drx - Fotolia

Manage Learn to apply best practices and optimize your operations.

GDPR right to be forgotten and backups: What are potential problems?

Removing personal data from a database is a simple process, but eliminating that information from full backups could undermine the integrity of your data. Proceed with caution.

The General Data Protection Regulation, which went into effect earlier this year, is designed to ensure the responsible handling of data pertaining to EU residence. One of the trickier parts regarding GDPR is the right to be forgotten and backups.

According to the GDPR, an EU resident can request the removal of his or her data from a company's IT systems. Removal requests can potentially be inconvenient, but there isn't anything especially challenging about removing a record from a database. Backups, however, pose a much tougher issue.

Imagine that an organization creates a full backup of a particular database. The next day, the organization receives a request to remove a certain individual's records from that database. Even if the company complies with the request, the records will still exist within the previous day's backups.

The right to be forgotten and backups present compliance problems. Backup software generally does not have the ability to interact with the data that it is backing up. If a database is included in a backup job, the backup software will back up that database without regard for the data within it. In other words, the backup software neither knows nor cares whether or not the data is fully GDPR compliant.

It would theoretically be possible for a backup vendor to create a tool to remove certain database records from a backup. However, this workaround for the right to be forgotten and backups would present at least two problems:

  • Having a tool to purge certain data from a backup could undermine the integrity of the backup. Just imagine all of the ways that such a mechanism might be exploited by malware or by a rogue employee. Someone with bad intent might use a data removal feature to remove all of the data from a backup.
  • The tool wouldn't scale well. For example, if a company uses tape backup and has 50 cartridges with old backups, would it really be realistic to expect the company to remove data from all of those tapes? Never mind that such an operation might corrupt the tape contents in the process.

One approach for companies regarding the right to be forgotten and backups is to notify customers that their right may not apply to backups. In doing so, however, a company would need to find a way to remove those who wish to be forgotten in the event of a data restoration.

Dig Deeper on Data backup security

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What has been the most difficult piece of GDPR backup compliance?
Hi Brian, I read your article on GDPR and the Right to be Forgotten as it relates to backup data. You make a good point about maintaining the integrity of database backups, but I would consider a far larger area of non-compliance sits in the long-term backups of VM images. The backup vendors have had 2 years notice ahead of GDPR, and many did nothing to support GDPR compliance for their clients. From what I have read the regulators will not accept technology limitations in a backup product to limit non-compliance. It’s worth taking a look at the work Asigra have underway in this area mark.saville@data2vault.com
Informing the data subject that their records are being kept subject to regulatory audit or contractual requirement in the back up system should be part of full and fair disclosure that their data is being kept on hand.  The keys are to have a schedule for the duration of the backup after which (you can tell them their data goes away).  Second, tell them that the tapes can not be accessed by company personnel because you have a secure third party tape storage location and the personnel at the storage site cannot access the data because they do not possess the security and retrieval tools to open the stored data.  Third, tell them how you do delete their data - destroy the tape, overwrite, etc.