The EU’s General Data Protection Regulation (the GDPR), which has applied since 25 May 2018, places obligations on data controllers and processors to protect personal data with appropriate technical and organisational measures; Article 32 names encryption as one such measure. These obligations cover every copy of the data, including backups, replicas and disaster-recovery sites, and it is typically the Data Protection Officer (DPO) who has to verify that they are met there as well as in production systems.
When the UK exits the EU, the EU GDPR will no longer apply directly as UK law. The government intends to carry the GDPR over into UK law, with the changes needed to tailor its provisions for the UK (the “UK GDPR”). Note that UK organisations which offer goods or services to, or monitor the behaviour of, individuals in the EU will still fall under the EU GDPR through its territorial scope (Article 3(2)), and so may have to comply with both regimes.
Because the GDPR’s definition of personal data extends to online identifiers (for example an IP address), the amount of data in scope within a backup or disaster-recovery set may be substantial: log files, analytics exports and database dumps all count, not only customer records. To stay compliant, backup and disaster-recovery processes need to be reviewed and tested regularly, because the obligations do not pause during an incident. Even while running from a recovery site, a company must still know where personal data is stored, how it is protected (including who holds the encryption keys for backup media), and how it will honour data subject requests and the 72-hour breach-notification deadline.
In readiness for exiting the EU, DPOs should map their data flows and identify every point at which data from the UK is transferred to a country outside the UK, including replication of backups to cloud regions or recovery sites abroad, as these transfers will fall under new UK transfer and documentation provisions; flows from the EEA into the UK should be reviewed for the same reason, since the UK will become a third country from the EU’s perspective. More generally, to ensure future compliance with the UK GDPR, DPOs should review all data structures, processing operations and data flows and update their records of processing accordingly.