GDPR Learning Hub

Article 32 of the GDPR

Disaster Recovery Plan

Companies should establish a Disaster Recovery Plan to complement the business continuity plan. 

A Disaster Recovery Plan complements a business continuity plan

A Disaster Recovery Plan (DRP) is the technical part of a Business Continuity Plan (BCP) and they both go hand in hand. In short, the Business Continuity Plan provides employees with a description of how the company will continue to function in the event of an ongoing crisis.

A Disaster Recovery Plan, by contrast, describes how the IT infrastructure and the processing of personal data are to be restored during or after a crisis. It is also usually more detailed than the business continuity plan.


An organisational safety measure

According to Article 32 GDPR, companies must implement appropriate technical and organisational security measures to protect the personal data they process. A Disaster Recovery Plan is an organisational security measure that may be appropriate for many companies. Among other things, companies must be able to restore the availability of and access to personal data in the event of an incident involving their loss or similar, and a Disaster Recovery Plan is precisely what helps a business do that.

What questions does a Disaster Recovery Plan answer?

  • Which systems are critical for the company? 
  • What is the recovery time of the different systems? 
  • How much data can the company lose?
  • How does the company manage backup files and storage? 
  • What steps should employees take to restore IT systems? 
  • Who is responsible for doing what in the recovery work?
  • How should the company handle communication, internally and externally?

The difference between Recovery Point Objective and Recovery Time Objective

Recovery Time Objective (RTO)

In short, the RTO specifies the maximum time a business-critical process, IT service, application or the like may be out of service after an incident has occurred before the consequences become unacceptable. The focus here is on the time to restore. If the RTO is 3 hours, the system must be restored and operational again no later than 3 hours after the interruption. Keep in mind that the different systems a company uses may have different recovery times. For example, a healthcare record system may need to be restored within minutes, while an HR system can be down for several hours without an unacceptable impact on the company. The lower the RTO, the more advanced the solutions the company needs to implement.

Recovery Point Objective (RPO)

This measure indicates the maximum amount of data loss the company can tolerate, expressed as a period of time counted backwards from the occurrence of the incident. The focus here is on data tolerance and data loss. For example, if the RPO is 15 minutes, data that was created or modified no later than 15 minutes before the incident must be restorable; in other words, at most the last 15 minutes of data may be lost.

The key to an effective Disaster Recovery Plan is a good backup strategy

It is important that the company ensures that the backup settings in its various digital systems are configured as intended. In addition, it is good to test that the backups actually work: that files can be restored correctly and that the backup contains the expected amount of data. If an incident involving the loss of data occurs, the company can then recover the files from the backups.

Step by step instructions for recovery

A Disaster Recovery Plan should be clear and include practical instructions. For example:

  • How to restart the servers. 
  • How to restore databases from backup. 
  • The order in which the different systems used by the company are to be reactivated. 
  • How to re-create applications. 
  • Verification of logs.
  • How network security checks are carried out after an incident has occurred. 

Manual for each system

It is good to create a written manual for each system that the company has identified as critical. For example, it is a good idea to include contact details for the supplier of the system in the manual. 

Responsibilities and division of roles

In order to handle a crisis as well as possible, it is good to clarify in advance who has which roles and responsibilities if such a situation arises, for example which IT technicians are responsible for restoring which systems. With a clear division of roles and responsibilities, the recovery process is more likely to proceed quickly, which helps the company meet its availability requirements.

Communication in case of incidents

Communication within a company is extremely important, especially during a crisis. It is good to clarify how all employees are to be informed in the event of a crisis if the regular communication channel does not work. In addition, the company should clarify who is responsible for contacting external parties, such as suppliers, the national data protection authority and customers.

Test the plan regularly

The only reliable way to know whether a Disaster Recovery Plan works in a real crisis is to test it in practice. Testing is also an opportunity to find improvements before a real crisis occurs. For example, the company should test restoring parts of the system and/or the entire system, train employees through exercises with realistic scenarios, simulate intrusions that lead to fictitious personal data breaches, and so on. Document the tests, the measures taken and how effective they were.
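The restore tests described here, together with the RTO/RPO definitions and the backup checks above, can be recorded in a structured way. The following is an added example, not code from the GDPR Learning Hub: it evaluates one restore drill per system against that system's RTO and RPO and verifies that the restored data matches what was backed up. System names, objectives, timings and data are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256
@dataclass
class Objectives:
    system: str
    rto: timedelta  # maximum tolerated outage, counted forward from the incident
    rpo: timedelta  # maximum tolerated data loss, counted back from the incident

@dataclass
class DrillRecord:
    system: str
    last_backup_at: datetime  # newest backup the restore actually used
    incident_at: datetime     # simulated moment of data loss
    restored_at: datetime     # system back in service
    source_data: bytes        # constructed: data known to be in the backup
    restored_data: bytes      # constructed: data read back after the restore
    expected_records: int
    restored_records: int

def evaluate_drill(obj: Objectives, rec: DrillRecord) -> dict:
    """Check outage against RTO, data-loss window against RPO, and restore integrity."""
    outage = rec.restored_at - rec.incident_at
    data_loss = rec.incident_at - rec.last_backup_at
    # Different bytes or a different record count means the backup failed, however fast the restore.
    integrity_ok = (sha256(rec.source_data).digest() == sha256(rec.restored_data).digest()
                    and rec.restored_records == rec.expected_records)
    return {
        "system": obj.system,
        "outage_minutes": outage.total_seconds() / 60,
        "rto_met": outage <= obj.rto,
        "data_loss_minutes": data_loss.total_seconds() / 60,
        "rpo_met": data_loss <= obj.rpo,
        "integrity_ok": integrity_ok,
        "passed": outage <= obj.rto and data_loss <= obj.rpo and integrity_ok,
    }

def run_sample_drill() -> list:
    """Constructed drill for two systems with different objectives (sample data, not real)."""
    t0 = datetime(2024, 3, 1, 10, 0)  # simulated incident time
    objectives = [Objectives("patient-records", timedelta(minutes=15), timedelta(minutes=15)),
                  Objectives("hr-system", timedelta(hours=8), timedelta(hours=24))]
    drills = {
        "patient-records": DrillRecord("patient-records", t0 - timedelta(minutes=10), t0,
                                       t0 + timedelta(minutes=12), b"ehr-export", b"ehr-export", 50000, 50000),
        # Restored inside RTO and RPO, but one record is missing from the restored dump.
        "hr-system": DrillRecord("hr-system", t0 - timedelta(hours=12), t0,
                                 t0 + timedelta(hours=6, minutes=30), b"hr-dump", b"hr-dump", 1200, 1199),
    }
    return [evaluate_drill(o, drills[o.system]) for o in objectives]
```

The second system shows why timing alone is not enough: it meets both objectives yet fails the drill because the restore returned fewer records than were backed up.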

Document to prove compliance

A Disaster Recovery Plan should be in writing because companies need to be able to demonstrate that they comply with the GDPR in practice, according to the principle of accountability in Article 5(2) of the GDPR. It is also good to have supporting documents for the Disaster Recovery Plan, for example backup routines, routines for personal data breaches and risk assessments.

Update and improve

GDPR compliance is a continuous process that requires regular updating and improvement, and the same applies to a Disaster Recovery Plan. The plan should be updated, for example, when the company introduces new systems or when the company grows and its needs change. The plan should be audited and reviewed at least once a year; larger companies should do so more often.

Learn more

Password management is another organizational security measure that may be useful to take

It is good for companies to establish password procedures for employees as an organisational security measure: in other words, to define how employees create secure passwords, protect them from unauthorised access, act if there is a suspicion of exposure, and so on. In addition, it may be appropriate to require two-step authentication or login via biometric personal data for systems that process sensitive personal data.
