OwnBackup for GDPR


Prepare Your SaaS Data Backup Strategy for GDPR


The General Data Protection Regulation (GDPR) is the biggest shakeup of data protection laws in nearly 25 years. For the uninitiated, GDPR is designed to give EU individuals better control over how their personal data is collected, processed, and stored. It also significantly improves the transparency organizations must provide on how that data is being managed.

GDPR, while approved in April 2016, becomes legally enforceable on May 25, 2018. It applies to everyone involved in the processing of data about individuals in the European Union (EU), regardless of whether the organization is located within the EU. Contrary to popular belief, GDPR is not an unreasonable legal imposition, rather it is an important right for EU Individuals as well as an opportunity for organizations to deepen their commitment to data privacy and protection of all personal data.


While OwnBackup will be fully compliant by May 25, 2018, we thought we’d share our approach as it pertains to the SaaS backup and recovery space and how we empower our customers as well as support the critical rights of EU citizens.




OwnBackup Data Protection Solution for GDPR

In the GDPR context, our customers are defined as Data Controllers and OwnBackup is defined as a Data Processor. Therefore, OwnBackup is prepared to assist our customers in responding to requests from Data Subjects exercising their rights.

As a Data Processor in the cloud backup and recovery space, OwnBackup has carefully considered how to give its customers relevant and appropriate support when Data Subjects exercise their data privacy rights. The OwnBackup GDPR Data Protection solution focuses on four key capabilities:





Common GDPR and SaaS Backup Questions Our Customers Ask


As a Data Controller, what do I need to be asking my SaaS backup Data Processors before GDPR enforcement begins May 25th?


When third parties process data on your behalf, you’re obligated to ensure they have sufficient guarantees and technical measures in place to protect the rights of the Data Subject. Consider the following areas when engaging third parties:

  • How are your vendors meeting the necessary standards for data security and privacy? This includes both contractual and regulatory obligations.
  • Are your vendors able to demonstrate robust privacy, data protection, and other security practices around their network and infrastructure?
  • How are your vendors able to support a culture of privacy by design?
  • How do your vendors help you manage your obligations as a Data Controller?



Should US and Non-European companies be concerned about GDPR?


Yes! If you are capturing and storing personal data of European Data Subjects, you must pay attention to GDPR. Whether that data is stored in the EU or not, your company will be held liable under the GDPR requirements. In other words, if you offer goods and services to, market to, or process the personal data of citizens of EU member states, capturing EU Data Subject personal information, you will be impacted by this regulation.



How do I find and access Data Subjects' information that may reside in my data backups?


As a Data Controller, you're responsible for maintaining an inventory of personal data, including the data in your archives. This can be one of the more difficult obligations of a Data Controller, particularly because you must not only furnish your Data Subject(s) with details of how their data is handled, shared, and used, but also provide notification without undue delay. Data Controllers using OwnBackup will be able to perform global personal data searches across their archives, identifying the region and attachments in which the personal data resides. This will be possible on-demand and within minutes.



As a Data Controller, how long do I need to keep backups for?


When determining your retention period, you need to account for the category of data you have captured, your legal right to maintain it, and any regulations that would affect the retention of this data. As a Data Controller, based on your business' risk tolerance, privacy impact assessment, and compliance obligation(s), you can decide whether it's appropriate to retain data, for example, for 6 months or for 6 years. OwnBackup supports custom retention policies to match the period you need without compromising your ability to meet your regulatory data retention obligations.



As the regulatory body that will enforce GDPR, how has the Information Commissioner's Office (ICO) defined "privacy by design"?


"Privacy by design" requires that privacy and data protection controls are the common thread woven into each aspect of your technology stack, from code development, to product features, to the risks of how you process and retain data. How well these factors tie together determines your compliance with the rights and freedoms afforded to EU individuals under GDPR.



OwnBackup GDPR Resources

Webinar: GDPR Right to be Forgotten - Compliance for your Backups

Blog Post: GDPR Subject Access Requests: Can You Respond?



Have more GDPR questions?

Contact us to find out how OwnBackup can help you keep your data, backups, and attachments compliant with GDPR.

Every organization’s approach is different and depends on many factors, including the type of data, the regulatory environment you operate within, and your current privacy and security capabilities. Our aim is to provide helpful guidance, but not legal advice.