The GDPR (General Data Protection Regulation) is a big, complex law, and it’s only natural that some of its elements appear to contradict each other.
One of those apparent contradictions involves arguably the most notorious aspect of the GDPR: the right to erasure (also known as the ‘right to be forgotten’).
This right – one of eight enshrined in the GDPR – allows individuals to request that organisations remove personal data pertaining to them, provided that:
- The organisation no longer needs the data for the purpose that it was originally collected;
- The individual withdraws consent;
- The individual objects to the processing and the organisation has no overriding legitimate interest in the data;
- The organisation collected the data unlawfully;
- The data must be erased to comply with a legal obligation; or
- The data was processed in relation to the offer of information society services to a child.
That seems straightforward enough, but in practice the rules are a lot more complicated. There are instances where organisations can reject the request, and there are a lot of question marks over what to do with backup data.
Is all personal data deleted?
When individuals exercise their right to be forgotten, they might assume that all of their personal data will be removed, including backups.
But as you might already know, trawling through the various locations where backups are held to delete data can be highly impractical.
The right to be forgotten is exercised regularly, so following through by deleting data from backups may well end up being a time-consuming activity and a major responsibility for one of your employees.
Acronis, a software company specialising in backups and disaster recovery, says that the ideal solution is to organise backups so that each data subject gets their own archive.
However, it admits that “this approach is likely to be impractical for many businesses to implement, as an individual’s personal data is often scattered across multiple applications, locations, storage devices and backups”.
So, what are the alternatives? According to France’s GDPR supervisory authority, the CNIL, organisations don’t have to delete backups when complying with the right to erasure.
Nonetheless, they must clearly explain to the data subject that backups will be kept for a specified length of time, which should be outlined in the organisation’s retention policy.
If you decide to go down this route, there are a few things you should bear in mind. First, other supervisory authorities might impose stronger penalties if you hold on to personal data beyond the specified timeframe and that information is subsequently compromised.
Second, you must be able to demonstrate that it’s impractical to delete backup data. At the very least, you should conduct a risk assessment, business impact assessment and data protection impact assessment to prove this.
You should also document policies and procedures for keeping backup data secure. These should include instructions on encrypting backups and on where backup devices will be stored.
Commit to GDPR compliance with our pocket guide
Find out more about the right to be forgotten and everything you need to know about the Regulation by reading our GDPR Pocket Guide.
This bestselling pocket guide provides a simple explanation of the GDPR’s terms, and helps you get to grips with its compliance requirements. This includes:
- The six principles that should be applied to any processing of personal data;
- Data subjects’ rights;
- Your data breach notification requirements; and
- The “appropriate technical and organisational measures” you need to take to ensure compliance with the Regulation.
A version of this blog was originally published on 21 May 2018.