On the legal team's advice, we have pared back the customer-facing GDPR article and instead send users to the Terms and Agreements page on the website. There was some useful framing around GDPR and backups that we thought would be worth publishing internally - the language could be used in conversation with clients, but always reiterate that they need to consult with their lawyer or with someone who knows their local laws. Momentus Technologies does not provide legal advice.
How does “Right to Forget” apply to data backups?
If an individual requests removal from your database, how should that removal request be handled regarding database backups where that individual’s personal data may reside? This question has been debated many times especially as the GDPR date draws near. To be clear, there is no specific direction within GDPR regarding data backups, so any advice given on this should be taken as opinion and not fact. Hopefully, more direction will be provided once a certification program is developed.
One school of thought is that data backups are not within the scope of GDPR. In Article 4, Definitions, there is an explanation of the term 'processing'. By that definition, backed up data is not processed and therefore does not fall under the scope of GDPR:
“‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
Is this enough to consider data backups out-of-scope for GDPR? There are mixed opinions on this, of course. In the end you will need to decide what is best for your organization.
So, if data backups are within the scope of GDPR, do we need to remove an individual’s data from all backups every time they request it? Implementing procedures and processes to address this would certainly take its toll on any organization. Because of that, another school of thought on GDPR and data backups is to let the natural turnover of backups address the data removal aspect. This means that if you cycle your data backups every 30 days, every 6 months, or annually, that cycle becomes part of your removal policy. If a request for removal comes in, your policy would state that removal from the current system is immediate (or close to it), while removal from any data backups will occur within 6 months, or whatever your turnover time is. What about needing to remove an individual’s data from backups upon request? Given the hardship that a GDPR removal process on data backups might impose, the “reasonable” qualifier used throughout the GDPR text could be relied on:
“…taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures…”
Under this reading, removing personal data from backups over a longer period of time is a reasonable step, as long as the personal data is removed from the current database upon request.
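As an added illustration of the rotation-based policy described above (this is not code from the original article and not a Momentus Technologies tool), the following Python tracks a single erasure request against a backup inventory. It assumes full-snapshot backups that are destroyed a fixed retention period after they are taken; the data classes, function names, retention period and sample dates are all constructed for the example. It shows two points a practitioner would want written down in the policy: the backup deadline runs from the date the live deletion actually happened (not from the date the request was received), and any backup that is past its retention but still in the inventory is a policy violation that the rotation argument no longer covers.

```python
"""Track one GDPR erasure request against a rotating backup inventory.

Constructed example. Assumptions:
  * every backup is a full snapshot of the live database taken on a known date;
  * a backup is destroyed once it is RETENTION old (purge date = taken + RETENTION);
  * a backup taken before the live deletion may still hold the subject's data,
    a backup taken on or after it does not.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Backup:
    name: str
    taken: date


@dataclass(frozen=True)
class ErasureRequest:
    subject_id: str
    received: date
    erased_from_live: Optional[date]  # None until the live-database deletion is done


def purge_date(backup: Backup, retention: timedelta) -> date:
    """Date on which the rotation policy says this backup must be destroyed."""
    return backup.taken + retention


def policy_deadline(request: ErasureRequest, retention: timedelta) -> date:
    """Latest date by which every backup that can hold the subject's data has rotated out.

    The last backup that may contain the data is the one taken just before the
    live deletion, so the clock starts at erased_from_live, not at received.
    """
    if request.erased_from_live is None:
        raise ValueError("live deletion has not happened yet; no backup deadline can be given")
    return request.erased_from_live + retention


def classify_backups(request: ErasureRequest, inventory: List[Backup],
                     retention: timedelta, today: date) -> Dict[str, List[Backup]]:
    """Split the current inventory into clean / pending / overdue for this request.

    clean   - taken after the live deletion, so the subject's data is not in it
    pending - may hold the data, but its purge date is still in the future
    overdue - may hold the data and should already have been destroyed (policy breach)
    """
    # If the live deletion has not happened, every backup taken so far may hold the data.
    cutoff = request.erased_from_live or today
    report: Dict[str, List[Backup]] = {"clean": [], "pending": [], "overdue": []}
    for backup in sorted(inventory, key=lambda b: b.taken):
        if backup.taken >= cutoff:
            report["clean"].append(backup)
        elif purge_date(backup, retention) <= today:
            report["overdue"].append(backup)
        else:
            report["pending"].append(backup)
    return report


# --- constructed sample data -------------------------------------------------
RETENTION = timedelta(days=30)
TODAY = date(2024, 3, 20)
REQUEST = ErasureRequest(subject_id="subject-0001",
                         received=date(2024, 3, 10),
                         erased_from_live=date(2024, 3, 12))
INVENTORY = [
    Backup("full-2024-02-10", date(2024, 2, 10)),  # purge 2024-03-11: still present, so overdue
    Backup("full-2024-02-25", date(2024, 2, 25)),  # purge 2024-03-26: pending
    Backup("full-2024-03-11", date(2024, 3, 11)),  # taken after request, before live deletion: pending
    Backup("full-2024-03-15", date(2024, 3, 15)),  # taken after live deletion: clean
]


def main() -> None:
    report = classify_backups(REQUEST, INVENTORY, RETENTION, TODAY)
    print(f"request {REQUEST.subject_id}: backups clear by {policy_deadline(REQUEST, RETENTION)}")
    for state, backups in report.items():
        for b in backups:
            print(f"  {state:8} {b.name}  purge by {purge_date(b, RETENTION)}")


if __name__ == "__main__":
    main()
```

The `overdue` bucket is the one to watch: the "natural turnover" argument only holds if backups really are destroyed on schedule, so a periodic check of the inventory against purge dates is what turns the policy statement into something you can show an auditor.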