The GDPR (General Data Protection Regulation) is a complex law, and as you might have noticed, some aspects appear to contradict each other.
That includes the rules regarding one of the more widely discussed aspects of the Regulation: the right to erasure (also known as the ‘right to be forgotten’).
This right – one of eight enshrined in the GDPR – allows individuals to request that organisations remove any personal data pertaining to them, provided that:
- The organisation no longer needs the data for the purpose for which it was originally collected;
- The individual withdraws consent;
- The individual objects to the processing and the organisation has no overriding legitimate interest in the data;
- The organisation collected the data unlawfully;
- The data must be erased to comply with a legal obligation; or
- The data was processed in relation to the offer of information society services to a child.
That seems straightforward enough, but in practice the rules are a lot more complicated.
There are instances where organisations can reject the request, and there are a lot of question marks over what to do with backup data.
When users exercise their right to be forgotten, they might assume that all of their data will be removed, including backups.
But it’s often unreasonable to expect organisations to trawl through all of their backup locations to delete data.
Acronis, a software company specialising in backups and disaster recovery, says that the ideal solution is to organise backups so that each data subject gets their own archive.
However, it admits that “this approach is likely to be impractical for many businesses to implement, as an individual’s personal data is often scattered across multiple applications, locations, storage devices and backups”.
Indeed, given how often the right to be forgotten is exercised, combing through backups to delete information would probably become someone’s full-time job.
So, what are the alternatives? According to France’s GDPR supervisory authority, CNIL, organisations don’t have to delete backups when complying with the right to erasure.
Nonetheless, they must clearly explain to the data subject that backups will be kept for a specified length of time (outlined in the organisation’s retention policy).
If you decide to go down this route, you should bear in mind that other supervisory authorities might be stricter and that you must be able to demonstrate that it’s impractical to delete backup data.
This will require, at the very least, a risk assessment, business impact assessment and data protection impact assessment.
You should also document policies and procedures for keeping backup data secure, which will include instructions on encrypting sensitive information and where you will keep backup devices.
Looking for more GDPR compliance help?
You can learn more about your data protection and privacy requirements by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.
The updated second edition of this essential guidebook explains in simple terms the steps you must follow to meet the GDPR’s requirements.
It covers everything you need to know about the Regulation, including:
- Data subjects’ rights;
- How to gain lawful consent;
- Managing consent withdrawal;
- Fulfilling DSARs (data subject access requests);
- How to complete DPIAs (data protection impact assessments); and
- Whether you need to appoint a DPO (data protection officer).
A version of this blog was originally published on 21 May 2018.