GDPR and backups: How to handle deletion requests?

By Willem Dewulf, 2 min read

Since the introduction of GDPR, backups have been a hotly debated topic. Many organizations have tried to figure out what is required of their backup strategy to ensure GDPR compliance.

Previously we addressed some of the key implications of GDPR on your Asana backups.

In this blog post we will address two issues that arise with backups and the right to be forgotten.

Problem #1: Does a deletion request include removing data from backups?

GDPR allows an EU citizen to ask an organization to remove any record of personal data.

In the last year, several EU supervisory authorities have released recommendations on how to address this issue of GDPR and backup. The Danish authority, the Data Inspectorate, states that deletion of record data from backups is mandatory "if this is technically possible." holds that record data does not need to be deleted from a backup.

Additionally, according to a Quantum blog, the French National Commission on Informatics and Liberty (CNIL) said "organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time." We recommend that our Pro Backup clients communicate this as clearly as possible to their customers. They should also clearly specify the retention time in their communication with the data subject.

Problem #2: What if a deleted record is restored through an old backup?

The second issue around GDPR and backup is that, should an organization delete a record and then recover from an older backup (containing the now-deleted record), the deleted record will be reanimated and put back into production, making the organization noncompliant.

Therefore we advise our clients to maintain an index of requested deletes that corresponds to a given backup's retention time, using non-identifiable markers such as a database row number rather than personal details. This way, should recovery require the use of an older backup containing now-deleted records, the organization can delete those records again.
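
One way to implement such a deletion index, as an added example (not Pro Backup's code). It assumes SQLite, a `customers` table keyed by a row number that is never reused, a 30-day backup retention time, and an index stored in a separate database outside the backup set; all function and table names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)    # assumed retention time of every backup
ALLOWED_TABLES = {"customers"}    # assumed tables that hold personal data

def init_index(index_db):
    # Keep this index OUTSIDE the backup set, or a restore rolls it back too.
    index_db.execute(
        "CREATE TABLE IF NOT EXISTS deletion_index ("
        " tbl TEXT NOT NULL, row_id INTEGER NOT NULL,"
        " requested_at INTEGER NOT NULL, expires_at INTEGER NOT NULL,"
        " PRIMARY KEY (tbl, row_id))")

def delete_row(prod_db, tbl, row_id):
    # Table names cannot be bound as SQL parameters, so use an allow-list.
    if tbl not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table: {tbl}")
    return prod_db.execute(f"DELETE FROM {tbl} WHERE id = ?", (row_id,)).rowcount

def record_deletion(index_db, prod_db, tbl, row_id, now):
    """Erase the row in production; index only table, row number and times."""
    delete_row(prod_db, tbl, row_id)
    ts = int(now.timestamp())
    index_db.execute(
        "INSERT OR REPLACE INTO deletion_index VALUES (?, ?, ?, ?)",
        (tbl, row_id, ts, ts + int(RETENTION.total_seconds())))

def replay_after_restore(index_db, prod_db, backup_taken_at):
    """Delete again every row erased at or after the restored backup's time."""
    pending = index_db.execute(
        "SELECT tbl, row_id FROM deletion_index WHERE requested_at >= ?",
        (int(backup_taken_at.timestamp()),)).fetchall()
    return sum(delete_row(prod_db, tbl, row_id) for tbl, row_id in pending)

def prune_index(index_db, now):
    """Drop entries once every backup that could hold the row has expired."""
    return index_db.execute(
        "DELETE FROM deletion_index WHERE expires_at <= ?",
        (int(now.timestamp()),)).rowcount
```

Run `replay_after_restore` before the restored database is put back into service, and schedule `prune_index` so the index itself does not outlive the backups it covers.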