Tuesday, 19 December 2017

Preparing your Pharma company for GDPR – Disaster Recovery Considerations



In my last blog, I talked about the importance of data backup in your preparations for GDPR. Since then a number of you have been in touch with questions, many of which revolved around the wider topic of disaster recovery, so today I thought it would be worth expanding a little on disaster recovery provision, an important topic in relation to both GDPR and MHRA compliance.

GDPR places an obligation on your firm to safeguard the personal data which it holds, and my previous articles in this series have talked about ways to protect your data day-in day-out through effective risk management in relation to cyber security, access control and data backup.

However, with the best planning in the world, sometimes the unexpected does happen. We only have to look at the Wannacry ransomware attack that so devastated parts of the NHS to see the reputational damage and compliance breaches that can be caused by such an eventuality. It is therefore important from both a GDPR and MHRA regulatory perspective to have the appropriate incident response and recovery plans in place to handle such a situation.

The key issues to consider here are:


How Long Would it Take to Recover your Data from your Backup? 

(The Recovery Time Objective or RTO) 

and 

How Much Data Loss, if any, Could Your Business Tolerate? 

(The Recovery Point Objective or RPO) 


The answers to these 2 questions will be fundamental in determining both your backup strategy and your disaster recovery plan.

If you have a recovery time objective of minutes or hours (rather than days) on your critical systems, then you will certainly not have time to source alternative hardware and rebuild servers with operating systems and applications and restore data. In this instance you will need to have the ability to spin up replacement servers on pre-existing hardware, so thought needs to be given as to what and where that hardware is, and whether your backup strategy provides for a complete server backup that can be recovered in this way.

Additionally, if the disaster is such that your offices are incapacitated, or perhaps the emergency services will not allow you access to your premises, then the plan needs to consider where your staff would work from and how they would connect to the recovered IT system.

In terms of the Recovery Point Objective, this is all about data loss, and therefore an important aspect to consider under the GDPR, which obliges you to safeguard the data that you hold. If, for example, you only backup your system once a day, typically overnight, then you could lose up to a day’s work and data in a disaster situation. So you need to consider how you would recreate that day’s data and, if your email server is affected by the disaster, how you would cope with potentially having lost a day’s worth of email correspondence.

There is a huge amount to consider in your disaster recovery planning and in reality the only way that you will know with relative certainty that your disaster recovery plan would work when you need to use it for real, is by testing it regularly. I can’t stress enough how vital testing is to success, as in my experience it almost always reveals deficiencies in the plan, whether these be technical issues, operational issues or revealing that the required RTO or RPO could not be met.

Over the years, I have seen disaster recovery tests that have revealed that backups have not been running successfully, or that they have been running but are not actually restorable, along with backups where certain parts of the system/data have been omitted, and backups that take far longer to restore than expected. Then there are the operational oversights of perhaps the DR plan being stored on the network and hence being inaccessible in a disaster, or the contact details for key personnel, customers or suppliers being unavailable due to the disaster itself which can stop the necessary disaster communications plan being executed as envisaged.

There is plenty of scope for problems, and so testing is vital as it allows such deficiencies to be highlighted before the plan is needed in a live invocation, and the necessary remedial actions to be taken, so that when the plan is used “in anger” there is a much better chance of a smooth, swift recovery taking place.

Many smaller pharma companies who we work with just don’t have the time or technical resources to constantly keep on top of disaster recovery planning and testing, which is what led us to launch our MyRecovery service in 2017. This provides a fully managed backup and disaster recovery service tailored to your business’s needs, encompassing the technologies, testing and operational procedures needed to protect your business and your data. Based on a monthly subscription fee, the service is proving popular with small and medium sized pharma companies as it avoids large capital upfront costs and gives Pharma companies the peace of mind that they have a current, working disaster recovery solution in place with guaranteed recovery times.

I hope that this article has given you some useful insight into the key considerations around disaster recovery planning. If you are concerned that your current disaster recovery plan may not be effective and you would like to arrange for us to carry out an independent review or test of your current disaster recovery plan, or you would like more information about our MyRecovery service, please do not hesitate to contact me on 01494 444065 or email gswanwick@epoq-it.co.uk

_________________________________________________________________________________

Epoq IT work with small and medium size pharmaceuticals businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information on our services please visit our website http://epoq-it.co.uk/pharmaceuticals