‘Right to be Forgotten’, Article 17 in the EU General Data Protection Regulation (GDPR) talks about how a data subject has the right to request to remove it from any system. The owner of the system is obligated to remove this personal data without undue delay after receiving the request with some exceptions given in Article17 as well. It should be relatively easy to delete data from an active system, however, what happens to backups and archives stored in potentially different locations. With GDPR enforced, users tend to believe their request to remove personal data applies to data from all repositories, however, this is not the real situation. GDPR does not mention much about deleting data in backups; therefore, organisations usually remove data from the production server and still have copies of the data in backups. Usually, there are many backups across different locations, and it would be impractical to restore a backup, locate the data, delete it and perform a new backup. Furthermore, this will be a continuous process as requests to delete keep coming in.
Although deleting data in the backup is not spelt clearly in GDPR, it does address the data encryption for backups as a part of the Data Protection Act (DPA).
GDPR Data Removal Guidelines
As mentioned earlier, GDPR lacks guidelines on removing personal data from different locations. However, there is a broad statement in Article 17; ”taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data” which indirectly requires an organisation to take necessary measures to remove any personal data. Following are some of the possible measures taken by some organisation after understanding the above statement:
- If the data made public; example data is stored in multiple locations, the organisation should:
- Inform the data owner on the duration of data retention
- Take measures to remove the data permanently after a specified duration
- Provide the data owner access to delete the records from the cloud environment
- Where possible, restore the backup and delete the data stored in the archives. However this may prove impractical as one might have daily/weekly/monthly backups in multiple sites.
Below is a simple guideline for organisations to comply with “requests for erasure”:
- There is a process in place to respond to the request for erasure without undue delay and within one month
- Organisations should be aware of the circumstances of when the time limit to respond to a request can be extended
- Organisations have procedures to communicate to the recipients on the erasure of data shared with them
- Organisations should have appropriate methods to erase information
GDPR and Data Encryption
GDPR recommends pseudonymisation and encryption as the appropriate technical measures to protect the security of personal data. However, it does not say encryption is a must, but it is quoted as an appropriate measure to mitigate risk in order to maintain security and prevent data processing which is not compliant with GDPR. Organisations should have an encryption policy which defines how encryption is implemented on active and backup data. This policy should also highlight the necessary training employees need to undergo to understand GDPR and its implications on data.
The following are the simple guidelines on encryption compliance:
- Use encryption and/or pseudonymisation where appropriate
- Have an appropriate policy in place governing our use of encryption
- Understand the residual risk even with an implemented encryption solution
- Implement encryption meetings known standards like FIPS 140-2 and FIPS 197
GDPR in Database Backups
Backup vendors are facing challenges on how to remove the data from backups to comply with GDPR. The two common concerns are how to actually remove the exact record from the backups and how to ensure this can be done without violating the Data Privacy Act. When a request is made to remove it is easy to perform a DELETE operation on the production servers, however, it would be tedious to remove data from backups stored in various devices in multiple locations. The good news is, GDPR does not enforce immediate removal of data stored in repositories, instead it gives an option to inform data owners on the duration of removal from the various repositories. Although it all sounds easy, the process to restore the backup, retrieve the exact data and then delete is not feasible if the volume of data is huge. If it is a relational database, then the referential key can be used to delete all linked data, however, if it is object storage, it is quite impossible through a bunch of objects. While it is possible to delete, this is a risky process as it can cause the backup to be corrupted and just to delete a single piece of data, the whole backup might have to be deleted; which is not a realistic solution.
Backup Vendor Challenges to Comply with GDPR
- Impossible to destroy all personal data if there are multiple backup copies
- If the data is stored in personal drives of an employee in an organisation, then this data might still stay in the hard drive
- Type of the backup could make it difficult to find the specific data to be removed
- To erase a single record, the whole copy of backup might need to be deleted and this will be a danger for recovery planning
- Data might be corrupted and affects the restoration process
- Backup vendors are not aware of what data goes into the backup, if there is a request to delete the data, it might lead to breaching the data security
- It is time-consuming and can be costly to trace through all the backup copies just to remove a single piece of data
Workarounds to Comply to GDPR
Following are some of the workarounds to comply with GDPR when it comes to removing data from the backups:
- Apply data anonymization. With data anonymization identifiable information from data sets will be removed or encrypted, hence the person the data is describing becomes anonymous and it is no longer personal data. It does not fall under the remit of GDPR
- Inform the data owner on the removal process, its duration, and its impact
- Only keep the necessary data for a required period of time
- Log and document policies, procedures, and actual operations on backup archives to show how the personal data is stored
There is no absolute solution on how backups can comply with the “ Right to be Forgotten” in Article 17. However, organisations should have best practices in place to ensure that personal data is not misused nor it is kept when it is no longer needed. In any case, data owners should always be informed of how their data is kept and removed from the backup, to ensure transparency. Organisations should also train all their employees on GDPR compliance, and how they should handle personal data if they are kept in their personal backups.