The EU’s General Data Protection Regulation (the GDPR), which comes into force in May 2018, places obligations on Data Protection Officers (DPOs) to protect and encrypt personal data, even in backup/disaster recovery processes.
The decision to leave the EU will not affect the commencement of the GDPR, so companies should already be extending and testing their backup/disaster recovery procedures to ensure they will be compliant.
With the GDPR's extended definition of personal data covering information such as online identifiers (e.g. an IP address), the scope and amount of data you may need to include in your backup/disaster recovery run in the future could be substantial. To comply with the GDPR, backup and disaster recovery processes need to be reviewed and tested because, even during recovery periods, companies still need to know how and where personal data is stored.
Although the Government's regulatory approach to data security post-Brexit is unknown at the moment, these regulations will still impact on any business, whether based in the EU or not, that holds the personal data of EU citizens.