The forthcoming implementation of the General Data Protection Regulation (GDPR) is often presented as a potential threat to all companies handling personal data. But is that really the case? On the contrary, does it not constitute an opportunity to strengthen security and promote the company’s sustainability? The protection described in the European regulation may apply to all data, including data that is not of a personal nature. Thus, Article 32 on the security of processing states that the data controller and the processor must implement all technical and organisational measures needed to ensure a level of security appropriate to the risk, inter alia pseudonymisation and encryption, guarantees of the integrity of transmitted data and of access security, and the availability of the data within appropriate time limits in the event of a physical or technical incident.
Data availability has become a key issue for businesses. The slightest loss can have damaging consequences for the turnover and image of any organisation. According to SailPoint’s 2017 Market Pulse survey of 600 IT decision makers from leading companies around the world, 71% of companies say they are not fully equipped to protect unstructured data. The figure is worrying and demonstrates the urgency of implementing a Disaster Recovery Plan (DRP) or a Business Continuity Plan (BCP). The first allows the IT infrastructure to be rebuilt within a few hours to a few days and the integrity and resilience of the information system to be tested. The second allows virtually no interruption of service, thanks to a very short changeover time from the primary site to the backup site. Not least, the mirror site can also be used as a basis for data analysis (Data Analytics) without any impact on the performance of the production site.
There are different ways to obtain a DRP or BCP. Two factors will determine its depth and complexity: the maximum duration of interruption (Recovery Time Objective, or RTO) and the maximum data loss (Recovery Point Objective, or RPO) that the company can tolerate during a breakdown or incident. There are several options for duplicating the technical infrastructure: internally – but this requires significant resources – externally through a third-party organisation via a private or public cloud, or in a hybrid way. The choice of data replication solution can also be crucial for the implementation of a DRP or BCP. The solutions offered by the big vendors are often expensive, but there are open and adaptable alternatives.
Regardless of the depth and complexity chosen, a DRP or BCP is not static and follows a continuous improvement process. It must be tested regularly to verify its effectiveness and to keep it operational in a constantly evolving company. For a disaster recovery plan, tests should be performed at least once a year – ideally every six months – with minimal data escalation. For a business continuity plan, on the other hand, tests are carried out on an ongoing basis and regularly include – at least once a month – switching from one site to the other.
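To make the RTO/RPO definitions above and the drill schedule concrete, here is an added example (not from the original article) that scores a site switch-over drill against the objectives set for each system and flags plans whose last test is overdue; the system names, objectives, timestamps and drill dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Objective:
    rpo: timedelta            # maximum tolerated data loss
    rto: timedelta            # maximum tolerated service interruption
    test_interval: timedelta  # how often the plan must be exercised

@dataclass(frozen=True)
class Drill:
    system: str
    last_good_copy: datetime    # newest consistent copy available on the backup site
    outage_start: datetime      # moment the primary site was declared unavailable
    service_restored: datetime  # moment users could work again on the backup site

def evaluate_drill(drill: Drill, objective: Objective) -> dict:
    """Compare one switch-over drill with the objectives set for that system."""
    data_loss = drill.outage_start - drill.last_good_copy
    downtime = drill.service_restored - drill.outage_start
    return {"data_loss": data_loss, "downtime": downtime,
            "rpo_met": data_loss <= objective.rpo, "rto_met": downtime <= objective.rto}

def overdue_plans(last_drills: dict, objectives: dict, now: datetime) -> list:
    """Systems whose last drill is older than the interval their plan requires."""
    return sorted(s for s, done in last_drills.items()
                  if now - done > objectives[s].test_interval)

# Constructed sample data (hypothetical systems and dates): a DRP-style ERP that is
# rebuilt within a day from a nightly copy, and a BCP-style webshop on a mirror site.
OBJECTIVES = {
    "erp": Objective(timedelta(hours=4), timedelta(hours=24), timedelta(days=183)),
    "webshop": Objective(timedelta(minutes=5), timedelta(minutes=15), timedelta(days=31)),
}
DRILLS = [
    Drill("erp", datetime(2024, 3, 10, 2, 0), datetime(2024, 3, 10, 9, 30), datetime(2024, 3, 10, 17, 0)),
    Drill("webshop", datetime(2024, 3, 10, 9, 28), datetime(2024, 3, 10, 9, 30), datetime(2024, 3, 10, 9, 38)),
]
LAST_DRILLS = {"erp": datetime(2023, 8, 1), "webshop": datetime(2024, 3, 10)}
AS_OF = datetime(2024, 4, 1)

def drill_report() -> dict:
    """Per-system verdict: the ERP drill here misses its RPO (7h30 of data lost)."""
    return {d.system: evaluate_drill(d, OBJECTIVES[d.system]) for d in DRILLS}

def overdue_report() -> list:
    """With the constructed dates, only the ERP plan has gone untested for too long."""
    return overdue_plans(LAST_DRILLS, OBJECTIVES, AS_OF)
```

Calling drill_report() shows that a nightly copy cannot satisfy a four-hour RPO, which is exactly the kind of gap a regular drill is meant to surface before a real incident does.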
By following the best practices described above, you not only meet the requirements of the GDPR, but you also ensure the survival of your business and strengthen your ties with your customers and prospects. It can never be said enough: proving your security and data protection skills is the best selling point!