Backup Tape Management for GDPR Compliance

And what about your legacy backup data? Data initially used for disaster recovery but now is an archive of all your long-term retention data?

The easiest approach would be to profile the backup data once it is no longer used for disaster recovery, determine what is required for long-term retention, and migrate this content out of backup and into a policy based archive. Once this is accomplished the backup data can be purged.

By eliminating the practice of saving old backup data, specifically backup tapes, companies eliminate the need to manage - and go to – these repositories in the future. By leveraging the GDPR to clean up and remediate legacy tapes, offsite tape costs and ad-hoc eDiscovery costs can be recouped.

Index Engines’ unified information management platform delivers unique technology to support the migration of legacy tape data from tape to disk/cloud. Finding the data that has value, and selectively migrating this content makes for cost effective management of these records. The polices that are defined to support GDPR on the network data content, can easily be applied to legacy tape data in order to streamline the migration.

Index Engines's Workflow vs. Traditional Tape Restoration

IE Workflow

Traditional workflow

Some argue that since tape isn't specifically mentioned, the GDPR doesn't extend to backup tapes, but the regulation discusses processing of citizens data, which they define as follows:

"any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"

Thinking about backup data, this would be included in the above definition. This includes legacy content potentially stored in offsite storage vaults.

The regulation also states that personal data should not be retained outside of its business usefulness, as follows:

"Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research"

Again thinking about backup data, in the spirt of the above statement organizations should not be archiving all this data for long term retention as it is not in the public interest. Additionally, archiving personal data using proprietary backup formats makes conforming with the regulation complex.