Data protection strategies and privacy regulations: Backup vs. archive

Data archiving and backup processes are converging — and that may not be a good thing. The two functions can complement each other, but both provide separate and distinctive functions. It’s beneficial to understand them as separate processes as both are key requirements for data protection and must be applied appropriately and managed to be effective, especially with current privacy regulations. We mustn’t overshadow one or the other by merging the two as one process, or thinking it’s a case of backup vs. archive. For a long time, backups and archives have been a means for businesses to manage electronic data with an emphasis more recently on e-discovery purposes for archives. With the vast uptake of cloud services and enforcement of data privacy regulations like GDPR and the CCPA, this area is still very relevant. Data continues to grow exponentially; it’s collected, stored, managed, and shared. Businesses need to protect it and be able to fulfill their compliance and legislative responsibilities — like the right to be forgotten, among others, when using backup and archive processes.

Data: A business’s lifeblood

Growing cybercrime, new and old regulations, the cloud, and business continuity pressures are all certain aspects of current everyday business. How we run our businesses, design our processes and align our governance and security to meet our business and compliance goals and ensure business success, requires substantial consideration into these areas.

Data is the lifeblood of the majority of businesses. Cyberattacks and data loss, which includes the inability to access or retrieve data, as well as data compromise, have the potential to bring a business to a standstill through legal, reputational, and financial impacts. So, the ability to securely store, recover, search, access, and delete data is critical to any business’s continued success.

Data backup and archive solutions form a primary part of this. Knowing the best ways to implement these processes is crucial to help manage and alleviate data concerns and protect businesses’ (and people’s) data effectively. Additionally, to get it right, we need to understand what, when, why, and how we should be storing, accessing, and using data. This is particularly important when considering the GDPR and CCPA.

Although both backup and archive processes fall under the umbrella of data storage solutions, they have different functions and purposes. They need to be used appropriately to achieve the best results. When considering solutions, you need to ensure that they provide practical functionality, especially to meet changing practices in the workplace and regulations, and to do this an understanding of what is needed, what is most appropriate for the operations, and security requirements must be determined.

Comprehensive data storage technologies exist with different advantages and features. They are easily confused, especially those for backup and archiving. Understanding how these differences can highlight why and when each is needed.

Recognizing their differences and importance

Shutterstock

Put simply, data backups function to restore and data archives function to retrieve. When we use these tools with these purposes in mind, they function as they should and effectively. They are fit for purpose! They can complement each other very well, but should never replace one another.

Data archiving has nothing to do with disaster recovery, and backups should not replace archiving functions. Both are essential to mitigate legal, regulatory, and further risks. Data archiving is a discovery tool rather than a storage tool. It indexes data and has search and tracking capabilities.

Some businesses still rely on a backup as a substitute for an archive. It is not practical to search and retrieve data from a backup that has a purpose to restore, although it may be possible. It uses up resources unnecessarily, takes far too long and is very costly. Furthermore, regulations do not allow unlimited amounts of time to respond to data requests or lawsuits.

Backup vs. archive

Generally, businesses back up their servers, data repositories, and other systems. The data stored in a backup is a copy of the current and active operational data in use. Businesses, in the past (many still do) back up onto physical tapes and drives which are then stored off-premise. Many businesses utilize cloud backup solutions for increased ease of storing and managing data.

Backups are to restore an entire system (OS and data) in the event of an incident or disaster. So, the data stored in a backup usually covers a shorter period, compared to that of an archive and it is updated more frequently.

Archived data, on the other hand, is kept for the long term — many years. The data is usually used infrequently and does not change often. However, archived data is readily searchable and accessible on demand.

The purpose of an archive is to retrieve data. Its primary function is not to store data (even if it’s used as a space-saver). It is not used to restore systems to the latest version but provides access to data (long-term storage) for historical, compliance, and legal purposes.

Archiving is essential for multiple reasons. Including maintaining resources, performance, and scalability. Also, to effectively manage and maintain data for the long term and to observe compliance and governance of regulation and policies.

Backup vs. archive: Key differences

Backup

Archive

Restore to a previous point in time Index, search, and retrieve
Disaster recovery Respond and report
A workable, most current version of operational data Manage corporate knowledge and historical data for the long term (not for operational data)
Reduce downtime and repercussions that otherwise result in an interrupted or halted business function Provides access to data for permanent records, legal, documents, and correspondence
Shorten recovery time and improve recoverability after a disaster incident E-discovery
Unify content, manage a variety of data sources and data types
Analysis and audit capabilities
Retention policies
Regulation and compliance

Relevance to data privacy and protection

Backup

Data is spread across multiple environments and components and can be challenging to manage and track without proper planning and solutions.

Data protection regulations have added some complications to backups and archives. For example, when observing the right to be forgotten or right to erasure. Businesses need to locate and delete personal information when requested to do so. If this data is backed up, it needs to be discovered and removed promptly. Hence, the importance of knowing what data is being backed up and archived.

