Back when GDPR came into effect in 2018, one of the most frequently questioned aspects was how it applied to backups. GDPR includes the ‘right to be forgotten’, one of eight rights enshrined in the regulation, which lets individuals request that organisations erase their personal data if:
- The organisation no longer needs that data for the same purpose
- The individual withdraws consent
- The individual objects to how their data is being processed, and the organisation has no overriding legitimate use for that data
- The organisation collected the data unlawfully
- The data needs to be deleted to comply with a legal order
- The data was processed to offer information services to a child.
So far, so good. But in practice these rules have caused havoc for creative SMEs that back up huge amounts of data. There are circumstances in which an organisation can contest a request to delete data, but in practice most small business owners are unlikely to know how these exceptions work.
The confusion over how GDPR affects backups
When an individual exercises their right under GDPR to be forgotten, they’d probably assume that all of their personal data will be removed, including from backups. In reality, it’s often impractical to trawl through every backup (physical, on hard drives, in the cloud, and so on) to delete that data. For most small businesses, deleting data from multiple backups could prove seriously disruptive.
Ideally, the organisation should organise backups so that each data subject gets their own archive, but there are again obvious practical limitations. An individual’s personal data might be scattered across multiple applications, storage devices, locations, and backups.
Dealing with data requests involving backups
After GDPR came into force, France’s supervisory authority, the CNIL, suggested that organisations don’t have to delete backups when complying with the right to be forgotten. Instead, they should clearly explain to the individual that backups will be retained for a set length of time, and that retention period should be documented in the organisation’s data policies.
It’s worth noting, however, that other supervisory authorities (which may include the UK’s) might not take the same view in practice if you hold on to personal data beyond the time limits for dealing with a right to be forgotten request.
The onus is also on you, as the organisation, to demonstrate that deleting backup data is sufficiently impractical. That might mean conducting a risk assessment, a business impact assessment, and a data protection impact assessment.
You should also keep regularly updated policies and procedures for how you keep backed-up data secure, including how you encrypt that data and where it’s stored.
As a small business, it’s worth planning how you will respond to these kinds of requests well before you actually receive one; that planning could save you time and business disruption in the long run.
Exploring backup solutions, or refining your data policies? We can help. We’re one of London’s leading managed service providers for the creative industries, helping them to grow and exceed expectations through great technology. Contact us to find out more.