The impact of GDPR on backup and archive storage

GDPR is still dominating conversations, and although we have moved beyond what GDPR is to how to be compliant, there are still many questions on the horizon. Organisations are looking to see how the IT industry will be impacted and what the future of data storage will look like in the face of growing security and compliance regulations.

Faced with the threat of fines for non-compliance – up to 4% of their global annual revenue, or €20 million – CIOs will need to ensure data security and protection are at the forefront of their agenda.

Article 17

One of the major talking points around GDPR is the implementation of Article 17, which provides each individual with the ‘right to be forgotten’. Organisations are storing and retaining more information each day, and as the digital age continues to evolve, it is easier for companies to capture increasing amounts of data that can help to drive business insight. Companies are continuously storing data that can provide invaluable insights into customer behaviour and trends. GDPR aims to promote transparency so that consumers will know how their data is being used by these organisations, as well as where it is stored.

Under the new article, each individual has the right to understand what data is held on them, and if asked, organisations must be able to delete any information requested – providing them with the ‘right to be forgotten’. While in theory this may seem simple, for some organisations, especially larger global enterprises that store vast volumes of data, it can be a challenge to locate and remove old information.

One of the major problems around this is that organisations tend to have data stored in multiple places or across backup servers. In this regard, traditional backup can be exceptionally challenging to access and navigate. It is designed to provide recovery when data is lost, and access outside of this time can be limited by constraints in the technology – for example, finding individual files is a painstaking and near-impossible process. Organisations will most likely need to delete entire records held on one file rather than pulling out small specific datasets, which isn’t a sustainable method of data storage and most likely breaks other GDPR requirements in the process.

With GDPR being a hot topic, organisations that want to continue utilising the benefits of data storage and backup need to look for alternative methods outside of traditional backup. Businesses do not need to sacrifice the benefits they already receive to remain compliant. With archive as an alternative method, businesses can continue to store and retain data, while having peace of mind that it is easily accessible and can be deleted.

By nature, archives provide an index into a company’s history, which is designed to be accessed for future reference. On top of this, some archiving platforms provide unique fingerprinting of the individual file, which means that, should there be a request to remove information, these files can be quickly identified, located and removed accordingly.

Furthermore, archive systems can provide documented evidence of file removal, should proof be required. Archiving solutions that offer this level of serialisation also provide an added layer of security as it becomes obvious which files have been changed or are missing.

Many organisations implement backup as a way to ensure business continuity in the event of a breach or data loss. This is still fundamentally important, but under the new regulation, as a longer-term solution, organisations should implement archive. This can offer the same, if not improved, levels of data protection and business continuity, but with added measures to ensure compliance.

The advent of GDPR does not mean organisations can’t still take advantage of the benefits that data can bring. Data for many is the lifeblood of the organisation, and with the correct storage and architecture in place that supports GDPR, businesses can still keep lucrative data. Although the shift in the market is inevitable, and in some cases we are still waiting to see what the year will bring, the re-emergence of archive over backup is already starting to be seen by forward-thinking organisations.


By Gary Watson, Co-founder and CTO, Nexsan
