GDPR and Backup: A Potential Minefield Easily Avoided
In their current format, it will be impossible for backups and snapshots to comply with the right to be forgotten within GDPR; however, systems can be built with compliance in mind.
The right to erasure will also apply to all backups, which in turn would make it impossible to comply with the General Data Protection Regulation (GDPR) as searching for personal data in a backup is very impractical.
According to Andy Barratt, the UK MD of security consultancy Coalfire, we can assume that GDPR will only apply to data within the production system and that backups will be exempt.
There are a number of reasons why problems could occur with data that is held in backups and snapshots when there is a requirement to update, rectify or remove data to stay compliant with GDPR.
Data within a backup is not usually stored in its original application format; most often it is in a proprietary one. The software can also affect the ease with which data is searched, with some systems not allowing this function at all.
In the case of snapshots and incremental backups, data is stored in a completely fragmented form. “Backups are often point-in-time copies kept in an archive, off production systems,” said Barratt.
“For example, snapshots may comprise numerous deltas of previous copies that contain an entire chain of information about a person. So, they might provide different data depending on what you choose to restore.”
Technically speaking, data backups will contain data which is difficult to find and process with respect to the General Data Protection Regulation; however, this will only be a problem if it moves to the production systems.
“It is important not to overthink things from the technology point of view,” he said. “To maintain the data an organisation has is in its legitimate interest and the data might only have to pass through the production systems to come under GDPR.”
“So, if we do a restore and the data subject has requested it be erased or corrected, then any relevant data in that restored backup should be dealt with as requested,” he said.
The most important aspect is to ensure production data sets are fully compliant. A good method of doing this would be to store GDPR requests and apply them to the data before it moves over to production applications.
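One way to apply stored requests at restore time, as an added example that is not from the article or from Coalfire. The names `Request`, `subject_key`, `apply_requests` and `LEDGER_KEY` are hypothetical, and keying the ledger by a keyed hash (so the request store holds no raw identifier) is an assumption of this sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

LEDGER_KEY = b"constructed-demo-key"  # assumption: secret stored outside the backup set

def subject_key(email: str) -> str:
    """Keyed hash of the identifier, so the ledger holds no raw personal data."""
    return hmac.new(LEDGER_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

@dataclass
class Request:               # hypothetical ledger entry
    subject: str             # output of subject_key()
    kind: str                # "erase" or "rectify"
    received: str            # ISO 8601 date; requests are applied in this order
    changes: dict = field(default_factory=dict)

def apply_requests(restored, ledger, id_field="email"):
    """Filter restored rows through the ledger before loading them into production."""
    by_subject = {}
    for req in sorted(ledger, key=lambda r: r.received):
        by_subject.setdefault(req.subject, []).append(req)
    rows, audit = [], {"erased": 0, "rectified": 0, "unchanged": 0}
    for row in restored:
        row, outcome = dict(row), "unchanged"   # copy: leave the restored set intact
        for req in by_subject.get(subject_key(row[id_field]), []):
            if req.kind == "erase":
                outcome = "erased"
                break
            if req.kind == "rectify":
                # correct only fields the record already carries
                row.update({k: v for k, v in req.changes.items() if k in row})
                outcome = "rectified"
        audit[outcome] += 1
        if outcome != "erased":
            rows.append(row)
    return rows, audit

# Constructed sample: rows restored from an old backup, plus requests received since.
RESTORED = [
    {"email": "Alice@example.com", "city": "Leeds"},
    {"email": "bob@example.com", "city": "York"},
    {"email": "carol@example.com", "city": "Bath"},
]
LEDGER = [
    Request(subject_key("alice@example.com"), "erase", "2018-06-01"),
    Request(subject_key("bob@example.com"), "rectify", "2018-06-03", {"city": "Hull"}),
]

if __name__ == "__main__":
    print(apply_requests(RESTORED, LEDGER))
```

The audit counts give a record that every restore passed through the ledger, and the restored rows themselves are left unmodified.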
Barratt did recommend privacy-by-design as a solid solution. “We’re now seeing developers building GDPR application program interfaces that can process data requests as the data hits the application,” he said. “In the interim, what’s needed is to manage these requests so we know if data hits production and that it can be dealt with as required.”
“More widely, policies are required around the length of retention and erased when necessary,” said Barratt.