Friday, 28 July 2017
Over recent blogs, I have outlined some of the data security issues that recruitment agencies need to consider when preparing for GDPR, including data access control and securing your data from insider threats.
Today I wanted to talk about effective backup of your data, as this also forms an important part of your GDPR compliance obligations. In fact, protecting your recruitment agency’s confidential data and email is paramount, not only for GDPR compliance, but also to ensure your agency is not impacted by an IT problem. As such, it is vital that backups of data are being held. However, not all backups are equal! In fact, backup takes many forms, and in most cases nowadays there is a need for a multi-layered backup strategy in order to provide full protection of data. As a provider of a secure private cloud platform for recruitment agencies, I am all too well aware of the technical complexities and potential pitfalls of data backup and recovery, so I thought it would be useful to share some information on the various different types of backup that are available, along with the pros and cons of each, and the scenarios when you would employ each type of backup.
This is where a copy of your data is sent to the cloud either periodically or in realtime as files are updated.
Cloud backups are a useful way of keeping a copy of your data offsite, which provides for extra protection in the event of a disaster on your premises, which might wipe out locally held backups as well as the live servers.
The effectiveness of this type of backup depends on the volume of data you are holding/changing and the speed of your internet connection. Where there are large data volumes involved and limited internet speed/capacity they are not always practical.
There are also security considerations around confidentiality of data that it is important for the agency to understand – for example where is your backup data being stored in this scenario? Does it remain in the UK or EEA? Is the data centre where it is housed suitably secure (e.g. ISO27001 certified)? Is your data encrypted, both on the backup provider’s servers and whilst it is in transit?
It is also important to understand whether the provider is retaining multiple historical versions of each file, or just the latest backup.
With suitable due diligence and appropriate internet connectivity, online backup can be a good solution for retaining up-to-date system backups.
This is where a copy of your data is taken periodically to a removable media such as disk or tape. This provides a very useful form of backup as it is held off-line and therefore can't be attacked by cyber security threats such as ransomware. Offline backups can also be useful to facilitate fast restoration, since you do not need to pull the data back over the Internet.
It is very important to ensure that any removable media backups are kept physically separate from live systems, and ideally off-site, as otherwise there is the danger that a problem which incapacitates your live system may also wipe out the backups.
Bear in mind that removable media backups are not usually run in real-time (an overnight backup is typically the norm), so there is likely to be some data loss if you do need to restore from this type of backup, as well as some downtime while the restore takes place.
However, it is best practice for a cycle of backups to be taken, which does then provide the facility to restore everything back to a given point in time. This can be particularly useful when a corruption or a cyber infection has occurred, since it allows the system or individual files to be restored back to a point in time before the problem occurred.
Real-time replication to another server works well when no downtime can be tolerated, but bear in mind if a corruption or accidental deletion of a file occurs, that this will be replicated in real-time to the backup server too.
Recovering Your Data in a Disaster
Backups are vital, but if you cannot recover them in a timely fashion, or without undue data loss, then they are of little use.
So in your GDPR preparation, it is important to consider for how long your agency could cope without access to each of your IT systems and/or data repositories. This is likely to vary from system to system; for example you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your plan needs to go through each system you use, considering how long you could live without it. The second key consideration is around data loss. Again for each system you need to be clear how much data loss, if any, would be acceptable and tailor your disaster recovery systems accordingly. If no data loss is acceptable, then a real-time replication solution should be considered. If some data loss is acceptable in a disaster scenario, then you may be able to live with backups that run daily or hourly.
Finally, never underestimate the importance of having a written disaster recovery plan and having tested it on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. So regular testing is paramount, bearing in mind that your IT systems are constantly evolving and being updated.
I hope this gives you some key pointers for preparing your IT systems for GDPR from a data backup and recovery perspective. Should your agency require help in clarifying its current backup strategy and ensuring it is aligned to your agency’s current business needs, as well as GDPR compliance requirements, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on firstname.lastname@example.org or email@example.com when we will be happy to help.
Xara Computers flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK based remote desktop running all their own agency’s software. This allows fee earners to work and collaborate in real-time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client and candidate data is centralized and secure. For more information please visit our website www.xc30.co.uk/recruitment