BCP and DPA / GDPR

Today we will talk about the fourth pillar of the DPA, which is to be accountable: implement privacy and data protection measures and exercise them on a regular basis.

Both the GDPR and the DPA state that an entity must have:

  1. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  2. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

In most organizations the Data Privacy Officer is a lawyer, so his first thought is "how the heck will I do that?", especially with so many ISO standards being thrown at him. The answer is to incorporate your Business Continuity Programs into your Data Privacy / GDPR compliance.

We need to look at two main metrics: RPO and RTO. RPO (recovery point objective) is how far back in time we have to go to reach a usable backup, and RTO (recovery time objective) is how quickly we must be back in operation after that incident.

To get back to normal operation, we need to define the maximum targeted period in which data might be lost from an IT service due to a major incident. Simply put: how much data can you afford to lose? What data would be very costly and difficult to recreate? The answer tells you how often you need to back up. Again, do not be tempted to say that everything is vital and you need everything back. Not all data is equal; put a value on it so you can prioritise.


Your Disaster Recovery must be able to recover your data every time and on time. When a disaster such as ransomware hits, you want to be 100% confident that you can recover your data and get on with the job!

Some questions you should ask when evaluating a Disaster Recovery solution:

  1. Will this Solution deliver my RTO / RPO?
  2. Will this Solution work every time?
  3. If my physical server fails, can I recover this to a virtual environment? Or vice versa?
  4. Do I need to restore to the same hardware?

You MUST be able to test your Disaster Recovery plan. Do not let a disaster be your first test!
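The RPO/RTO discussion above and the "test your plan" point both come down to the same evidence: when was each data set last backed up and verified, and did the last restore drill finish inside the RTO with the data intact. The following is an added example, not code from the original article; it assumes a hypothetical per-data-set inventory with a constructed backup log and drill log, and a 50% safety margin on the backup interval (an assumption, not a rule from the text). It reports, in priority order, which data sets currently meet their RPO and RTO and which have no evidence at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Hypothetical inventory: each personal-data set gets its own RPO/RTO and
# priority instead of "everything is vital" (values chosen for illustration).
@dataclass
class DataSet:
    name: str
    rpo: timedelta   # maximum tolerable data loss
    rto: timedelta   # maximum tolerable time to restore access
    priority: int    # 1 = recover first


@dataclass
class BackupRecord:
    dataset: str
    completed_at: datetime
    verified: bool   # restore-tested, not merely "job finished"


@dataclass
class DrillRecord:
    dataset: str
    started_at: datetime
    restored_at: datetime
    data_intact: bool


def required_backup_interval(ds):
    # To guarantee the RPO you must back up at least that often; the 50%
    # margin (an assumption) leaves room for a job that overruns or fails once.
    return ds.rpo / 2


def rpo_status(ds, backups, now):
    """Return (ok, age): age is time since the last *verified* backup."""
    good = [b.completed_at for b in backups if b.dataset == ds.name and b.verified]
    if not good:
        return False, None          # no verified backup is no evidence
    age = now - max(good)
    return age <= ds.rpo, age


def rto_status(ds, drills):
    """Check the most recent restore drill against the RTO; no drill means no evidence."""
    mine = [d for d in drills if d.dataset == ds.name]
    if not mine:
        return False, None
    last = max(mine, key=lambda d: d.started_at)
    duration = last.restored_at - last.started_at
    return last.data_intact and duration <= ds.rto, duration


def continuity_report(datasets, backups, drills, now):
    """One row per data set, ordered by recovery priority, with both checks."""
    rows = []
    for ds in sorted(datasets, key=lambda d: d.priority):
        rpo_ok, age = rpo_status(ds, backups, now)
        rto_ok, dur = rto_status(ds, drills)
        rows.append({
            "dataset": ds.name,
            "backup_every": required_backup_interval(ds),
            "rpo_met": rpo_ok,
            "last_verified_backup_age": age,
            "rto_met": rto_ok,
            "last_drill_duration": dur,
        })
    return rows


# Constructed sample data (not real systems or logs).
NOW = datetime(2024, 1, 15, 9, 0)
DATASETS = [
    DataSet("customer_records", rpo=timedelta(hours=1), rto=timedelta(hours=4), priority=1),
    DataSet("hr_payroll", rpo=timedelta(hours=24), rto=timedelta(hours=24), priority=2),
    DataSet("marketing_archive", rpo=timedelta(days=7), rto=timedelta(days=3), priority=3),
]
BACKUPS = [
    BackupRecord("customer_records", NOW - timedelta(minutes=30), verified=True),
    BackupRecord("hr_payroll", NOW - timedelta(hours=20), verified=False),  # ran, never restore-tested
    BackupRecord("hr_payroll", NOW - timedelta(hours=44), verified=True),
    BackupRecord("marketing_archive", NOW - timedelta(days=2), verified=True),
]
DRILLS = [
    DrillRecord("customer_records", NOW - timedelta(days=30),
                NOW - timedelta(days=30) + timedelta(hours=3), data_intact=True),
    DrillRecord("hr_payroll", NOW - timedelta(days=90),
                NOW - timedelta(days=90) + timedelta(hours=30), data_intact=True),
    # marketing_archive has never been drilled: no evidence, so RTO is "not met"
]

if __name__ == "__main__":
    for row in continuity_report(DATASETS, BACKUPS, DRILLS, NOW):
        print(row)
```

Note that an unverified backup counts for nothing in `rpo_status`: a backup job that completed but was never restore-tested is exactly the "first test is the disaster" situation the article warns against, so the report treats `hr_payroll` as outside its RPO even though a job ran 20 hours ago.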