19 Mar 2019
In the pre-GDPR panic, and the post-GDPR haze, there were seemingly endless emails flying around asking recipients to update their details and contact preferences. Then it all went quiet for a bit, and then someone put their hand up and asked, ‘what does GDPR mean for personal details held in backups?’ That is a very good question, because very few people had actually considered it – and it’s especially pertinent when we bring people’s ‘right to be forgotten’ into the debate.
We also need to factor in cloud backups, and how difficult it can be to remove specific identifiers and information from large blocks of data that don’t mean anything when they’re restored.
How do cloud backups work?
Backing up your data with a backup service, such as a secure cloud backup, is pretty straightforward. You simply decide what data you want to ‘copy’ and store to keep it safe, and it’s accessible in the event of a system or software failure. It’s also being protected against hackers, malware and viruses. Cloud backup is understandably popular, as it entails removing data offsite to a managed service provider such as BackupVault. Then it’s in the hands of experts, and a further step removed from on-premises hardware, although it’s typically employed as well as, rather than instead of, a physical on-site backup.
One major benefit of using cloud backup is that it can make managing a backup system easier – you hand it over to a specialist provider that takes responsibility for its safety. But in the context of GDPR, and being able to locate and remove specific items from any kind of backup – including a cloud backup – things can become more complicated. Specifically, the ‘right to erasure’ or ‘right to be forgotten’ that GDPR has a keener focus on, can actually be very difficult to honour. Some say it’s just not possible in some cases, and that GDPR fails to acknowledge some of the basic limitations of physical and cloud backups. However, with BackupVault we are able to give users the ability to search for data within a backup and remove this data if required.
What is the ‘right to erasure’ or the ‘right to be forgotten’?
Put simply, anyone can ask whoever holds their personal data, to remove it from their systems – and that includes personal data in any backup. It’s a fundamental right based on individuals owning their data and having control over who can view or use it. This is what’s been causing consternation since GDPR, as specific data can be easy to remove at its primary source (such as a database or spreadsheet), but much harder to isolate and extract from a backup. For example, it may be on a tape backup, or in a compressed or encrypted file in a cloud backup. It may be in several places to ensure it’s not lost, but this can make ‘the right to erasure’ or ‘the right to be forgotten’ very tough to enforce.
What’s more, in the vast majority of cases, personal data on employees, or existing or potential customers, does not have its own dedicated file for each individual. Each individual’s data is just a tiny part of a much larger file, and often appears in several different files according to different criteria. In short, it may be safe, but it can be very tricky to isolate and remove. The most obvious technique would be to restore these larger files from a backup, and then search for and remove them. On a small scale, that’s fiddly but achievable. For larger businesses and organisations, or for holders of ‘big data’, it becomes very fiddly, and arguably unachievable.
Can a ‘right to be forgotten’ request be refused?
Generally speaking, no. However, if a customer makes a request to be ‘forgotten’, the business may still need to hold aspects of that data for compliance reasons, or to continue providing a service. There are also some circumstances where the data holder can refuse the request, such as if the information held is necessary in order to exercise of the right of freedom of expression and information, or to comply with legal obligations or in the exercise of official authority for the public interest. But in the vast majority of cases, the request must be honoured… so if it’s verging on impossible to achieve, what’s the solution?
Do you have a data retention schedule?
The reason we ask, is that having a data retention schedule can make backups more efficient and leaner, and therefore make ‘right to be forgotten requests’ easier to carry out and confirm. A data retention schedule can even incorporate a strategy to automatically remove all personal data held for longer than a set period. Of course, it depends on the nature of your business, but it is one way to make life a lot easier when it comes to managing large volumes of data, and locating specific files in backups. Also, if customers know that their personal data will be removed after a set period – based on clear criteria – they might be less likely to actively request its deletion.
If you want to retain that data, but make it more accessible, you can always use archive software. This option is one that many businesses overlook, but it’s a great way to hold on to customers’ personal details securely without them clogging up your backups unnecessarily – and to make those details far easier to locate and delete if required.
How to best handle backup files since GDPR is an ongoing debate, and quite a complex one. Speak to your backup provider to make sure you’re doing what you can to make personal data management easier, and handle ‘right to be forgotten’ requests correctly.
Backup Vault provides fully automated, hassle-free, UK-based backup services to organisations all over the world – from small business to global brands, to public-sector clients and large corporate enterprises. Find out more.