What companies need to consider for secure data storage according to GDPR (2023)

What's the matter?

Over the past two decades, data storage has undergone a transformation. Up to now, companies in particular have mainly backed up their data on their own servers or data carriers. Nowadays they are increasingly setting upexternal service providers with high-performance servers. High data security, fast write and read access and unlimited expansion of storage capacity are just a few of the few advantages. But which storage medium should you rely on for your company? What disadvantages result from the possibilities? And what should you use fordata protectionwhat to pay attention to when storing data and losing data? You can read more about this in our article.

1. Data Storage and Backup: What's the Difference?

At first glance, the term data backup could be a synonym for data storage. But are the terms to be used synonymously? What is data storage? When storing data, data isarchived and stored for the long term. The data remains unchanged.

And here is the difference to data backup: Sensitive data fromPursueshould not only be saved, but above allsecuredbecome. Not every storage location is therefore suitable for data backup.

To prevent a broken data carrier, theGDPRto comply and theIT securityto ensure it is necessary that data is regularlycopied to different mediabecome. This is calledBackup. For example, if the data is no longer accessible on an external hard drive because the hard drive is defective, you can still access the data provided you have made a backup.

How does data storage work?

Information is stored on a data memory. This allows the user to read the information at any time. To save the files, a storage medium or adiskneeded.

There are various ways of storing the data digitallyexternal data media such as hard drives via cloud-based or self-hosted servers. You can read about the advantages and disadvantages of data storage in different storage locations in the third chapter of this article.

2. Data storage according to GDPR: What companies have to pay attention to legally

On-site tracking (link to sub-hub Tracking) is a popular marketing tool. Use it on your site thoughTracking-SoftwareIn any case, in order to collect information from your users or customers, the data collected must beanonymized or pseudonymizedbecome – so it writesGeneral Data Protection Regulationbefore.

It is important that you always keep your website visitors in theCookie Bannerthe possibility of oneOpt-Outsand the user can thus actively refuse tracking and cookies (link to the "Tracking & Cookies" hub).

For companies, thesecure data storageimportant. Once you as a companypersonal datacollect, save and manage, the strict rules of the General Data Protection Regulation (GDPR) apply. In principle, you may only process personal data if the processing pursuant to Art. 6 Para. 1GDPRis required by law. Otherwise you have toObtain consent from the individualwhose personal data you want to process.

Above all, the purpose of the data collection (link to the "Data collection" spoke) must be specified before the data is stored. can be saveddifferent information. This can be a person's name and address, as well as their date of birth and e-mail address.

Data storage: How long is data stored?

In theLength of timeWhen it comes to the storage of personal data, the purpose plays a crucial role. The data can be loudGDPR stored only for as long as they are needed. The principles of storage limitation (Art. 5 Para. 1 lit. e GDPR) and the principle of data minimization (Art. 5 Para. 1 lit. c) play a decisive role here. As soon as the purpose no longer applies, the data records must be deleted immediately (Article 5 (1) (b) GDPR).

Example:The customer of yoursOnline-Shopsregisters with his e-mail address for the newsletter dispatch. You can use the email addressfor the purpose of sending the newsletter emailssave on computer. However, as soon as the customer opts for theNewsletterunsubscribes, you must delete their personal data.

This is to ensure thatpersonal datanever stored longer than necessary. Further deletion obligations result from Art. 17 GDPR. Accordingly, data subjects can have their data deleted upon request or revoke their consent. If you do not comply with this request as a company, you must go with usfines and claims for damagescalculate.

Here it is advantageous if you use one for your companyData storage deletion conceptput on. In this way, you can keep an eye on the corresponding deadlines for the files and regulate corresponding responsibilities among employees.

How do you need to protect the data while it's in storage?

Basically you can use the recordsboth electronically and in paper formstore. Separation of the data that is still actively used is particularly useful for data that you store solely because of the statutory retention obligation.

3. Data storage options

In order for you to securely store data electronically, you needstorage devices. These primarily include DAS storage (direct attached storage) and network-based data storage (NAS). How exactly these work and what advantages and disadvantages they offer can be read below.

Direct Attached Storage (DAS storage)

When you back up records to DAS storage, the information resides on a directstorage medium connected to the PC. As a user of the computer, you have direct access to the data medium. This can be, for example, CDs and DVDs, hard drives, flash drives or solid-state drives (SSDs).

As a file system, the DAS storage is particularly suitable for backing up data fromlocal recordsat. If you want to call up the data together with other people at the same time and/or from any location, this variant is not suitable.

In addition, with this form of data storage, you should be aware that the data will degrade over time due to chemical decomposition processeslose informationcan. This period of time varies depending on the data medium.

Network-based data storage

As the name suggests, data storage takes place herein a networkinstead of. Above all, this cloud data storage offers the advantage that several users can work at the same time andlocation independentcan access the data. Because the information is backed up on a server at a different location, this online data storage is more secure than that using DAS storage.

Network-based storage includes e.g. theNetwork Attached Storage (NAS)and theStorage Area Network (SAN). NAS systems are server services that provide the appropriate file systems that you can access via LAN or WLAN. The data storage consists of one or more server-independent hard disks.

SAN, also called storage area networks, are mainly forHigh-speed transfers of large amounts of databeen developed. SAN is an extension of DAS storage. Using SAN, several servers can be connected to several storage systems via a network.

DAS storage and network-based data storage in comparison

You can see them in our tableAdvantages and disadvantagescompare the individual data storage options:

4. Enterprise Data Storage: Redundant Data Storage (RAID)

As these individual systems of data storage show, it is particularly important for companies to keep the datato secure multiple timesso they don't get lost. A so-called RAID is aredundant data storageon different hard drives. This increases protection against data loss.

Example:A hard drive has a hardware defect. If you have also backed up the records to other hard drives, you still have the ability to easily access the data. If you only want the data on thedefective hard disksaved, they may be broken or incomplete.

The RAID can be indifferent levelsbe subdivided:

• RAID-0:Increased speed by dividing the data sets on two hard disks. In the event of a failure, the data is lost because both hard drives contain different data.
• RAID-1:Protection against failure by storing the identical data sets on two hard disks. If one hard drive fails, the data is still available on the other.
• RAID-5:Data packets are split across three or more hard drives. Parity data is used to check whether there have been any losses during storage. This is how they can be restored. However, if two or more hard drives fail, the data is lost.
• RAID-6:Data storage on at least four hard drives, two of which are used as data backup media. Data packets are otherwise divided. A failure of two hard drives at the same time is therefore not a problem.
• RAID-10:Mixture of level 0 and 1. Storage of the identical data packets on two hard disks. If two specific hard drives fail, the data is still secured. The writing and reading speed here is faster than at level 6.

However, you should note thata RAID cannot replace a backup. With a RAID, the data sets are only protected in the event of a hard disk failure. Software bugs andvirusesbut can still cause lost data.

5. Security risks of different storage media

If you as a company process personal data, proper data backup is essential. Depending on the data medium arisedifferent security risks, which you should consider.