28th August 2017

How Virtual1 & Acronis can help your customers prepare for GDPR

Guest Blog written by Guennadi Moukine at Acronis

The European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and it’s going to affect every business operating in the EU or dealing with EU customers. The new regulation replaces the outdated European Data Protection Directive that was adopted in 1995 and is designed to harmonize data privacy laws across the EU member states, protecting EU citizens’ personal data.

Our BackupCloud Partners, Acronis is currently preparing an official statement to announce full GDPR compliance — both as a company dealing with EU customers and as our vendor partner, providing data protection technology to other businesses operating in the EU space. The announcement will be accompanied by a new set of tools that will enable our partners and their end customers to flag, log, store, and delete data in accordance with the new regulations.

Key terms and definitions

Before we take a closer look at what the new regulations entail and how we can help your business to become GDPR compliant, let’s review some key terms and definitions used in the new directive. At this stage it’s also appropriate to point out that this blog post does not constitute a legal advice and is intended, and should be used, for general information purposes only.

  • Controller — “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” This is you, the business operating in the EU or dealing with EU customers.
  • Processor — “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This is your cloud storage provider and/or data protection vendor such as Acronis.
  • Personal data — “any information relating to an identified or identifiable natural person.” This is the focal point and the reason for the entire GDPR.
  • Data subject — the person identifiable by the personal data. These are the people who may ask you to reveal, edit or delete the personal information that you store about them on your servers. You will have to answer every request in a timely manner or risk hefty fines.
  • Right to be forgotten —data subjects have “the right to have his or her personal data erased and no longer processed.” People may request that you delete all their personal data stored on your servers. At this stage, it is not clear if the right to be forgotten also means removing data from backups, because certain types of storage media, for example, tapes, do not allow deleting bits of data without destroying the entire backup. Your business may also be subject to certain backup retention policies for archiving and legal purposes.
  • Personal data breach — “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” You will have to report data breach incidents to “the supervisory authority” within 72 hours after becoming aware of it.
  • Service contract — a service agreement between controller and processor.
  • Data Protection Officer (DPO) — a new position in your company who will be responsible for all issues related to the protection of personal data.

Key requirements of GDPR

The GDPR requires any business operating in the EU or foreign business dealing with EU customers to store and process all personal data within the European borders (unless there is an explicit permission from the data subject to keep his or her data outside the EU).

Personal data can only be kept for as long as it is required for the initial purpose and must be protected in accordance with the new rules. Both the controller and the processor are required to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,”including data encryption and pseudonymisation (“the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”)

The GDPR also calls for a comprehensive reporting mechanism to help the controller identify personal data stored on their servers and also confirm its storage location, encryption or deletion when requested. There must also be an easy way for an external auditor to verify your reports.

Dealing with your cloud storage and data protection vendor

The GDPR impose new security and contractual requirements on organizations (controllers) dealing with cloud service providers and data protection vendors such as Virtual1 & Acronis (processors).

The relationship between controllers and processors can be summarised by the following points:

  • Cloud service providers have to offer sufficient guarantee that the service meets technical and organizational requirements of the new regulation.
  • Service contracts between the controller and the processor prohibit the use of subcontractors without the consent of the controller.
  • On termination of the service contract, all data must be removed from the cloud and the processor must provide sufficient proof that it has been done.
  • Controllers have a duty to report data breach incidents to the regulatory body.

How can Virtual1 help your company to become GDPR compliant?

Working closely with Acronis, Virtual1 will enable our partners and end customers with the appropriate tools to flag data that needs to be compliant. We will also provide tools that log EU citizen data storage and deletion actions. Partners and customers will have the responsibility to appropriately flag the data and use the new tools for reporting and management.

Virtaul1 partners and customers will have to handle the rest of compliance since Virtual1 doesn’t have visibility into the data itself. All data will be forced to be encrypted and neither Virtual1 nor Acronis hold the encryption keys. But you will be able to use the new tools to report whether the personal data is still stored or deleted.

The new tools will complement the exsiting functionality, which is already perfectly suited for your GDPR compliance:

  • Control of data storage location. Acronis data protection solutions are built on top of the Acronis hybrid cloud architecture which allows you to control where your data is stored. On-premises or in a specific European-based datacentre, you have the final say in what to do with the protected data.
  • Data encryption. Acronis offers strong data encryption on-device, in transit and in the cloud. The entire process is automated, and the user holds the key, meeting GDPR data security requirements.
  • Ability to search data inside backups. BackupCloud allows the drill down through backups, making it easy for users to find the required information.
  • Ability to modify personal data. BackupCloud offers an easy way to modify personal data if and when requested by data subjects.
  • Data export in a common format. Acronis technology allows data export in a common and easily usable format (e.g., ZIP archive) to meet the GDPR data portability requirements.
  • Quick data recovery. BackupCloud, powered by Acronis has the world’s fastest data recovery technology. Things like Acronis Instant Restore™ allows users to achieve RTOs of 15 seconds or less by starting your Windows or Linux backup directly from storage as a VMware or Hyper-V VM; no data movement required.
  • Active protection against ransomware. Taking preventative measures is easier and more cost effective than going through with mandatory reporting of every data breach incident. Acronis Active Protection™ detects and blocks ransomware attacks and instantly restores any affected data.
  • Blockchain-based data certification. With the help of Acronis Notary™, protected data can be easily certified with the help of blockchain-based technology to provide immutable proof of data integrity.