What is GDPR?
GDPR is a legal framework that applies to all members of the EU and EEA and sets stringent requirements for the collection and processing of personal data.
Since the introduction of GDPR (the General Data Protection Regulation) in May 2018, there have been instances where businesses of all sizes have failed to meet its requirements and have consequently been prosecuted.
The maximum fine a business can face is around £18 million, or 4% of annual global turnover, whichever is greater. It is therefore understandable that businesses are investing money in ensuring their compliance.
What is a Disaster Recovery Plan?
A Disaster Recovery Plan is a documented approach that explains how a business can return to normal following an unplanned incident. This document applies to the aspects of the company that depend on fully functioning IT infrastructure and aims to resolve data loss and return system functionality.
How does having a Disaster Recovery Plan enhance GDPR compliance?
Whilst the regulation does not specifically require businesses to have a disaster recovery plan in place, Article 32 of the GDPR does require the following:
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In plain language, this means that under GDPR, organisations are held accountable for their ability to recover lost personal data in a timely manner.
The answer to achieving this is, of course, having a Disaster Recovery Plan in place.
However, simply having a Disaster Recovery Plan in place does not ensure you are protected. You must ensure that any testing you complete is documented and that it genuinely challenges the effectiveness of your chosen solution.
GDPR has given Disaster Recovery testing a new level of importance, and you should ensure that whoever your IT provider is, they are competent and knowledgeable enough to manage this in a secure and effective manner.
What else can happen if I don’t have a Disaster Recovery Plan?
Aside from the GDPR complications that are possible without a Disaster Recovery Plan, there are, of course, additional reasons that organisations choose to put such a document in place.
Downtime costs – Whether your infrastructure is down for 10 minutes or a day, any moment your business is not working, it is losing money. If your leadership team does not have a plan in place, the cost of the disaster will likely be significantly higher.
Trust becomes an issue – If you suffer a data loss, your clients are going to want to know when the business will resume as normal and, most importantly, where their valuable data has gone. If you have a well-equipped Disaster Recovery Plan in place, customers are more inclined to trust you as their provider and to understand that you are on a good footing to resolve the issue quickly.
Operational issues arise – Should you not have a valid Disaster Recovery Plan in place and you encounter an issue, almost every area of your business risks being affected. Even departments you would least expect to be impacted could end up seeing serious consequences of the incident.
What to do if you don’t have a Disaster Recovery Plan in place
Reach out to a respected and knowledgeable IT consultancy such as ourselves and begin the process of having a GDPR compliant Disaster Recovery plan put in place for your organisation.