies and the last measure to recover compromised systems. Air gapped backups provide strong protection against data compromission but increase the difficulty of handling DSAR and RoE requests.
  • Scope: Besides traditional infrastructure-based backups (whether backed-up data resides on-premises or in clouds), many organizations also rely on SaaS solutions such as Office 365, Salesforce, and more. These are also relevant targets for backup data privacy compliance.

Maintaining Backup Data Privacy Compliance

Not all the challenges above can be successfully addressed due to the inherent design either of backup systems, or the security and immutability features. Even if a DSAR request is successfully processed and a user’s personal data is removed from all live systems, this data could still reside on backups.

Although dormant, this data could be reinjected into production systems in case of backup restore operations or, perhaps worse, backed up data could be restored to be used for dev & test use purposes. Unfortunately, data security is often disregarded in dev/test use cases, with many documented cases of public data exposures / breaches caused by lack of basic security controls, notably when data is (re)stored on public clouds. It’s correct to argue that data should ideally be anonymized, but this still doesn’t remove the regulatory burden of ensuring that no personal data is retained after a RoE request.


Organizations therefore need to have tools and processes in place to continuously monitor, identify, and remove personal data that should no longer be present on its datasets and applications.

The Case of SaaS Backups Data Privacy Compliance

SaaS platforms (such as Salesforce and others) also propose backup solutions. While these platforms propose data privacy tools, the capabilities are often limited in scope with manual monitoring and reconciliation processes.

As pointed out previously, data restores can reinstate personal data that should no longer be present in production systems, a point that holds true even for SaaS-based platforms. Furthermore, without continuous monitoring, identities could be added either from a re-enrollment (new customer purchase for example) or through other activities such as mergers & acquisitions, or purchase of 3rd party customer information.

ComplyTrust’s Forget-Me-Yes® (FMY) tackles this challenge by locating, organizing, and managing data subject personal information in a secure, efficient, and persistent way. The solution performs initial query and deletion from all data record sources; it records the information in an audit log to provide regulators proof that RtbF / RoE requests were effectively performed.

The solution also maintains a multi-level encrypted and secure personal information record in a database to perform automated persistent checks (re-query and delete), providing the assurance of continuous compliance with data privacy laws.

Conclusion

Maintaining data privacy compliance in the context of backups presents unique challenges, reinforced by the complexity of existing, pre-privacy laws deployments. Organizations should take these potential roadblocks into account when redesigning their backup infrastructure. 

Dynamic and changing regulations combined with a fluid geopolitical situation mandate the need to build flexible architectures which enable leaner processing of regulatory requests and allow rapid reorganization of backup data flows and data placement.

But lean backup architectures alone cannot tackle the regulatory challenges, and without automation, the task of maintaining compliance is unachievable at scale.

ComplyTrust’s Forget-Me-Yes® offers a trusted, vendor-agnostic zero-knowledge SaaS solution that can be seamlessly integrated with any data protection solution through an open, API-driven structure. FMY delivers end-to-end management of RtbF and RoE requests in compliance with major international regulations such as GDPR, CCPA, LGPD, PIPL, and more.

With automated query / deletion, integrated audit trails, and continuous state assessment and remediation, the solution delivers formidable outcomes, freeing organizations from cumbersome manual activities.

by Max Mortillaro

All brands, images and names are property of their respective owners.

The ComplyTrust Team.