Businesses hold a great deal of personal information about their employees and their customers. Privacy laws create restrictions on how that information should be handled. Those with a need to know from a business perspective are allowed access, but most of your employees–and certainly the public outside of your company–should never be able to view it. While your everyday systems are designed to protect this data, if your disaster recovery plan is not equipped to maintain security, you risk running afoul of privacy laws.
For your privacy preservation needs, you need to create two sides of your plan. First, you need to ensure your disaster recovery plan prevents physical access to data locations. This includes access to your servers and your hard copy files. Too often, in the event of a disaster, this this becomes a neglected aspect of your security. As people move through your building, you have to lock down any server and file rooms that hold personal information on site. The more you can do to preserve the measures in place from a physical security standpoint, the better your plan will do at maintaining privacy.
Additionally, your need to ensure you do not allow access beyond the people who need it for business purposes. A good disaster recovery plan includes contingencies and redundancies in your emergency personnel to ensure all of your business functions can continue. Still, those redundancies cannot allow access to your customers’ or employees’ personal information to go unprotected. Any breach, whether physical or cyber-attack, should meet an immediate response that closes off any unnecessary access to this data.
When you create a disaster recovery plan, part of the process is ensuring that your essential business functions can continue. What many do not understand is that security is not just about what does or doesn’t happen. Security is also about taking proactive steps that are, in fact, part of your essential business functions. Shifting your mindset from rebuilding defenses to maintaining the processes required can really assist your efforts in protecting your data.
Your disaster recovery plan should always work to protect the privacy rights of everyone connected to your organization.