When does my organization have to delete personal data under the GDPR?
The GDPR requires organizations to delete personal data in certain circumstances. For example, when your organization has received a valid erasure request (known as the “right to be forgotten”) and no exemption under Article 17 of the GDPR applies. Additionally, data controllers must erase personal data (i) when there is no longer a legal basis for processing such personal data (ii) as a result of a deletion deadline according to their data retention policies, or (iii) at the request of a supervisory authority ordering the controller to comply with a data subject’s right to erasure request.
What personal data have to be deleted?
While it is clear that this erasure obligation covers personal data in production information systems, organizations may well wonder whether this obligation also requires them to delete personal data from backup systems and archives. Many companies keep database backups for disaster recovery purposes (this is an obligation under the GDPR1), and the truth is that it is often not easy nor practical to remove a single record from the backups.
Deleting a backup or manipulating the files therein can be a problem for the integrity of the backup as a whole. For instance, in read-only files, the deletion of any of the data could corrupt other information not associated with the user. Besides, many backup files are compressed and do not allow their contents to be searched or manipulated without restoring the whole backup, making finding and deleting information of a specific individual difficult. Finally, deleting the individual’s personal data without affecting other (non-personal) data that does not have to be deleted is not always feasible because many backup products that allow searches within the backup cannot erase the individual’s data without deleting the whole file or record where the information is contained. Then, depending on the number of archives containing personal data, the difficulty to restore an environment, and the kind of disaster recovery tool used, erasing all personal data in a backup system without scrapping the backup entirely may cost an organization thousands of dollars, and compliance with one request could be somebody’s full-time job.
For these reasons, it is crucial to clarify whether your organization is obliged to erase personal data from backup systems.
In short, yes, it is.
The text of the GDPR does not mention any exceptions for personal data contained in backups and, it does not recognize (as it does in the context of other rights2) that a company may not have to honor an erasure request if compliance proves to be impossible or would involve a disproportionate effort. Organizations must delete the data in all its locations without undue delay.
But don’t panic! Enforcement authorities know how difficult it is to fulfil this obligation in practice.
The Danish supervisory authority issued guidance on data deletion (available in Danish) explaining that personal data must be deleted from backups where technically possible. This may be the case when the backup consists of an uncompressed copy of a database that allows deletion to be performed in the same way as for the live system. If it is not technically possible to delete individual data in a backup, then the organization has to ensure that the concerned data that have been deleted from the production system are again removed in the event that a backup is restored to production. The watchdog recommends, for this purpose, to keep a log of deletions performed in the live system. However, such log should respect the data minimization principle: i.e., instead of containing an explicit reference to the data subject, the log can indicate, for example, that a given row in a table has been deleted at a given time. Also, the authority issued a recommendation to impose a 160,674 Euro fine on a company that failed to ensure and demonstrate (beyond manually updated deletion logs) effective deletion of personal data, including in backup files, among other infringements3. The regulator specified that a retention and deletion strategy must provide for deletion logs in systems and processes to ensure that deletion is carried out based on logs in accordance with requirements as set out in internal procedures.
Similarly, the UK’s supervisory authority (the “ICO”) released guidance on the right to erasure indicating that it is necessary to take steps to ensure erasure from backup systems. Such steps depend on the organization’s particular circumstances, its retention schedule (particularly in regards to backups), and the technical mechanisms that are available to the organization. Importantly, the ICO emphasizes that organizations must be “absolutely clear with individuals as to what will happen to their data when their erasure request is fulfilled, including in respect of backup systems”. It recognizes that while an erasure request can be instantly fulfilled in live systems, the data will remain within the backup environment for a certain period until it is overwritten. In those cases, the ICO has clarified that it will be satisfied if the backup data are put ‘beyond use’, even if it cannot be immediately overwritten. This means that the organization must guarantee that it will not use the data within the backup for any other purpose, this is to say that the data is merely held on the systems until it is replaced in line with an established schedule and it commits to permanent deletion of the information if, or when, this becomes possible4. When data are put beyond use, the ICO considers that it is unlikely that the retention within backups would pose a significant risk, although this will be context specific.
How should this be done in practice?
- As the authorities have stressed the importance of transparency, both your privacy notice and your communications with the data subject should be extremely clear about the limitations of deletion of personal data from backups. Specify that even when the individual has validly exercised their right to be forgotten, there is no longer a legal basis or it is time to delete data according to your retention schedule, their data contained in backups will only be deleted or overwritten at a later time, according to the backup and retention schedule – and indicate when.
- Schedule backups in such a way that the backups are only stored for a specified, limited, and reasonable time.
- Implement an automatic deletion logging system which reminds administrators that certain data must be deleted again after a backup is restored to production, but that still respects the data minimization principle.
- Protect your backups (by means of encryption, secure offsite storage, and environmental controls, among other measures).
The best solution will depend on the technical capabilities of your organization. For example, some cloud solutions allow for granular searching within backup systems. In any case, the American and European privacy and cybersecurity experts at VeraSafe are glad to offer you tailored advice to comply with your obligation to erase personal data. VeraSafe’s professionals can evaluate the risk of arising from your organization’s current deletion practices and assess whether these practices are likely to be acceptable to a supervisory authority. Our technology professionals are careful to take into account your budget, needs, and risk tolerance.
Article 32(1) (c) mentions “ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” as an appropriate technical and organisational measures to ensure a level of security appropriate to the risk that controllers and processors shall implement.
In relation with the right to inform, recital 62 GDPR provides that it is not necessary to impose the obligation to provide information where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort.
The decision is available in Danish at https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/mar/tilsyn-med-taxa-4x35s-behandling-af-personoplysninger/
The ICO offers further guidance on what is meant by ‘putting data beyond use’ in its old guidance under the 1998 Act on deleting personal data (which will be updated in due course), available at https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf