After the general overview and the delving into the first and second principles in our GDPR journey, it is time to look at the third principle: Protect the data. As a reminder, below are Veeam’s 5 lessons or 5 key principles in the GDPR journey:
- Know your data
- Manage the data
- Protect the data
- Documentation and compliance
- Continuous improvement
There are many Information Security articles about protecting your data. Implementing and ensuring data protection heavily relies on tools and technology. While tools and technology are essential in protecting data, it is not sufficient. Protecting your data comes from article 25: Data protection by design and by default, and it is more than technology alone.
This means that you need to be able to make the data available at any moment or make it available again as soon as possible when something has happened. Putting security on your gates, both physical and digital is required, but extends far beyond this: restricting access, auditing who gains access and does what, monitoring, and implementing protections against malware. Finally, ensuring a solid backup and Availability plan with regular testing and validation is essential. We believe that backup and recovery should become a required part of all new projects and built into the fabric of the organization.
It is also important to realize that despite best efforts, data protections may be breached. Plans and processes for this event should be introduced. Most organizations will have heard about the breach notification principle. If you discover a breach, you are obliged to notify the authorities as soon as possible. Implement a plan that specifies the responsibilities of each team in the event of an incident.
Last but certainly not least, don’t forget about your data assessment impact. Whenever you need to perform maintenance or upgrades, there is always a risk associated to it. Put processes in place and test updates in advance of their rollout
Data protection by design and by default is more than security alone. It is a combination of security techniques such as firewalls, network restrictions and hardening, protection against malware, internal education, role-based access control, impact assessments, backup and DR and much more. Besides taking this as a required part of any new project deliverable, you should revise all your existing workloads and apply those principles against them — both internal ones, as well as external hosted services.