One of the more curious things I've wondered about is how the Right to be Forgotten impacts backups.
Obviously, you can't go to a backup (tape) and erase a particular record - at least easily.
How are people addressing this right with backups?
The only thing that would work would be some kind of "register" of those forgotten to ensure you're not pulling out their data when you do a restore or the like.
> DHerrmann (Newcomer III) posted a new topic in GDPR on 02-14-2019 04:18 PM
> One of the more curious things I've wondered about is how the Right to be
> Forgotten impacts backups.
Great question, really.
First off, the "Right to Be Forgotten" (aka RTBF) is hardly a recognized human right. It's a modern construct of the EU legal system (if, indeed, they actually have one) and, therefore, still a work in progress. (Or regress.)
Most of what has been written, argued, and opined about RTBF has to do with search engines. Most of the decisions are slaps and fines against Google for allowing decisions and events to be searchable. (As such, there is a strong case for those who say that RTBF is not actually a right, but a cash cow.) Actual stories don't have to be taken down, just the Google links to them.
If RTBF was actually useful, it would require chasing down, for example, cyberbullying via posting of naked selfies as revenge pr0n. So far I've never seen a case that involves such a thing, so RTBF is still a cash cow for the EU and not a useful tool or concept.
By extension, therefore, backups are not subject to RTBF. As soon as someone or some corporation finds a way to make huge amounts of money charging people for cloud backups, then the EU will extend RTBF to ensure that they can fine the heck out of that corporation for keeping backups.
My DPO told me he reads the GDPR regs to require erasing a subject's data from backup media. He's a privacy attorney, and a very good DPO.
Let's assume that his interpretation is correct. How exactly are companies supposed to do this?
Here's some useful guidance on this from the Information Commissioner's Office, the public body responsible for upholding information rights in the UK:
"Do we have to erase personal data from backup systems?
If a valid erasure request is received and no exemption applies then you will have to take steps to ensure erasure from backup systems as well as live systems. Those steps will depend on your particular circumstances, your retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to you.
You must be absolutely clear with individuals as to what will happen to their data when their erasure request is fulfilled, including in respect of backup systems.
It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten.
The key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. You must ensure that you do not use the data within the backup for any other purpose, ie that the backup is simply held on your systems until it is replaced in line with an established schedule. Provided this is the case it may be unlikely that the retention of personal data within the backup would pose a significant risk, although this will be context specific. For more information on what we mean by ‘putting data beyond use’ see our old guidance under the 1998 Act on deleting personal data (this will be updated in due course)."
@RRehm - that's probably exactly what will be required. But can you imagine running such a process at 2am after a disaster requires backup from tape? You're rushing to get your system back up and running, but you need to wait to discover "forgotten people" and remove them all.
It's definitely a new paradigm, isn't it!
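The "register of those forgotten" proposed in the opening post, and the post-restore clean-up step the last reply worries about running at 2am, can be sketched as a small script. The following is an added example and not code from any poster or from the ICO guidance quoted above; it assumes a register that holds only a keyed hash of each erased subject's identifier (so the register is not itself another copy of the personal data), a JSON file as the register's storage, and restored records shaped as dictionaries with an `email` field. The pepper, identifiers and records are constructed for the example.

```python
"""Erasure register applied to records restored from backup (constructed example)."""
import hashlib
import hmac
import json
from typing import Optional

# Pepper for the keyed hash. Assumption for this example: in a real deployment it
# would come from a secret store and be backed up separately from the data it covers.
REGISTER_PEPPER = b"example-pepper-not-for-production"


def subject_token(identifier: str) -> str:
    """Keyed hash of a normalised identifier (e.g. an e-mail address).

    Normalising first means a request for "bob@example.com" also matches a
    backup row stored as "Bob@Example.com".
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(REGISTER_PEPPER, normalised, hashlib.sha256).hexdigest()


class ErasureRegister:
    """Register of fulfilled erasure requests, keyed by subject token only."""

    def __init__(self) -> None:
        self._entries: dict = {}

    def record_request(self, identifier: str, request_id: str, fulfilled_on: str) -> None:
        self._entries[subject_token(identifier)] = {
            "request_id": request_id,
            "fulfilled_on": fulfilled_on,
        }

    def lookup(self, identifier: str) -> Optional[dict]:
        return self._entries.get(subject_token(identifier))

    def __len__(self) -> int:
        return len(self._entries)

    def to_json(self) -> str:
        # Serialised form contains tokens and request ids, never raw identifiers.
        return json.dumps(self._entries, sort_keys=True)

    @classmethod
    def from_json(cls, data: str) -> "ErasureRegister":
        reg = cls()
        reg._entries = json.loads(data)
        return reg


def apply_register(restored_records, register, identifier_field="email"):
    """Drop restored records whose subject is in the register.

    Returns (kept_records, audit_log). A record with no identifier field is kept
    but flagged for review rather than silently passing the filter.
    """
    kept, audit = [], []
    for rec in restored_records:
        identifier = rec.get(identifier_field)
        if identifier is None:
            kept.append(rec)
            audit.append({"record_id": rec.get("id"), "action": "review",
                          "reason": "no identifier field"})
            continue
        hit = register.lookup(identifier)
        if hit is None:
            kept.append(rec)
        else:
            audit.append({"record_id": rec["id"], "action": "suppressed",
                          "request_id": hit["request_id"]})
    return kept, audit


# Constructed sample: what a restore from a backup taken before the requests might return.
SAMPLE_RESTORE = [
    {"id": 1, "email": "alice@example.com", "plan": "basic"},
    {"id": 2, "email": "Bob@Example.com", "plan": "pro"},    # case differs from the request
    {"id": 3, "email": "carol@example.com", "plan": "basic"},
    {"id": 4, "plan": "trial"},                             # identifier missing
]


def build_sample_register() -> ErasureRegister:
    reg = ErasureRegister()
    reg.record_request("bob@example.com", "REQ-0001", "2019-01-20")
    reg.record_request("carol@example.com", "REQ-0002", "2019-02-02")
    return reg


def demo():
    # Round-trip through JSON to mimic loading the register from its own storage.
    reg = ErasureRegister.from_json(build_sample_register().to_json())
    return apply_register(SAMPLE_RESTORE, reg)


if __name__ == "__main__":
    kept, audit = demo()
    print(json.dumps({"kept": kept, "audit": audit}, indent=2))
```

The register must be stored and backed up independently of the data it filters, otherwise a restore of an older backup would also roll back the list of people who have since been erased. The audit log is what lets you show afterwards that the restored copies were put beyond use rather than quietly reintroduced.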