How the GDPR “Right to Be Forgotten” Impacts Your Data Protection and Backup Strategy

OCTOBER 10TH, 2023

A recent Harvard Business Review article says that, despite rising geopolitical tensions, cross-border trade rose above pre-pandemic levels in 2022 and will climb faster in 2024. 

That helps explain The Office of the United States Trade Representative's report that U.S. companies exported $592 billion in goods and services to the European Union (EU) in 2022. With so much money at stake, capturing a share of the EU market is a crucial growth strategy for millions of companies worldwide.

If your company does business in the EU, you are subject to compliance with the General Data Protection Regulation (GDPR). This mandate applies to any entity that collects or processes personal data from any person in the EU. And you must be aware of the GDPR’s “right to erasure,” also known as “the right to be forgotten.” 

The recitals in the GDPR covering this right state, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.”

What About Deleting Backed-Up Data?

The GDPR has devoted a webpage to the long list of circumstances where these rights apply. Compliance with this mandate adds new challenges, and one area where they increase is your data backup solutions and strategy. That’s because the GDPR doesn’t specifically address how the right to be forgotten applies to personal data in backups.

When users exercise their “right to be forgotten” by submitting a Subject Access Request (SAR), they will likely assume all their data is deleted, including backups. But finding an individual’s personal data, the proverbial needle in a haystack, can take tons of time.

It gets even more complicated when you consider that this personal data may be stored in multiple locations, applications, devices, and backups. Then there is archived data, which may be extremely difficult to find and restore.

The good news is that the GDPR is subject to interpretation. According to France’s GDPR supervisory authority, CNIL, you don’t have to delete backups when complying with the right to erasure. CNIL also confirms that you have one month to answer a removal request. And you don’t need to delete a backup set to remove an individual from it. 

The Danish GDPR supervisory authority says personal data must be deleted from backups where technically possible. But it’s unclear if that means technically possible at any cost or only when reasonably possible. 

Regardless, other authorities may have a stricter interpretation of the regulation, so you’ll need to be able to clearly explain to them that backups are kept for a specified length of time, as outlined in your retention policy. 

The GDPR Toolkit: Simplifying Legal Compliance

The GDPR offers a diversified toolkit that helps you dynamically manage and demonstrate your compliance with the regulation. The toolkit includes records of processing activities, information statements, data protection impact assessments, transfer frameworks, legal frameworks, and certifications or codes of conduct. 

The GDPR requires strong data backup and disaster recovery systems, and you must be able to restore and access personal data promptly if a physical or technical incident strikes you. Arcserve solutions ensure data disaster recovery, and our data backup solutions simplify compliance with these regulations.

The Arcserve Data Protection Officer: Supporting Your GDPR Compliance Efforts

Arcserve has developed a dedicated role—our Data Protection Officer (DPO)—to manage the entire GDPR compliance process. That includes supporting access to your company’s backups to view all email archives, set policies, respond to SARs, and maintain proactive and reactive control of your data.

When you choose Arcserve solutions, you also strengthen your governance, risk, and compliance (GRC compliance) capabilities by ensuring your data is protected and can always be recovered. Arcserve helps businesses worldwide comply with national, regional, and industry-specific mandates centered on customer data protection, collection, and use.

Get Expert GDPR Guidance

Look to an Arcserve technology partner for help establishing sound compliance policies and implementing effective data protection solutions.


To learn more about Arcserve’s compliance support capabilities, contact us.
