Our GDPR Compliance Project

The General Data Protection Regulation is coming - are you ready?

Protecting our customers’ data is a high priority for us here at RLS Computer Services. With the General Data Protection Regulation (GDPR) coming into effect in May 2018, we see this as an opportunity to strengthen our commitment in the area of data security.

What is the GDPR?

In the UK, the Data Protection Act 1998 (DPA) is a law introduced to protect personal data stored on computers or in an organisation's filing systems. Its purpose was to control the way information is handled, and it gave people ("Data Subjects") legal rights over the purpose, lawfulness, accuracy and retention period of the information held about them, and over what that information was.

Since the birth of the DPA, technology has moved on dramatically. Social media, Internet presence, mobile technology and CCTV have all emerged and grown and the act is long overdue an overhaul.

Enter the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. The new law applies to data processing carried out by organisations operating within the European Union (EU). It also applies to organisations outside the EU that offer goods or services to individuals in the EU. The government has already decided that "Brexit" will not affect the commencement of the new law; in fact, we "may" also see the UK's Data Protection Bill introduced on the same day, as the Data Protection Act 2018, effectively implementing the GDPR into UK law.

So simply put, GDPR, and the forthcoming Data Protection Act 2018, expand the privacy rights granted to data subjects (EU/EEA individuals) and place greater obligations on organisations who handle personal data of those individuals (data controllers and processors), wherever those organisations are based.

What we're doing to comply with GDPR

The task of compliance can be long and complex, so we have taken steps to make changes to our policies, procedures and systems to ensure that we comply with the Regulation and continue to put data protection first.

Some of the steps we have taken and are taking include:

  • mapping all data handled by us and our suppliers
  • analysing GDPR requirements against our current processes and policies
  • making changes to our policies and procedures in line with requirements
  • making appropriate changes to our software tools and services
  • making sure our suppliers (“Processors”) are also compliant
  • reviewing and updating contracts, as and where appropriate
  • training all staff on the requirements of GDPR and our data privacy procedures.

Organisations must ensure that they are compliant with the provisions of the new Regulation when it comes into force, but the requirement to be compliant does not end on 25 May. While there is a tick list of things to be done, our approach is not only to become compliant but also to reach beyond that and gain certification in cyber security, which will in turn assure our customers that our implementation follows "Privacy by design and default". This means we will implement technical and organisational measures to give customers assurance of our security standards.

We hope to have all our policies and procedures in place before the 25 May and will keep you posted on our developments.


Data Retention Policies

What is a Backup Retention Policy?

A Backup Retention Policy governs how long you keep backed-up data. Alongside the retention period you should also consider the archive rules, format, method of storage, access policy and encryption, all of which must be documented for legal and privacy reasons under the DPA (including the new GDPR).

The most common retention policy used by most IT professionals is the Grandfather–Father–Son method for maintaining a period of tiered restore points. This method is a rotation scheme whereby a daily backup (the son), a weekly backup (the father) and a monthly backup (the grandfather) are created to maintain a good backup strategy.

Simply put, each week the daily backups from the last 7 days (the sons) are consolidated into one weekly backup (the father); every 4 weeks the weekly backups are consolidated into a monthly backup (the grandfather); and finally the last 6 monthly backups are retained as the 6-month history. This process can vary depending on your retention policy, your legal requirements for completing data backups and how often you take a backup (i.e. hourly vs. daily, or monthly vs. 6-monthly).

For legal purposes in building your retention policy you need to consider what the impact would be if you needed to recover lost data and over what period. If for example your backup policy was:

  • Daily backups – 7 days
  • Weekly backups – 4 weeks
  • Monthly backups – 6 Months

This would mean that, for a loss of data immediately recognised by a user, you would restore from the previous day's backup. If the mistake was not immediately acknowledged and was only noticed a couple of weeks later, you would have to search the weekly backups for the missing file; and if the issue did not manifest until a good few months later, you would have to search the 6-month backups for the file. You now need to consider whether this is acceptable both for your business and for the data subject. The impact on the business might carry a financial cost, or a data subject might submit a SAR (Subject Access Request), which must be complied with within 30 days (under GDPR), and you may not have the information at hand. Therefore, a policy needs to be clearly drafted considering all scenarios, including the worst-case scenario.
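As an added illustration (not part of the original post or any RLS tooling), the following Python script simulates the Grandfather-Father-Son rotation with the 7-day / 4-week / 6-month policy described above. It computes which snapshots survive the rotation, then answers the practical question the post raises: for a loss noticed 2, 100 or 300 days later, which restore point is still available and how many days of changes are unrecoverable. The reference date, the daily snapshot dates and the `POLICY` dictionary are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed policy matching the post's example: 7 daily, 4 weekly, 6 monthly.
POLICY = {"daily": 7, "weekly": 4, "monthly": 6}


def _newest_per_group(snaps, key_fn, count):
    """Newest snapshot in each of the `count` most recent groups (ISO weeks or months)."""
    groups = {}
    for d in snaps:
        k = key_fn(d)
        if k not in groups or d > groups[k]:
            groups[k] = d
    recent_keys = sorted(groups)[-count:]
    return {groups[k] for k in recent_keys}


def gfs_retained(snapshots, policy=POLICY):
    """Snapshot dates kept under a Grandfather-Father-Son rotation.

    sons         = the newest `daily` snapshots
    fathers      = newest snapshot in each of the last `weekly` ISO weeks present
    grandfathers = newest snapshot in each of the last `monthly` calendar months present
    """
    snaps = sorted(set(snapshots))
    keep = set(snaps[-policy["daily"]:])
    keep |= _newest_per_group(snaps, lambda d: d.isocalendar()[:2], policy["weekly"])
    keep |= _newest_per_group(snaps, lambda d: (d.year, d.month), policy["monthly"])
    return sorted(keep)


def restore_point(retained, loss_date):
    """Newest retained snapshot taken before the data was lost, or None if none survives."""
    candidates = [d for d in retained if d < loss_date]
    return max(candidates) if candidates else None


def recovery_gap_days(retained, loss_date):
    """Days of changes that cannot be recovered (loss date minus last good copy)."""
    rp = restore_point(retained, loss_date)
    return None if rp is None else (loss_date - rp).days


def demo():
    """Run the rotation over one constructed year of daily snapshots."""
    today = date(2018, 5, 25)  # constructed reference date
    snapshots = [today - timedelta(days=i) for i in range(365)]  # constructed daily backups
    retained = gfs_retained(snapshots)
    report = {}
    for days_ago in (2, 100, 300):
        loss = today - timedelta(days=days_ago)
        report[days_ago] = (restore_point(retained, loss), recovery_gap_days(retained, loss))
    return retained, report


if __name__ == "__main__":
    kept, rep = demo()
    print("retained:", [d.isoformat() for d in kept])
    for days_ago, (rp, gap) in rep.items():
        print(f"loss {days_ago} days ago -> restore from {rp}, {gap} day(s) unrecoverable")
```

Only 14 of the 365 snapshots survive the rotation. A loss noticed two days later costs one day of changes, a loss noticed 100 days later costs two weeks, and a loss noticed 300 days later has no restore point at all, which is exactly the gap to weigh against a Subject Access Request or the business impact when drafting the policy.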
