In my recent blogs on the subject of preparing your law firm for GDPR, I have talked about the importance of understanding your data, securing your information systems from internal threats with appropriate access control measures and protecting your firm’s confidential data against cyber security threats.
In today’s article I wanted to talk about the importance of data backup in your preparations for GDPR. Since GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely, data backup forms an important component in demonstrating that your firm is taking due care of the personal data which is entrusted to it.
Aside from GDPR, backups form a key component in the day-to-day running of any IT system, and there are a variety of technologies available including backups to the cloud, backups to removable media and real-time replication to other servers.
It is important to realise that different types of backups are useful in different scenarios, and so more than one type may need to be employed to give you full resilience. For example, cloud backups are a useful way of keeping a copy of your data offsite, which provides for extra protection in the event of a disaster on your premises, which might wipe out locally held backups as well as the live servers. On the other hand, removable media provides a very useful form of backup as it is held off-line and therefore can’t be attacked by cyber security threats such as ransomware. Offline backups can also be useful to facilitate fast restoration, since you do not need to pull the data back over the Internet.
Real-time replication to another server works well when no downtime can be tolerated, but bear in mind if a corruption or accidental deletion of a file occurs, that this will be replicated in real-time to the backup server too.
So there are a number of considerations to any firm’s backup strategy and it may well be appropriate to employ different solutions for different applications or servers.
Full disaster recovery is also an important consideration under GDPR, since if your solicitors’ practice is unlucky enough to suffer a full system failure, be that through a cyber attack like the recent WannaCry ransomware attack, or due to more mundane reasons such as a hardware failure, fire or flood, you need to be able to demonstrate that you have suitably protected the personal data that you store and can recover it successfully.
The first consideration here is for how long your firm could manage without each of its various IT systems and data repositories? This is likely to vary from system to system: for example, you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived cases folder to be restored within 72 hours. So your plan needs to consider each system/data repository you use and assess how long you could manage without it.
The second consideration is around data loss. Again for each system and data repository you need to be clear how much data loss, if any, would be acceptable and tailor your disaster recovery systems accordingly. If no data loss is acceptable, then a real-time replication solution should be considered. Whilst if some data loss is acceptable in a disaster scenario, then you may be able to live with backups that run daily or hourly.
Finally, never underestimate the importance of having an up-to-date, written disaster recovery plan and having tested it on a regular basis.
Should this article have raised questions or concerns around your firm’s current backup and disaster recovery arrangements, please do not hesitate to contact me on (01494) 444065 or mobile 07894-269600 or email firstname.lastname@example.org, for a no obligation discussion around ways Epoq IT can help, which include a full range of backup and disaster recovery solutions, tailored around your firm’s specific needs in regards to recovery times and data loss, and based on an affordable monthly subscription.