GDPR and Your Data Protection Operations

The Bocada Team | May 24, 2018

Does your organization offer goods or services within the EU, monitor EU residents’ behaviors or have any type of physical or virtual presence in the EU? If so, you’re likely subject to the General Data Protection Regulation, more commonly called GDPR.

Adopted in 2016, GDPR becomes enforceable as of May 25, 2018 and governs data protection and privacy for individuals within the EU. While it aims to simplify international business by consolidating regulations within the EU, it represents a new level of regulatory burden for data protection and storage operations in the region.

Below are the specific GDPR provisions that impact storage and backup administrators, and suggestions about how you can keep your backup processes in sync with GDPR rules.


In its aim to protect the rights of individuals over their data, GDPR include several key articles that have direct implications for data storage, storage visibility, and reporting on storage activities.

Article 4 Definitions

What It Says “For the purposes of this Regulation: (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

What It Means For Backup Article 4 broadens the definitions usually associated with a customer’s or user’s personal information making it that much more important for organizations to have their finger on exactly what is being collected about each and every user, know where the information is stored, ensure that they have the space to store it, and have the policies in place to delete it.

To determine if your environment is prepared for the additional onslaught of data brought on by Article 4, ask yourself if you have:

  • Access to backed-up customer or user information across geographies, even if it’s outside of EU territory.
  • The right retention policies in place to assure no more personal data is retained than is absolutely required by the needs of the business.

Article 17 Right of Erasure

What It Says “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”

What It Means For Backup Article 17 forces organizations to be able to pinpoint a user’s data across their entire backup environment so that it can be deleted in its entirety, no matter where it exists.

To determine if your backup storage and processes can meet Article 17’s guidelines, ask yourself if your current backup protocols let you:

  • Know if information has been duplicated and, if so, where duplicative data lives across your backup environment.
  • Assess if information is stored on-prem, in the cloud, or both.
  • Determine if legacy data is stored in vaults or on tape.
  • Provide sufficient reporting or documentation to verify that data has been erased.

Article 32 Security of Processing

What It Says “…The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

What It Means For Backup Article 32 directly tells organizations that all backed up personal data must be encrypted. Additionally, not only must they be able to restore data in the event that it becomes deleted or corrupted but they must also have a process in place for assessing how effective that restoration process really is (e.g. data audits).

To determine if your backup storage and processes can meet Article 32’s provisions, ask yourself if your existing procedures:

  • Let you see if data is successfully backed up across your entire backup environment.
  • Ensure easy pinpointing of backup failures for quick troubleshooting.
  • Alert you when critical data fails to backup up correctly.
  • Make it simple to report on the efficacy of your backup efforts and your backup health to internal and external stakeholders.
  • Allow you to quickly respond to information requests related to backed up data.


GDPR offers value to end users and consumers by giving them greater control over their personal information. However, in doing so, it adds extra work and complexity for data protection organizations, further stressing your already time-pressed teams.

For teams looking to balance existing protocols with new regulations, automating backup and backup reporting activities can be an effective way to minimize the time needed to stay compliant while effectively overseeing your backup space. When considering tools to automate your activities, consider only those that:

  • Ensure compliance with data sovereignty laws
  • Enable reporting across your entire suite of backup software solutions
  • Consolidate monitoring under a single pane
  • Reduce or remove manual reporting and script writing
  • Function across a full spectrum of backup storage destinations
  • Aggregate backup activities across business functions, business units, and geographies
  • Provide details on stored data at the target, client and server levels
  • Provide audit reporting for any time in the history of your operations

If you’re preparing your backup environment to be GDPR compliant, we encourage you to schedule time for a personal demo of the Bocada’s data protection reporting and monitoring capabilities. When tested in your native backup environment, you’ll see right away how much time you’ll save staying on top of GDPR compliance activities.