GDPR: Backups, Archives and the Right to Erasure

I was recently asked how the GDPR’s Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn’t happen.

The key point is that backups and archives are different. Backups exist in case information is accidentally destroyed. Backups should cover all information, but each one only needs to be kept for a short time: essentially however long it will take the organisation to discover the destruction. Since they are only needed when something goes wrong, access to them can be tightly limited by both process and technology. The legal basis for processing is likely to be the organisation’s (and its data subjects’) legitimate interest in recovering from accidents.

Archives, by contrast, involve long-term storage of the organisation’s history. So they should only contain the selected subset of information that constitutes that history. Organisations intend that their archives will be used, so should store them with indexes and structures that make that easy. The legal basis for archives may well be that they are a legal obligation (see Jisc’s record retention schedules) or else the legitimate interest in retaining an organisational memory.

Thus provided we don’t try to keep backups for ever, or to archive everything, both types of processing should always have a legal basis and the right to erasure shouldn’t arise.

Where personal data are being processed based on legitimate interests, the individual is entitled to raise an objection, under Article 21, requiring the organisation to check that its interest in the processing is not overridden by the resulting risk to that individual’s rights and freedoms. For backups – with strong security, limited access and a short retention period – the risk should be very low and the balancing test straightforward to satisfy. Placing personal data in an archive may create greater risks, since the intention is that these will form a long-term record that can be accessed by others, so organisations need to ensure that data selected for archiving is clearly necessary for that purpose.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *