We All Know About GDPR’s Right to Erasure, Does This Mean You Have to Delete Data From Backups As Well?

Written by: Richard Sheinis, Esq.

In this business, we are all familiar with GDPR’s right to erasure (commonly called “the right to be forgotten”) granted by the GDPR.  The question that often comes up is when a data subject exercises their right to erasure, does the organization also have to erase the data subject’s personal data in the organization’s backup system?

Unfortunately, the GDPR does not address personal data in backups with regard to the right to erasure. There is not an exception or a “safe harbor” that allows an organization to maintain a backup when they have received a valid request to erase. This can be disconcerting in view of the difficulty in deleting backup data.  It is not easy nor practical to remove a single record from the backups.  Many backups cannot be searched for a single record, without restoring the entire backup.  An organization must also be careful not to affect the personal data of other data subjects in an attempt to delete the personal data of the data subject who has made the request.

Fortunately, several European supervisory authorities have issued guidance on how to handle backups when receiving a request to erase.  The Danish supervisory authority has issued guidance stating that personal data must be deleted from backups where technically possible.  However, there are cases when erasure from a backup might be technically possible, but is extremely cumbersome and expensive.  It is not clear whether technically possible means at any cost, or only when reasonably technically possible.  If the organization does not delete the personal data from the backup because it is not technically possible, the organization must ensure that the personal data is deleted if the backup is restored to a production system or a production data base.

The UK’s supervisory authority, the ICO, released guidance stating it is necessary to take steps to ensure erasure from backup systems.  Such steps may depend on the organization’s particular circumstances, its retention schedule and the technical mechanisms that are available to delete personal data from backups.  The UK recognizes that data may remain on backups for a certain period of time until the backup is overwritten.  The UK has indicated that they will be satisfied if backup data are put “beyond use” even if it cannot be immediately overwritten.

The French supervisory authority, the CNIL, has indicated that organizations don’t have to delete backups when complying with the right to erase.  However, the organization must clearly explain to the data subject that backups will be kept for a specified length of time, which is usually outlined in the organization’s retention policy.

The import of the guidance from the various supervisory authorities is that if an organization does not delete personal data from backups when there is a request for erasure, the organization needs to document why it is technically not possible for feasible to delete the data from backups, inform the data subject that personal data will exist in a backup, and when the backup will be deleted.  The burden will be on the organization to demonstrate why the backups were not deleted.  The organization should make sure that the personal data from the backup is never put back into an active or productive database and, of course, the personal data in the backup must be properly secured.