Backups and the GDPR “right to be forgotten”: Recommendations

(Part 2 of 2)

With the European Union’s General Data Protection Regulation (GDPR) officially taking effect on 25 May 2018, there are several questions regarding how the right to be forgotten affects personal data stored in backup archives. We explored these questions in part one of this series, and now we’ll look at how to address them.

As we explained in part one, the issue of honoring a user’s right to be forgotten in backup archives comes down to two questions:

• How can we protect personal data while it continues to exist in a backup archive?
• How can we honor GDPR’s principals of data minimization, keeping only the data we need for the minimum amount of time we need it?

Acronis has several GDPR compliance best practices and product features designed to help its partners (including MSPs offering backup as a service on the Acronis Data Cloud platform) and their customers (businesses that serve as controllers of EU citizens’ personal data) to honor this obligation:

• Where possible, controllers should organize backups so that each data subject gets his or her own separate backup archive for personal data. This is an ideal solution because it enables the granular deletion of personal data without affecting the records of other users. Unfortunately, this approach is likely to be impractical for many businesses to implement, as an individual’s personal data is often scattered across multiple applications, locations, storage devices, and backups.  
• Backup archives should always be stored using strong encryption. That way, even if a backup archive with personal data awaiting deletion were stolen, the thieves couldn’t use it.  
• When individuals request the erasure of their personal data, controllers should be transparent with them about what will happen to the backups: Primary instances of their data in production systems will be erased with all due speed Their personal data may reside in backup archives that must be retained for a longer period of time – either because it is impractical to isolate individual personal data within the archive, or because the controller is required to retain data longer for contractual, legal or compliance reasons. The individual can be assured that their personal data will not be restored back to production systems (except in certain rare instances, e.g., the need to recover from a natural disaster or serious security breach). In such cases, the user’s personal data may be restored from backups, but the controller will take the necessary steps to honor the initial request and erase the primary instance of the data again. Backup archives containing personal data will be protected with strong encryption, so that even if criminals were able to steal the archive, its contents would remain useless to them. Retention rules have been put in place so that personal data in backup archives is retained for as short a time as necessary before being automatically deleted. Records of all data subject requests regarding their personal data will be retained, as will audit logs that record all activities on backup archives containing personal data. This means that the user can be confident that their personal data has been backed up in accordance with GDPR principles of security by design and by default, as well as data minimization, and that their rights, including the right to be forgotten, have been honored.

Acronis will honor the rights of all data subjects regarding their personal data, including the right to be forgotten, when the data is no longer needed for its original purpose or the user withdraws their consent. When a customer asks Acronis that he or she be forgotten, we will delete their personal data (e.g., name, surname, mailing address, telephone number) from our production systems within 30 days if there are no legal grounds for processing it further.

We will delete backup copies of that personal data from our archives as soon as is practically possible, to the extent allowed by our other data retention obligations (e.g., to protect other data stored in the same backup archives, or meet other regulatory or legal requirements). As soon as those obligations have been fulfilled, we will permanently delete those archives as quickly as possible.

Acronis will also retain audit logs showing the history of all operations on the customer’s personal data for the period required by legal obligations. Certain items the user might consider personal data, e.g., entries made on community discussion boards or review pages https://www.acronis.com/en-us/company/awards/#reviews) may be retained according to the Terms of Service that the user agreed to when they posted. Acronis will always take reasonable steps to keep all personal data secure and inaccessible to unauthorized individuals.

Whether you are a controller, a processor, or both in GDPR terms, honoring a data subject’s right to be forgotten is pretty straightforward: if it resides in your production systems, you need to delete it swiftly. But that same data copied into backup archives can be a little trickier to handle: you need to delete it as soon as possible, but may have other obligations to preserve it for longer.

The best way to avoid a potential compliance violation and the stiff fines that come with it is to follow the same general GDPR principals for backups as you do for personal data in production systems:

• Take reasonable steps to keep backup archives safe and secure from prying eyes
• Don’t hold onto archives any longer than you absolutely have to
• Log and document your policies, procedures, and actual operations on backup archives so you can prove you’ve acted in good faith to honor data subjects’ rights regarding their personal data stored in backups
• Be transparent with users about why their personal data in backups might be kept around longer, how you will keep it safe until it can be deleted, and when its eventual deletion will occur.

Note that this blog post is for informational purposes only. It is not intended to and should not be relied upon or construed as legal advice. You should not act or refrain from acting on the basis of any content in this essay without seeking legal or other professional advice.