Backups and the right to be forgotten in the General Data Protection Regulation (GDPR)

A year ago, the General Data Protection Regulation (GDPR) has been introduced by the European Parliament and the Council of the European Union (EU). The GDPR intends to strengthen and harmonize the data protection legislation for all individuals within the EU while addressing the privacy harms emerging from the rapid change of data landscape in the big data era.

The GDPR encompasses some new data protection principles in order to give control back to individuals over their personal data such as the right to object to profiling or the right to data portability. However, the most controversial and widely debated right is the newly introduced Right to be Forgotten (RtbF). The RtbF allows the retroactive erasure of one’s personal data upon its request and from all available places they may have been disseminated.

Of particular interest are the implications of the RtbF for the backup and archiving processes taking place within each organizational unit that handles personal data. Notably, already well-established backup and archiving procedures are affected significantly from the GDPR requirements. Eugenia Politou and her colleagues from the University of Piraeus in Greece analyzed in this article the consequences of the RtbF implementation on the physical and cloud backup procedures along with its impact on the currently widespread protocols and standards adopted in the design of most systems.

Implications for the standards

Although the GDPR allows for some exemptions from the RtbF, it is expected that the well-established international standards (such as ISO/IEC 27000 series of standards) specific backup procedures will most likely be challenged under the law. This is because the concept of backup specified by these standards mandates the storing of exact copies of the data as a fallback mechanism that organizations should use only when things “go wrong.” Hence the standards consider the backups to be immutable and thereby they cannot or should not be edited, as each data modification would affect not only the data but also the entire backup.

Implications for data retention policies

While the GDPR does not mandate a specific timeframe for which personal data must be kept, data have a specific lifespan. Data retention periods are determined by sector-specific business requirements and relevant domestic legislation. Yet, the GDPR obliges the data controllers to ensure that the period for which the personal data are stored is limited to a strict minimum. These new requirements may present some technical challenges mainly since user data are not stored within a single system, but they are spread across multiple applications and storage, off-site and onsite, and they may be found under various forms such as emails, files, database records, etc. This implies that controllers need to search, identify and remove, in an efficient and timely manner any relevant personal data an individual requested to be erased.

Implications for the mediums

 The common practice for backup procedures is to oblige organizations to keep backups in the form of disks, which may vary from optical CDs, DVDs to even Blu-ray discs and hard discs, or in tapes. Tampering with the backups is by no means a straightforward procedure as the stored data might be in a deprecated format, a fact that requires additional effort for efficiently searching through its contents, thus increasing cost and complexity.

Implications for the search services

Current technology seems to fall behind in methods for efficient search algorithms capable of looking across the entire data landscape without any noticeable delays. As a result, for effectively implementing GDPR-compliant backup and archiving search services, the technological limits of data processing are required to be expanded.

Implications for ERPs and analytics

Organizations worldwide have adopted ERP (Enterprise Resource Planning) software in order to automate and manage their business processes. A software solution that collects, stores and analyzes data of personal nature, e.g. related to customers, needs to oblige to data protection laws and hence to the GDPR RtbF provision. Personal data discovery on systems of such magnitude and complexity could require an enormous amount of time and effort.

 

Tampering with backups is not a straightforward process, and it is heavily impacted by the data retention regulations and the mediums used for backups. Hence, applying the RtbF requirements on organizations’ long-term archival storage may not only severely affect business operations on tracking personal information within backed up and archived data, but it will also impose significant challenges on advanced ERP data analytics and automated business decisions. There will be profound implications for the backup standards, which need to be inevitably aligned with the GDPR provisions.

Cite: Politou, E., Michota, A., Alepis, E., Pocs, M. and Patsakis, C. (2018). Backups and the right to be forgotten in the GDPR: An uneasy relationship. Computer law & security review, 34, 1247-1257.

Source: https://www.sciencedirect.com/science/article/pii/S0267364918301389?via%3Dihub