The Big Backup Myth

Improved data management and use of structured records provide a better solution to data issues than relying on backups

By Tom Bale, Business Development and Technical Director, Logicalis

There is more data out there than ever before. In 2012 IBM estimated we generate over 2.5 billion gigabytes of data a day – a figure that could go up to 163 zettabytes (163 trillion gigabytes) of data a year by 2025. And we’re creating data at a faster rate – one that will only increase as our use of Internet of Things (IoT) devices grows.

Retaining and managing data is becoming an increasingly significant issue for businesses around the world – and the Channel Islands are no exception.

With data storage and access a key part of new EU General Data Protection Regulations (GDPR) taking effect this month, it’s important to ensure your information management systems are set up correctly for this now, to avoid problems further ahead.

Data backup and data archive are often discussed together, but they’re intended for very different purposes and should be used for different functions.

If an archive is for discovery then backup is for recovery. If you refer to or expect to use a backup as a form of archive then you must ensure that it is searchable and available and that you have the ability to amend, redact and remove data from the data set if required. These properties are not inherent in backup technology, so a backup cannot fulfil that requirement.

A backup is a copy of your live environment for recovery purposes. Any data archive or records that need retention for contractual or legal purposes should be held in your live environment.

While this is the essence of the difference, there are many others. A backup is a straightforward copy of current and active data that sits on your servers. In most cases, archiving indexes and relocates data to a long-term (less expensive) storage location.

With backups, it’s important to be able to recover and restore records quickly to limit operational impact – for example if someone accidentally deletes files, or if they’re compromised during a cyber-attack.

Searchability is one of the most important attributes of an archive. Archives can contain huge amounts of data, created over many years, and you need to be able to access specific files efficiently, which you can do by setting up structured file plans, metadata and standard file naming conventions.

Archives need to be indexed to help facilitate searches when responding to Subject Access Requests (SARs) under GDPR, where you will need to be able to locate all personally identifiable information on a data subject and give it to the subject within one month. You will also need to do this should a data subject invoke the right to erasure and ask you to delete all personally identifiable information about them.

Under GDPR you cannot charge anything other than reasonable admin charges, so it also makes financial sense to ensure your archive is set up to reduce the amount of time staff need to comply with requests.

GDPR does not necessarily have an impact on backups. If backed up data is generally inaccessible, and you can show that under your backup policy the backup cycle will in time erase a subject’s data, you do not have to redact data from backup media. The key is to remove it from your live set and your archive. This again means your archive must be easily accessible and readily searchable, so that you can find, amend and delete data as and when required.

As the risks of a data breach through a cyber-attack continue to grow, organisations should be mindful that backups and archives need 24/7 security monitoring to detect, identify, and resolve security breaches as quickly as possible. As with other areas of data, access to backups and archives should be restricted to authorised users with a legitimate need. And, as with general cyber security awareness, training and testing staff to ensure they are aware of risks, and follow correct procedures, is very important.

Whether you’re storing data for short-term recovery as a backup, or retaining it long-term for discovery and compliance, the same principles of good information management should apply.