GDPR covers the requirement to have adequate DR provisions in place in order to comply, as outlined in article 32(1):
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.
to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Specifically, the Regulation stresses the importance of ensuring (1) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and (2) to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
As part of the business continuity planning process, it is good practice for an organisation to identify its key services and processes and to create a list of all known or anticipated threats that face them. These threats should include natural and man-made events. After identifying its threats, an organisation should risk assess these and focus on threats of highest priority. Priority is determined by likelihood or frequency and the consequence of the threat occurring.
When creating a business continuity strategy, there needs to be consideration of people, premises and technology that fulfil the achievement of mission critical activities. There is a risk that without the minimum staffing requirements being defined and alternative accommodation being available, the organisation will fail to deliver its service in the event of a disaster.
Management have a duty to raise the profile of business continuity and disaster recovery within the organisation, and this can be achieved only through their endorsement and the provision of awareness training.
A key area that ensures successful execution of a business continuity plan is thorough testing. Tests are designed to record lessons learnt and the likely recovery time. Once established, an organisation should review the outcome of the test to confirm that it meets their requirements. If this is not the case, the strategy or recovery processes should be amended.
Organisations should have backup arrangements in place based on the importance of systems and related data, and the frequency of data changes. For effective system recovery, the most recent backups should be stored offsite, in line with good practice. Regular tests of backups should be undertaken to ensure their reliability. In addition, there should be periodic tests of full system recovery.
As an example, data backups for all systems and data might be taken on a daily basis and two copies produced. One would be retained on-site and one tape sent off-site for storage off-site, where a rolling 2 months of data is retained. A test must be carried out every three months to demonstrate that data and information can be successfully recovered from backups. Management should implement a schedule of recovery tests to provide assurance that systems and data could be recovered in the event of a disaster.
When creating a business continuity strategy, consideration of the communication requirements (for voice and data) need to be established to fulfil the restoration of mission critical activities. An organisation which deals with calls and enquiries from the public might expect that telecommunications would feature within the business continuity arrangements.
Disaster recovery must be regarded as reaching far beyond I.T. and telephony systems, but even when reduced to how data is to be managed, accessed, and protected in the event of an organisational disaster there is much work to complete.