Tuesday 21 November 2017

Preparing your Pharma company for GDPR – Data Backup


In my recent blogs on the subject of preparing your pharmaceutical business for GDPR, I have talked about the importance of understanding your data, protecting your data from insider threats, and cyber security considerations.

In today's article I wanted to talk about the importance of data backup in your preparations for GDPR. Since GDPR places accountability on businesses to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely, data backup forms an important component in demonstrating that your organisation is taking due care of the personal data which is entrusted to it.

Aside from GDPR, backups are a key component in the day-to-day running of any IT system, and as such also form an important part of MHRA compliance and HIPAA compliance, as well as coming under scrutiny in audits which many of the large pharma companies are now undertaking on their supply chain.

There are a variety of technologies available including backups to the cloud, backups to removable media and real-time replication to other servers. It is important to realise that different types of backups are useful in different scenarios, and so more than one type may need to be employed to give you full resilience. For example, cloud backups are a useful way of keeping a copy of your data offsite, which provides for extra protection in the event of a disaster on your premises, which might wipe out locally held backups as well as the live servers. On the other hand, removable media provides a very useful form of backup as it is held off-line and therefore can't be attacked by cyber security threats such as ransomware. Offline backups can also be useful to facilitate fast restoration, since you do not need to pull the data back over the Internet.

Real-time replication to another server works well when no downtime can be tolerated, but bear in mind that if a file is corrupted or accidentally deleted, this will be replicated in real time to the backup server too.

So there are a number of considerations to any company’s backup strategy and it may well be appropriate to employ different solutions for different applications or servers.

Full disaster recovery is also an important consideration under GDPR, since if your business is unlucky enough to suffer a full system failure, be that through a cyber attack like the recent WannaCry ransomware attack, or due to more mundane reasons such as a hardware failure, fire or flood, you need to be able to demonstrate that you have suitably protected the personal data that you store and can recover it successfully.

The first consideration here is how long your company could manage without each of its various IT systems and data repositories. This is likely to vary from system to system: for example, you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your plan needs to consider each system/data repository you use and assess how long you could manage without it.

The second consideration is around data loss. Again for each system and data repository you need to be clear how much data loss, if any, would be acceptable and tailor your disaster recovery systems accordingly. If no data loss is acceptable, then a real-time replication solution should be considered. If some data loss is acceptable in a disaster scenario, then backups that run daily or hourly may be acceptable.

Finally, never underestimate the importance of having an up-to-date, written disaster recovery plan and having tested it on a regular basis, which is something I discussed in more detail in this blog.

Should this article have raised questions or concerns around your business’ current backup and disaster recovery arrangements, please do not hesitate to contact me on (01494) 444065 or email gswanwick@epoq-it.co.uk, for a no obligation discussion around ways Epoq IT can help, which include a full range of backup and disaster recovery solutions, tailored around your company’s specific needs in regards to recovery times and data loss, and based on an affordable monthly subscription.

More information about our company and our range of products and services is also available at our website:-

IT Support for Pharmaceuticals

MySecurity - expert security management of all your systems for an affordable monthly fee

MyRecovery – fully managed backup and disaster recovery tailored to your firm’s needs

MyCIO - consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security.