Databack - Data Recovery

RGPD, PCA/PRA: The challenges of data recovery


Data recovery poses real challenges for businesses. The entry into force of the RGPD (the GDPR, General Data Protection Regulation) and the requirements of business continuity and disaster recovery planning (BCP/DRP) place it at the heart of Information Systems (IS) governance. The very existence of the company may depend on it.

RGPD: legal obligations and data recovery

The RGPD, the European regulation on the protection of personal data that took effect on May 25, 2018, is not a directive but a regulation, and as such has the force of law. The penalties the CNIL can impose for infringement can amount to up to 20 million euros or 4% of the company’s turnover.

The scope of the RGPD should not be underestimated: it considers personal data to be any information relating to a “natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (…)” (art. 4(1)). Even the most minor customer references, HR records, data associated with a digital badge, and so on are therefore personal data.

In order to comply with the RGPD, companies must therefore take all necessary measures to secure the processing of personal data. This includes “protection against unauthorized or unlawful processing and against accidental loss, destruction or damage” (art. 5(1)(f)). Beyond protecting the data, the RGPD also requires the company to implement “means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident” (art. 32(1)(c)).

Data recovery at the heart of disaster recovery plans

Data recovery is therefore by no means an anecdotal component of the RGPD. In addition to the provisions of Article 32, the RGPD requires companies to report to the CNIL any incident involving a personal data breach. This mandatory notification must, among other things, “describe the measures taken or proposed to be taken by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any negative consequences” (art. 33(3)(d)).

Data confidentiality, integrity, availability and resilience, as defined by the RGPD, now shape a company’s risk management policy. They also condition the development of the BCP/DRP (Plan de Continuité d’Activité and Plan de Reprise d’Activité, the business continuity and disaster recovery plans) and, where applicable, of the PRI and PCI (Plan de Reprise Informatique and Plan de Continuité Informatique, their IT-level counterparts).

Data loss is in fact the most frequent consequence of the disasters that can affect a company. Since the aim of a BCP/DRP is to enable the company to recover, or at least to operate in degraded mode, in the event of a disaster, data availability remains a top priority. While such a plan is naturally expected to limit the impact on the company’s sales and brand image, it is now also drawn up with a view to limiting the legal impact.

18 June 2018