Forum of Private Business: GDPR Guide

Page 95

4.7 Backup and restoration

Your business has established a process to routinely back up electronic information to help restore information in the event of disaster. Your business ensures protection against the loss of personal data.

• Not yet implemented or planned
• Partially implemented or planned
• Successfully implemented
• Not applicable

You should take regular back-ups to help restore personal data in the event of disaster or hardware failure. The extent and frequency of back-ups should reflect the sensitivity and confidentiality of the personal data and its criticality to the continued operation of the business. Ideally, you should keep back-ups in a secure location away from the business premises and regularly test the restoration of personal data to check the effectiveness of the back-up process.

Areas for focus and suggested actions

You should take regular back-ups to help restore personal data in the event of disaster or hardware failure. The extent and frequency of back-ups should reflect the sensitivity and confidentiality of the personal data, and its criticality to the continued operation of the business. You should:

• Establish a process to routinely back up electronic information to help restore information in the event of disaster.
• Ensure back-ups are kept in a secure location away from the business premises.
• Test the restoration of personal data regularly to check the effectiveness of the back-up process.

Guidance: Backups, Get Safe Online website, www.getsafeonline.org/protecting-your-computer/Backups/

4.8 Monitoring

Your business has established a process to log and monitor user and system activity to identify and help prevent data breaches. Your business records events and generates evidence.

• Not yet implemented or planned
• Partially implemented or planned
• Successfully implemented
• Not applicable

Monitoring and logging can help your business to detect and respond to external threats and any inappropriate use of information assets by staff. You should continuously monitor inbound and outbound network traffic to identify unusual activity (e.g. large transfers of personal data) or trends that could indicate an attack. Business systems should be capable of logging user access to systems holding personal data in support of access control policy monitoring and investigations.
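The two monitoring outcomes described above (an access record for systems holding personal data, and an alert on unusually large outbound transfers) can be produced from a simple access log. The following is an added example written for this guide, not code from the Forum of Private Business; the log format, the list of personal-data systems and the 100 MB per hour threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, action, system, bytes sent out
SAMPLE_LOG = """\
2018-05-20T09:12:01 alice read crm-db 12000
2018-05-20T09:15:44 alice export crm-db 90000000
2018-05-20T09:20:10 alice export crm-db 120000000
2018-05-20T10:02:33 bob read wiki 5000
2018-05-20T23:41:07 carol read hr-db 800
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
PERSONAL_DATA_SYSTEMS = {"crm-db", "hr-db"}   # assumption: systems holding personal data
OUTBOUND_THRESHOLD = 100_000_000              # assumption: 100 MB per user per hour
WINDOW = timedelta(hours=1)

def parse_log(text):
    """Parse log lines into (timestamp, user, action, system, bytes); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not stop monitoring of the rest
        ts, user, action, system, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), user, action, system, int(nbytes)))
    return events

def access_records(events):
    """Evidence for access-control monitoring: every access to a personal-data system."""
    return [(ts.isoformat(), u, a, s) for ts, u, a, s, _ in events if s in PERSONAL_DATA_SYSTEMS]

def large_transfer_alerts(events):
    """Flag a user whose outbound bytes in any sliding one-hour window exceed the threshold."""
    by_user = defaultdict(list)
    for ts, user, _, _, nbytes in events:
        by_user[user].append((ts, nbytes))
    alerts = []
    for user, items in by_user.items():
        items.sort()           # oldest first so the window can slide forward
        start, total = 0, 0
        for ts, nbytes in items:
            total += nbytes
            while items[start][0] < ts - WINDOW:   # drop events older than one hour
                total -= items[start][1]
                start += 1
            if total > OUTBOUND_THRESHOLD:
                alerts.append((user, ts.isoformat(), total))
                break          # one alert per user is enough to trigger review
    return alerts
```

Running `large_transfer_alerts(parse_log(SAMPLE_LOG))` flags alice, whose two exports within ten minutes exceed the hourly threshold, while the small reads by bob and carol raise nothing.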

A Guide to GDPR 2018

