The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: When Honoring a "Right To Be Forgotten" Request Do I Have To Delete Personal Data From Backup Systems?
Answer: The GDPR is unclear on this point.
One of the main struggles companies face when confronting the right to be forgotten is that, while it may be possible to delete a data subject's information from the active servers or "live system," most companies also keep backups of their information for disaster recovery purposes. Backups may be stored either on static media (e.g., physical backup tapes) or on servers that mirror the live system. Selectively deleting one person's information poses a challenge in both types of environment.
In the former environment, information about a single person cannot simply be cut out of the media. Instead, the media usually must be mounted on hardware designed to read it, and the entire data set must then be read, or "restored." Once the data is restored, the data subject's information could in theory be deleted and the remaining data re-saved to new backup media for storage. Mounting, restoring, selectively deleting, and re-saving data from a single backup medium already poses substantial difficulties and costs; many organizations, however, hold dozens or hundreds of backup tapes reflecting snapshots of their data at different points in time. Completely eliminating the data a company holds about one individual across all of that media could therefore cost thousands of dollars (in some cases hundreds of thousands) and require a significant expenditure of time.
Where a disaster recovery system involves a mirror of the live environment, deleting information about a single person may be easier in theory, but the challenges can still be substantial. Disaster recovery strategies vary greatly, but many cloud or co-location based backup solutions store copies of the live environment in archived formats. Although no physical tape or disk needs to be mounted, the archive may still have to be restored before the information on it can be accessed and selectively deleted, and once the deletion is made the archive may need to be regenerated. Depending on the number of archives and the difficulty of restoring an environment, completely eliminating data from a company's backup system may therefore still require thousands of dollars and significant personnel resources.
The net result is that eliminating personal data about an individual pursuant to a right to be forgotten request may not be impossible, but it is often impractical.
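The restore, delete, re-save cycle described above, as an added illustration that is not part of the Bryan Cave article: a small Python program that builds three constructed weekly backup snapshots (tar archives of gzip-compressed JSONL files, an assumed layout), erases every record for one subject, and reports how much data had to be read and rewritten. The snapshot layout, record format and subject identifiers are assumptions made for the example; the point it shows is that the cost is driven by the total size of every snapshot, not by the amount of data held about the subject, and that a separate verification pass over all media is still needed afterwards.

```python
"""Selective erasure from static backup snapshots (added example, not from the article).

Assumed layout: each snapshot is a tar archive whose members are gzip-compressed
JSONL files, each record carrying a "subject_id" field.
"""
import gzip
import io
import json
import os
import tarfile
import tempfile


def write_snapshot(path, records):
    """Write one snapshot: a tar of gzip-compressed JSONL members (assumed layout)."""
    with tarfile.open(path, "w") as tar:
        for member_name, rows in records.items():
            payload = gzip.compress(
                "".join(json.dumps(r) + "\n" for r in rows).encode())
            info = tarfile.TarInfo(member_name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))


def _records(tar, member):
    """Decompress and parse one member; every member must be read in full."""
    raw = gzip.decompress(tar.extractfile(member).read()).decode()
    return [json.loads(line) for line in raw.splitlines() if line]


def scrub_subject(snapshot_paths, subject_id):
    """Remove every record for subject_id from every snapshot.

    Each archive is read end to end, every member decompressed and parsed,
    and any snapshot that held the subject is rewritten as new media and the
    old copy replaced. There is no way to splice one person out otherwise.
    """
    stats = {"bytes_read": 0, "bytes_written": 0, "records_removed": 0,
             "snapshots_rewritten": 0}
    for path in snapshot_paths:
        stats["bytes_read"] += os.path.getsize(path)
        kept, removed_here = {}, 0
        with tarfile.open(path, "r") as tar:
            for member in tar.getmembers():
                rows = _records(tar, member)
                survivors = [r for r in rows if r.get("subject_id") != subject_id]
                removed_here += len(rows) - len(survivors)
                kept[member.name] = survivors
        if removed_here:
            tmp = path + ".scrubbed"
            write_snapshot(tmp, kept)
            os.replace(tmp, path)  # new media replaces old; old copy is gone
            stats["bytes_written"] += os.path.getsize(path)
            stats["snapshots_rewritten"] += 1
            stats["records_removed"] += removed_here
    return stats


def subject_present(snapshot_paths, subject_id):
    """Verification pass: is the subject still anywhere in the backups?"""
    for path in snapshot_paths:
        with tarfile.open(path, "r") as tar:
            for member in tar.getmembers():
                if any(r.get("subject_id") == subject_id for r in _records(tar, member)):
                    return True
    return False


def demo():
    """Build three constructed weekly snapshots and erase subject 'u-42'."""
    tmpdir = tempfile.mkdtemp()
    paths = []
    for week in range(3):
        path = os.path.join(tmpdir, f"backup-week{week}.tar")
        write_snapshot(path, {
            "customers.jsonl": [
                {"subject_id": "u-42", "email": "erase-me@example.org"},  # constructed
                {"subject_id": "u-7", "email": "keep@example.org"},
            ],
            "orders.jsonl": [
                {"subject_id": "u-42", "order": 100 + week},
                {"subject_id": "u-99", "order": 200 + week},
            ],
        })
        paths.append(path)
    before = subject_present(paths, "u-42")
    stats = scrub_subject(paths, "u-42")
    after = subject_present(paths, "u-42")
    return before, stats, after


if __name__ == "__main__":
    print(demo())
```

Running the demo erases six records (two per snapshot) and rewrites all three archives; `bytes_read` equals the combined size of every snapshot, regardless of how little of it concerned the subject. In a real estate the same pass would have to be repeated for each tape or archive generation, and the `subject_present` check is what an organization would need to evidence that the request has actually been honoured across all media.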
Unfortunately, while the GDPR recognizes in the context of other individual rights that a company may not have to fully comply if compliance would involve "disproportionate effort" or "impossib[ility],"1 the section of the GDPR that confers on data subjects a right to have their information deleted contains no such exception. As a result, additional guidance may be needed from the Working Party (an influential, independent advisory body to the European Commission on data protection matters, chiefly comprised of representatives of each member state's data protection authority), from member state data protection authorities, and ultimately from the European Court of Justice before companies can know how far a right to be forgotten request must be taken.