Backups and the GDPR “right to be forgotten”: What to expect

(Part 1 of 2)

The arrival of the European Union's General Data Protection Regulation (GDPR) is imminent: the official cutover date is 25 May 2018. In previous blog posts, we’ve explained the majority of its new obligations and roles, but one question requires special attention: the so-called “right to be forgotten”.

According to the GDPR, a data controller (the person or organization processing the data) is required to offer the right to erasure, also known as the right to be forgotten under certain circumstances, to data subjects (a GDPR-specific term for individuals).

When an EU citizen invokes his or her right to be forgotten, a data controller must erase all of the personal data that it possesses about that person. But a grey area immediately becomes apparent: if a controller is using various processors (such as third-party cloud data storage providers), and some of the data subject’s personal data is being stored by that processor, who is responsible for its deletion: the controller (who originally captured and handled the personal data), or its processor(s)?

The controller clearly must respond to ensure that an individual can exercise his/her personal data rights, which include:

• access (being able to see what the controller and its processors have collected on the person)
• rectification (requesting corrections to any errors
• restriction of processing
• portability
• erasure

Any processor the controller uses is also required to assist with “appropriate technical and organizational measures” to help it honor the data subject’s rights. 

An individual has the right to request erasure of his or her personal data if:

• The data is no longer necessary for the purpose for which it was collected
• The data subject withdraws consent to processing, and there is no other legal ground for processing, i.e., the controller cannot demonstrate an overriding legitimate basis for processing
• The processing is otherwise unlawful.

These are the only circumstances under which a controller is obligated to honor a data subject’s request to be forgotten.

When users exercise their right to be forgotten, they likely expect that any backup copies of their personal data will be erased as well. This presents a technical challenge to controllers and processors. First, an individual’s personal data might be scattered across many applications in a company (e.g., CRM, marketing automation, order entry, etc.) and distributed across several on-premises data stores and/or in the cloud. The backup associated with each application might reside in separate archives. Further, every backup archive typically includes data from many other applications and users.

Usually the original files and backup archives are organized and built in a way that makes it impractical to delete an individual’s personal data entirely without affecting the backups of other applications and users. Deleting one user’s data could adversely affect the protection of many others users’ data – effectively negating the point of performing data backups in the first place.

As a data protection company, Acronis is obliged to preserve backups even in the wake of erasure requests. We operate a global network of data centers in which we store backup archives on behalf of our customers and partners. But Acronis has no visibility into what type of data is stored in these backups, personal or otherwise.

Even if we assume that most backup archives contain personal data that is subject to erasure requests, there are many cases in which Acronis cannot allow modification of the backup archive due to contractual or legal obligations to our customers and partners. In some cases, this is a reflection of the inherent function of backup: to enable the restoration of lost or damaged data from an exact copy that was made at a specific point in time. In other cases, we must preserve backup archives because our partners and customers may be relying on them to honor their own regulatory or legal obligations.

For example, they may be relying on perfectly preserved backups to satisfy e-discovery requests in an ongoing lawsuit, or for compliance with some industry or tax regulation regarding records retention. In those cases, the GDPR recognizes that personal data from backups cannot be deleted immediately in response to a user’s request for erasure because other concerns take precedence over it.

Keep in mind that the primary responsibility for honoring the right to be forgotten remains with the controller. Since restoring a production system from backup could reintroduce that previously removed data, controllers must take steps to ensure that data is again deleted from the production system after recovery.

Honoring a user’s right to be forgotten in backup archives comes down to two questions:

• How can we protect that data while it continues to persist in a backup archive?
• How can we honor GDPR’s principals of data minimization, keeping only the data we need for the minimum amount of time we need it?

To help them honor their obligations, Acronis has some best practices -- as well as several useful features in our data protection products and services -- designed to help partners (including managed service providers who offer backup as a service on the Acronis Data Cloud platform) and their customers (businesses that serve as controllers of EU citizens’ personal data) with this particular challenge of GDPR compliance. We’ll examine those recommendations and the technology we offer to support them in Part 2 of this essay.

Note that this blog post is for informational purposes only. It is not intended to and should not be relied upon or construed as legal advice. You should not act or refrain from acting on the basis of any content in this essay without seeking legal or other professional advice.