“Right to be forgotten” clauses in recent data protection regulations such as the GDPR and the California Consumer Privacy Act require organizations to delete customers’ personal data upon request. That can create complications for data backup and disaster recovery operations.
These data deletion requirements mean that organizations must be able to identify and purge every instance of a consumer’s personal data. That is a significant challenge in organizations that may have several years’ worth of backups along with duplicates housed in redundant data centers or cloud platforms for DR purposes.
The data retention requirements of other federal, state and industry regulations contribute to the challenge. HIPAA, for instance, mandates that healthcare organizations must retain certain types of data and documents for a minimum of six years. Sarbanes-Oxley requires businesses to hold some billing and tax information for seven years and customer invoices for five years.
Finding instances of specific personal data in your regular backups and offsite duplicates is not an easy process. Your backups might be in a variety of proprietary formats, depending on the backup software you use. Manual tagging and scripting can make files searchable, but that is an incredibly time-consuming process requiring exorbitant levels of staff resources. Even then, it may not always be possible to find personal data inside a spreadsheet or a relational database management system.
Data Growth Challenges
Another challenge is that organizations often don't really know what or how much data they have. Data stores are growing by as much as 65 percent annually, but studies suggest that more than half of all global data is “dark” data of unknown value. One study estimates that as much as 85 percent of all data being processed and stored by organizations around the world is functionally useless.
Given these challenges, many industry analysts argue that finding and deleting personal information in backups simply isn’t practical. Only the very largest enterprise organizations have the manpower and resources to manage hundreds or even thousands of terabytes of data. Some experts suggest the best most organizations can do is manage backups with care and take steps to prevent unauthorized access. In the event the backup data is needed, personal information could be detected and erased before it is restored.
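One concrete form of the "detect and erase before restore" approach described above is a restore-time filter driven by an erasure ledger. The following is an added example written for this page, not tooling from RMM Solutions or any backup vendor. It assumes a hypothetical backup export as JSON lines with an "email" field identifying the data subject and a "category" field; erasure requests are stored only as keyed HMAC-SHA256 tokens of the normalized identifier, so the ledger does not itself hold the personal data it exists to remove. It goes one step beyond the text by also handling the retention conflict mentioned earlier: records in categories subject to a statutory hold (assumed here to be invoices and tax records) are pseudonymized rather than dropped, and counts of suppressed records are returned for an audit trail.

```python
"""Restore-time erasure filter (added example; hypothetical format and policy)."""
import hashlib
import hmac
import json

# Constructed secret for the example; in practice this key lives in a KMS/HSM
# and is never stored next to the backups.
LEDGER_KEY = b"constructed-ledger-key-do-not-reuse"

# Assumed retention policy: these categories must be kept for a statutory
# period, so matching records are pseudonymized instead of deleted.
RETAIN_CATEGORIES = {"invoice", "tax"}


def normalize_email(email: str) -> str:
    """Canonicalize the identifier so case and whitespace variants match."""
    return email.strip().lower()


def subject_token(email: str, key: bytes = LEDGER_KEY) -> str:
    """Keyed hash of the identifier; the ledger stores only these tokens."""
    data = normalize_email(email).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_ledger(erasure_requests):
    """Turn a list of requested identifiers into a set of lookup tokens."""
    return {subject_token(e) for e in erasure_requests}


def pseudonymize(record: dict, token: str) -> dict:
    """Keep the record for retention, but strip direct identifiers."""
    out = dict(record)
    out["email"] = "erased:" + token[:16]
    out.pop("name", None)
    return out


def filter_restore(lines, ledger):
    """Apply the erasure ledger to backup lines before they are restored.

    Returns (records_to_restore, stats) where stats counts suppressed records
    so the restore job can log what it withheld without logging the data.
    """
    restored, stats = [], {"dropped": 0, "pseudonymized": 0}
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        email = rec.get("email")
        if email is None:
            restored.append(rec)          # no data-subject identifier: unaffected
            continue
        token = subject_token(email)
        if token not in ledger:
            restored.append(rec)          # subject has not requested erasure
        elif rec.get("category") in RETAIN_CATEGORIES:
            restored.append(pseudonymize(rec, token))
            stats["pseudonymized"] += 1
        else:
            stats["dropped"] += 1         # withheld from the restore entirely
    return restored, stats


# Constructed sample backup export and erasure request list.
SAMPLE_BACKUP = [
    '{"id": 1, "email": "alice@example.com", "name": "Alice", "category": "profile"}',
    '{"id": 2, "email": "alice@example.com", "name": "Alice", "category": "invoice", "amount": 42.0}',
    '{"id": 3, "email": "bob@example.com", "name": "Bob", "category": "profile"}',
    '{"id": 4, "email": " Alice@Example.COM ", "category": "support_note"}',
    '{"id": 5, "category": "system_event"}',
]
ERASURE_REQUESTS = ["alice@example.com"]


if __name__ == "__main__":
    records, summary = filter_restore(SAMPLE_BACKUP, build_ledger(ERASURE_REQUESTS))
    for r in records:
        print(r)
    print(summary)
```

The normalization step matters: a subject's identifier rarely appears in one canonical spelling across years of backups, and a ledger keyed on raw strings would silently miss the variants. Keeping the ledger as keyed tokens also means the ledger can be shared with a BaaS or DRaaS provider's restore pipeline without handing them a second copy of the data the subject asked to have erased.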
Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) solutions can make compliance much less demanding for most organizations. They enable near real-time data backup and restore operations from offsite IT infrastructure and shift much of the data governance burden to a third-party provider.
Although they are related services, there are significant differences. In BaaS, a provider backs up data to remote storage but doesn’t provide any infrastructure protection. With DRaaS, the provider hosts or replicates infrastructure offsite, providing both data and infrastructure protection in the event of a disaster.
RMM Can Help
Either approach can improve your compliance footing — if you are working with a qualified provider. Top providers will have compliance and risk-management expertise, and a comprehensive framework to ensure the availability, accuracy, integrity and security of your information assets.
RMM Solutions offers both BaaS and DRaaS options along with a variety of other data protection solutions through our state-of-the-art data centers. We support customers’ compliance efforts through our two Tier III data centers, which have SOC 2 Type 2 certifications that demonstrate the highest standards of security, confidentiality and privacy.
Regulations such as the CCPA and GDPR assure consumers that organizations are committed to protecting their personal data. The sheer quantity of data in play makes compliance a challenge, however. Backup and disaster recovery services from RMM can provide a framework for making it more manageable.