With GDPR coming into effect on 25 May 2018, it's costing businesses significant time and money to ensure compliance with the new regulations. Rather this than risk a fine of 4% of turnover or \u20ac20million. But when it comes to your IT have you really covered all bases? Have you thought about your disaster recovery and properly assessed whether this is compliant also? It's crucial that you do so as one small slip-up by any one of your data processors could leave you paying the penalties. In 2016 the ICO imposed penalties of \u00a32,155,500 on 21 companies, and fines are increasing year on year.\n\nPlaying it by the rules\n\nThe rules for GDPR are as applicable to your DR systems as they are your production systems, so ensuring they are compliant is critical. Whether you manage your DR in-house or use an external DR provider, there\u2019s a high chance that you\u2019ll need to do things differently. Article 32(1) of the new GDPR regulation states: \u201cTaking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.\n\n(a) the pseudonymisation and encryption of personal data; => Article: 4 (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.\u201d\n\nYou should be able to demonstrate processes around the security, availability, recovery and testing of your IT systems which encompasses disaster recovery. Furthermore these processes need to be of an adequate standard to ensure timely and effective recovery without risk to the confidentiality and integrity of a consumer\u2019s information.\n\n[Related: General Data Protection Regulation (GDPR) requirements, deadlines and facts]\n\nSecurity\n\nSecurity is made up of 3 building blocks\u2013 confidentiality, availability and integrity. ISO27001 provides a comprehensive framework for developing, implementing and maintaining an independently auditable information security management system (ISMS), aligned with GDPR policies. If neither you nor your DR provider is ISO27001 certified then it would be beneficial to do so through a reputable provider such as the BSI. If you are ISO27001 certified but your DR provider isn\u2019t then you are at risk of your certification being null and void, so it\u2019s important to check on the status of your DR provider\u2019s certification.\n\nGDPR comes with more stringent rules around data being transferred outside of the EU so you should verify where your data is being held. If it is being transferred outside of the EU then the conditions of chapter 5 of GDPR need to be met.\n\nA full process around data breaches should be made available by your provider and aligned with yours to ensure there are no holes that could be seen as a vulnerability.\n\nRecovery\n\nIt\u2019s well worth checking your provider\u2019s recovery commitments. There are two performance elements to IT recovery: 1. How long it will take to achieve full return to service, and 2. How much data could be lost during the recovery process. You\u2019ll no doubt have recovery time objectives (RTO\u2019s) and recovery point objective\u2019s (RPO\u2019s) in place, but are there any guarantees or consequences to them should they not be met, or are they merely \u2018hopeful targets\u2019? In order for your recovery to meet GDPR regulations you should demand more certain outcomes such as guarantees from suppliers to ensure you are not at risk.\n\nYou should also review the process of keeping your backup data up to date in order that subjects can access, erase or amend their data. How frequently will your backup data be updated and is this frequently enough to keep you compliant should you need to failover to your DR systems?\n\nTesting\n\nTesting of your DR systems should be documented in order for you to prove that your procedures are in line with compliance. How often are DR tests performed and do these tests merely check that the data has been backed up or do they test the recoverability of systems, applications and data? Daily testing of DR systems to application level with certification will no doubt protect you against all risks and prove compliance, but is this possible through your current supplier or in-house team? Disaster recovery testing is probably the main area for companies to drive harder in terms of compliance.\n\nContract amendments\n\nContractually you should confirm with all DR and backup providers that they are a 'data processor' and seek new contracts from them which state this. Under GDPR rules, anyone obtaining, holding or retrieving data is considered as a \u2018data processor\u2019 and is therefore subject to the compliance. You should also have a data sharing agreement drawn up to confirm how the data can be used along with disclosure policies. This will ensure your DR provider has thought about GDPR.\n\nIf you\u2019re at all worried about GDPR then certification through a reputable body is recommended and will be encouraged to protect yourself against repercussions.