🚨 Use our FREE data vulnerability scanner. Identify and fix DNS issues. Start Your Scan

The Essential Guide to GDPR Data Protection Backups: Safeguarding Personal Information

September 4, 2023

Written By:

profile photo of Rob Stevenson

Rob Stevenson


keyboard with a GDPR button

General Data Protection Regulation (GDPR) originated in the European Union but remains intact in the United Kingdom. Regardless of location, any data controller or data processor must comply with it if they engage in personal data processing on a data subject in the UK or EU.

GDPR supports vital data protection principles and human rights regulations by giving consumers control over who can have their personal data online, how those companies use it, and where they transfer the data.

GDPR includes the “right to be forgotten,” which requires organisations to erase personal data at the consumer’s request. This is a powerful data protection tenet, and companies must understand the right to be forgotten and how it affects the information they retain about a data subject.

It’s also imperative for organisations to understand how GDPR affects data breaches and whether companies will be held liable for backup data if a data subject requests their personal data erased.

Below, we’ll provide a general data protection regulation compliance checklist to help you understand your responsibilities according to GDPR and how it affects data backups.

Understanding GDPR data protection requirements

GDPR was created to protect data subjects’ rights. Those rights begin with the right to request that their data is not collected in the first place, and companies have a legal obligation to ask permission before collecting information on a data subject. Companies – referred to as the “data controller” in GDPR terminology – must also remove any personal data relating to a data subject if they receive a right-to-be-forgotten request.

GDPR stipulates that data gathered by information society services, such as eCommerce websites or social media platforms, must obtain valid consent for data processing, provide transparent privacy policies, and ensure personal data remains safe and confidential.

Any data gathered before GDPR was signed into law should be revisited, and data controllers should ensure that it is only kept on a lawful basis, as defined in GDPR Article 6 as consent, contractual necessity, legal obligations, legitimate interests, and public interest tasks. Pre-GDPR data should be removed from your archives as soon as it is no longer needed for the task that initially prompted its collection.

Some data may need to be subject to re-consent by the data subject. If you decide to keep archived personal data, it should be protected by technical measures like data encryption, access controls, regular security assessments, and staff training on data protection.

Consider conducting a Data Subject Impact Assessment (DSIA), which will help you identify which data poses a high risk to an individual’s privacy and rights and allow you to mitigate risks. Hence, you stay on the right side of GDPR.

As always, keep accurate, detailed records of data processing activities and conduct regular backups of your records.

The role of data backups in GDPR compliance

Data controllers often misunderstand data backups in the context of GDPR. Unless your organisation has received a right-to-be-forgotten request from a data subject, there is no need to delete archived data. It is actually often impossible or not practicable to delete data from a backup even if a person has requested it.

If a data subject objects to your retaining their information, you may still be allowed to keep it in certain circumstances. Deleting data when requested without undue delay is considered ethical but not all backups will allow you to even delete the data making it an impossible and impractical task.

There is, however, a legal obligation to care for that data with integrity and confidentiality. Data breaches or loss have severe consequences for data controllers, including hefty fines and regulatory audits. You also leave your organisation vulnerable to legal suits by affected data subjects, which can be costly to the point of fatal for businesses.

Backups help businesses comply with GDPR

A robust backup strategy helps mitigate risks to both data subjects and data controllers. It ensures data protection by keeping data intact and available whenever requested. It helps with data recovery in the event of data loss, quickly restoring data to a previous state.

GDPR requires that organisations store personal data only as long as it is needed for the specified purpose. A sound backup strategy ensures organisations retain data until no longer needed and delete it per their legal obligations at the end of the retention period.

In the section below, we’ll offer our best practices for conducting data backups that provide data protection for your consumers and legal protection for your company.

Best practices for GDPR-compliant data backups

When it comes to GDPR compliance, your backup strategy needs to be informed, purposeful, and expertly executed.

Encryption is essential

For starters, encryption of your data is essential. Encryption ensures that, even if your data falls into the wrong hands, it is completely unintelligible and useless without the decryption key. This minimises organisational risks and is also a tenet of GDPR compliance.

Keep decryption keys safe by storing them securely, and never transfer any data – especially off-site – without robust encryption.

Store securely

Backed-up data should be stored in a physically secure site, and only a few personnel should be authorised to access it. Virtual access should be heavily restricted with authentication measures like two-factor authentication. Access logs and an audit trail should be in place to track any access to the data, and those should be reviewed routinely.

Revisit retained data

Under GDPR, companies are required to delete or anonymize data when it is no longer necessary for its original purpose. Any undue delay in honouring that principle of data protection could be punishable.

Protect your company by developing a clear data retention policy that states your case for retaining data as it applies to your business needs. Then, when that need has expired, delete or anonymize personal data immediately.

Update your backup processes regularly

GDPR may change over time. Certainly, it’s true that hackers and online ne’er do wells are constantly changing tack to steal personal data. So, you must keep checking and rechecking to ensure that your backup processes are relevant, modern, and fit for purpose.

Regularly test your backup processes to ensure they are performing their functions. Test the data you back up to ensure its accuracy and reliability. Go through a practice “restore from backup” procedure regularly to ensure you can trust the process to work when needed. And keep attuned to shifting GDPR requirements.

Choose a backup partner that offers complete peace of mind

Working with a reputable, proven backup vendor ensures reliable data protection. You want a partner in providing safe data and GDPR compliance – one with a strong track record of data protection and a commitment to continually optimising services to respond to developments in the field.

At BackupVault, we are well-versed in GDPR. Our clients enjoy peace of mind knowing their data is safe, and their GDPR compliance is assured.

If you want to join their ranks, take us for a spin with a free trial.

GDPR backup strategy checklist:

✅ Ensure your website includes a GDPR-compliant cookie consent form.
✅ Compose and publish a robust data privacy policy, and ensure the data you retain is safe and confidential.
✅ Conduct a data audit in which you find and remove any personal data collected before GDPR if it is no longer being used lawfully according to GDPR Article 6.
✅ Consider obtaining fresh consent for retaining and processing personal data.
✅ Backup your detailed, accurate records of all data processing.
✅ Backups should be encrypted, and decryption keys stored securely. Off-site data transfers should also include encryption.
✅ Store data safely in a secure physical location and limit physical and virtual access. Keep accurate logs on who accesses data, when, why, and what they do with it.
✅ Conduct regular data audits to ensure your data is still needed and legally retained under GDPR.
✅ Regularly test your backup procedures to ensure they work when needed.
✅ Change and update your backup procedures to ensure complete data protection and alignment with GDPR.