Common GDPR and SaaS Backup Questions

    As a Data Controller, what do I need to be asking my SaaS backup Data Processors?

    When third parties process data on your behalf, you’re obligated to ensure they have sufficient guarantees and technical measures in place to protect the rights of the Data Subject. Consider the following areas when engaging third parties:

    • How are your vendors meeting the necessary standards for data security and privacy? This includes both contractual and regulatory obligations.
    • Are your vendors able to demonstrate robust privacy, data protection, and other security practices around their network and infrastructure?
    • How are your vendors able to support a culture of privacy by design?
    • How do your vendors help you manage your obligations as a Data Controller?

    Should US and Non-European companies be concerned about GDPR?

    Yes! If you are capturing and storing personal data of European Data Subjects, you must pay attention to GDPR. Whether that data is stored in the EU or not, your company will be held liable under the GDPR requirements. In other words, if you offer goods and services to, market to, or process citizens of EU member states, capturing EU Data Subject personal information, you will be impacted by this regulation.

    How do I find and access Data Subjects information that may reside in my data backups?

    As Data Controllers, you’re responsible for maintaining an inventory of personal data, including the data in your archives. This can be one of the more difficult obligations of a Data Controller, particularly because you must not only furnish your Data Subject(s) with details of how their data is handled, shared, and used, but also provide notification without undue delay. Data Controllers using our application can perform global personal data searches across their backups, identifying the region and attachments in which the Personal Data resides. This is possible on-demand and within minutes.

    As a Data Controller, how long do I need to keep backups for?

    When you consider determining your retention period, you need to account for what category of data you have captured, your legal right to maintain it, and any regulations that would impact the retention of this data. As a Data Controller, based on your business’ risk tolerance, privacy impact assessment, and compliance obligation(s), you can decide whether it’s appropriate to retain data, for example, for 6 months or for 6 years. We support custom retention policies to match the length of period you need without compromising your ability to meet your regulatory data retention strategies.

    As the regulatory body that will enforce GDPR, how has the Information Commissioner's Office (ICO) defined "privacy by design"?

    “Privacy by design” requires that privacy and data protection controls are the common thread that has been weaved into each aspect of your technology stack from code development, to product features, to the risks of how you process data and retain data. How well these factors tie together determine your compliance with the rights and freedoms afforded EU individuals under GDPR.

    « Previous ArticleNext Article »

    Contact Us

    Sometimes you just want to talk to someone. Our customer support team is available by phone:
    Request a Technical Support Call Back