GRCWatch
Sign inStart free trial

GDPR A32-04: Restore Availability and Access to Personal Data

Data breaches and technical failures don't just threaten compliance—they destroy customer trust. GDPR Article 32 requires you to restore personal data availability and access in a timely manner after physical or technical incidents. This control ensures your organization can recover from disasters without prolonged data unavailability.

What this means

This control mandates that you establish and maintain processes to quickly restore access to personal data following any incident that compromises its availability. Whether facing a ransomware attack, hardware failure, or natural disaster, you must demonstrate the ability to recover data and resume normal operations within acceptable timeframes. This includes having tested backup systems, documented recovery procedures, and defined recovery time objectives (RTO) that align with your business needs.

How to comply

  1. 1.Establish a backup strategy that captures all personal data at defined intervals (daily, weekly, or continuous depending on criticality)
  2. 2.Store backups in geographically diverse locations separate from primary systems to protect against localized disasters
  3. 3.Implement automated backup verification and integrity checks to ensure backups are restorable when needed
  4. 4.Document recovery time objectives (RTO) and recovery point objectives (RPO) for each data system or category
  5. 5.Create detailed, step-by-step disaster recovery procedures for each critical system
  6. 6.Conduct annual disaster recovery drills to test restoration capabilities and identify gaps
  7. 7.Maintain an inventory of all systems containing personal data and prioritize them by criticality
  8. 8.Document access controls and restoration procedures so authorized personnel can execute recovery even under stress
  9. 9.Establish clear communication protocols for notifying stakeholders during data unavailability incidents
  10. 10.Monitor restoration activities and maintain logs of all recovery operations for audit purposes

Evidence auditors look for

  • Backup policy documentation with defined frequency, retention periods, and storage locations
  • Tested backup and restore procedures with documented results showing successful recovery
  • Disaster recovery plan with defined RTO/RPO targets for critical systems
  • Evidence of annual disaster recovery drills including test dates, scope, and outcomes
  • Backup verification logs showing integrity checks and successful restoration validation
  • System inventory mapping all data storage locations and their backup coverage
  • Incident response records demonstrating actual data restoration from backups
  • Retention policy specifying how long backups are maintained and when they're securely deleted

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates backup verification, tracks restoration test results, and maintains audit-ready evidence of your RTO/RPO compliance—eliminating manual tracking and proof-of-compliance headaches during audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR Article 32(1)(a) - Pseudonymization and encryptionGDPR Article 32(1)(b) - Confidentiality, integrity, availability, resilienceGDPR Article 33 - Breach notification requirementsISO 27001 A17.1.3 - Backup procedures