The EU General Data Protection Regulation (GDPR) is a big, complex law, and, as is only natural, some elements appear to contradict each other. One of those contradictions involves arguably the most notorious aspect of the GDPR: the right to erasure (also known as the ‘right to be forgotten’).
This right – one of eight enshrined in the GDPR – allows individuals to request that organisations remove any personal data pertaining to them, provided that:
- The organisation no longer needs the data for the purpose that it was originally collected;
- The individual withdraws consent;
- The individual objects to the processing and the organisation has no overriding legitimate interest in the data;
- The organisation collected the data unlawfully;
- The data must be erased to comply with a legal obligation; or * The data was processed in relation to the offer of information society services to a child.
That seems straightforward enough, but in practice the rules are a lot more complicated. There are instances where organisations can reject the request, and there are a lot of question marks over what to do with backup data.
When users exercise their right to be forgotten, they might assume that all of their data will be removed, including backups. But as you might already know, it can be much too impractical to trawl through various backup locations to delete data. The right to be forgotten is expected to be exercised regularly, so if you were to follow through with deleting backups, complying with this request would probably become someone’s full-time job.
Acronis, a software company specialising in backups and disaster recovery, says that the ideal solution is to organise backups so that each data subject gets their own archive. However, it admits that “this approach is likely to be impractical for many businesses to implement, as an individual’s personal data is often scattered across multiple applications, locations, storage devices and backups”.
So, what are the alternatives? According to France’s GDPR supervisory authority, CNIL, organisations don’t have to delete backups when complying with the right to erasure. Nonetheless, they must clearly explain to the data subject that backups will be kept for a specified length of time (outlined in your retention policy).
If you decide to go down this route, there are a few things you should bear in mind. First, other supervisory authorities might be stricter. Second, you must be able to demonstrate that it’s impractical to delete backup data. At the very least, you should conduct a risk assessment, business impact assessment and data protection impact assessment to prove this. You should also document policies and procedures for keeping backup data secure. This will include instructions on encrypting backups and where you will keep backup devices.
Want to learn more?
You can find out more about data subjects’ rights under the GDPR and how to meet these requirements by reading our free green paper: EU General Data Protection Regulation – A Compliance Guide.