Is a Tape Environment Compatible with the GDPR?

Reading time for this article .

General data protection regulation or GDPR and protecting your data imageWhat is GDPR?

The General Data Protection Regulation (GDPR) is a newly implemented regulation concerned with the collection, handling, storage, protection and deletion of personal information of individuals within the European Union (EU). While reforms were agreed upon in December 2015, organizations were not expected to be compliant until May 25, 2018. The main points of the ruling are:

  • Organizations must protect data assets containing the personal information of EU residents.
  • Organizations must maintain the ability to delete such data and are required to do so upon the request of the individual

Organizations that do not manage and protect personal data appropriately face serious fines under the new regulation. This considerable penalty is why this regulation is getting so much attention, not only in Europe, but across the world.

Spectra Storage and Privacy

For the bulk of Spectra customers, Spectra products do not play a significant role in data privacy, as authorized access is typically handled at a higher level of system software.

However, Spectra’s object storage solutions offer data search and delete capabilities as well as tape cleanup to aid with GDPR compliance. Spectra also offers various encryption technologies, allowing libraries, partitions, and even individual tapes to be independently encrypted. Full hard drive hardware encryption is also available. Additionally, larger libraries are often located in controlled access data centers.

Protecting Your Data

Cybercrime is one of the main causes of data breaches, and many organizations know that tape technology is the best solution to protect data against ransomware attacks. From encryption to the concept of the ‘Tape Air Gap’, tape-based offline storage offers unique advantages in this scenario. In today’s world, where cybercrime is a growing threat, the ability to create a physical air gap using tape technology to prevent data from being hacked is one of the main benefits of tape storage. There is currently no ransomware designed to attack virtual drives and access tape. And unless criminals have physical access, it is impossible for them to reach offline media.

Many organizations using disk-based backup are utilizing compression and deduplication as a method of protecting their data in the event of a problem, but most don’t believe that a single copy of their backups is enough. . . enter tape. Tape can be the backup to your backup, protecting your data against online viruses while still being compliant with the GDPR.

The Right to be Forgotten

There have been many questions around the phrase “right to be forgotten” in the GDPR. How quickly do you need to be able to delete data upon request? What if the data is encrypted?

When evaluating the language of the regulation, it becomes clear. Under the GDPR, organizations are permitted to keep data on a backup copy as long as the data is protected through encryption, is not accessed again, and is deleted once it is no longer needed (i.e., when the backup expires). In other words, if an individual asks for the right to be forgotten, organizations are not obliged to immediately delete a specific data file. It’s acceptable under the law to inform the subject that your organization has an encrypted copy on tape to protect their personal information against ransomware, and that the data will expire and be deleted in a reasonable timeframe (you have one month to acknowledge a data subject request).

Tape has an important role to play in your organization’s journey to protect EU residents’ personal information and your production data against ransomware. Most backup software vendors know how to handle tape. As long as you use tape as your last line of defense, following the 3-2-1-1 data protection rule, it should be easy to be compliant and safe with tape.

General data protection regulation or GDPR and Spectra Stack Image