If traditional backup methods are used (tape backups), this is particularly challenging and impractical. However, encryption can be useful. By encrypting personal information with an individual key (before it is backed up), an exclusive data subject’s data can be deleted by deleting the encryption key, no matter where the data is stored — on tape or in the cloud.

Data subjects need to be assured that if a backup containing personal data is restored to systems for recovery purposes that their data is deleted.

So, by encrypting the data first, when it needs to be deleted, the encryption key can be deleted instead of locating the data — hence destroying all the data linked to that particular key (cryptographic erasure).

Alternatively, be particular about the data that you back up and avoid backing up personal data, instead archive it. Archived data is more easily managed and searchable. Only backup nonpersonal information that is needed to restore your systems.

Make sure that your backups are secure, and the data is protected, and access to it controlled.

Archive

Before firmer data protection regimes, data archives were easily neglected and not paid due attention. The type of data archived, how long it was held for, how or by whom it was accessed, or the efficiency of retrieval or accuracy and reliability of the data may not have been suitably considered. Data may have been archived without any intention of needing it. With growing costs, possibly, the only limiting parameter to data archiving. Data were archived, held on to, for “just in case,” perhaps for one day, if it was needed. We all have a drawer or box (or two) in our homes with a similar purpose — where we keep random bits and bobs for one day (a day that never arrives) — for if we need it!

With the enforcement of regulations like GDPR and CCPA, a business’s approach to data archiving had to change to comply with advances in regulation and to meet data controller and processor responsibilities to observe the rights of data subjects and consumers.

So, data archiving can no longer be an afterthought and left to chance, but needs to be a well thought out, structured process that is maintained and meticulously followed. We can no longer use the ‘chuck it in the drawer for later approach’.

Businesses must:

  • Know where the data is and where it is transferred to.
  • Know the type of data stored.
  • Have a data retention policy.
  • Maintain data’s completeness and accuracy.
  • Control the access to data.
  • Only keep data that is legally allowed, and only for the time that it is needed.
  • Have a secure way to process data.
  • Have a secure means to transfer it.
  • Have the means to stop processing, delete or securely remove it (right to be forgotten).
  • Have a way to discover and retrieve data to address privacy rights.
  • Maintain its security and privacy.
  • Provide personal data on demand.
  • Maintain records of data processing activities.

Active archiving is critical to enabling businesses to observe privacy rights and comply with privacy regulations. This is facilitated by effective data archiving technologies. So, data can be adequately secured, managed, maintained, tracked and securely accessed and searched.

To merge or not to merge … that is the question!

A loss of personal information or personal information not being accessible is a breach of the GDPR. Processes, operations, including critical public functions, rely on data being continuously available or accessible to those authorized to access it. The dependence on accurate, accessible and reliable information is vital and without can have potentially devastating consequences. So, data loss or interruption effects can not only impact an organization but depending on the processes or operations the data is used for (health care, utilities, and so forth) — can severely impact the wider public.

Without data backups, disaster recovery cannot happen! Data backups make it possible to return systems to the state before an incident occurred; to recover the information that is lost. Without data archives, data discovery and retrieval functions are complicated and observing regulatory responsibilities more challenging.

Progress has been made to evolve technologies, to bring together backups and archives. However, it’s crucial to ensure you still achieve the equivalent functions as you would with two individual solutions. Each technology has a specific purpose, and each goal must be met to properly secure and manage the data and meet regulatory and compliance obligations efficiently.

The two technologies should complement each other so that you can protect against interim loss of data (through backups) and adequately manage and maintain long-term essential data types and content, ensuring data is readily accessible and searchable.

Featured image: Pixabay

Monique Magalhaes

Monique Magalhaes is a DP Executive and facilitator of data protection and information governance at Galaxkey, a company specialising in data protection and security solutions. She is a researcher, writer, and author of technology and security.

Share
Published by
Monique Magalhaes

Recent Posts

Hardware RAID vs. software RAID: Pros and cons for each

RAID is a technique to virtualize independent disks into arrays for improved performance. Should you…

3 days ago

After the plague: What IT will look like in a post-COVID-19 world

COVID-19 has changed everything, but once it disappears, we will not go back to how…

3 days ago

Solved: Outlook defaults to Microsoft 365 version with Exchange server

An Exchange server with a hybrid connection to Microsoft 365 is usually pretty seamless —…

4 days ago

How chatbots are changing the way teams communicate internally

Chatots are primarily thought of as consumer-facing solutions. They bring life to customer interactions by…

4 days ago

Hakbit ransomware campaign targeting specific European countries

The newly uncovered Hakbit ransomware campaign spread via spear-phishing emails may indicate a shift in…

4 days ago

Credential stuffing: Everything you need to know to avoid being a victim

Credential stuffing is yet another weapon being used by cybercriminals. Here’s what credential stuffing is…

5 days ago