by theptip 3122 days ago
This "right to be forgotten" requirement is quite staggering in scope. Do I need to dig out all of my offsite tape backups and re-transcribe them to edit out my user's data every time a user requests to be forgotten?

Sibling comments mention a cunning scheme with encryption, but that doesn't really help an enterprise with an existing non-GDPR-compliant backup archive.

3 comments

I asked a GDPR consultant we hired about backups. The answer was basically that the letter of the law requires data to be deleted from backups, but people aren't going to do that, and there is some language about "reasonable" effort or something like that.

This might be useful: http://www.davidfroud.com/does-right-to-erasure-include-back...

Deletion doesn’t have to be immediately complete; if you rotate backups on a six month period then that’s okay.

At least, that’s what I heard about how a BigCo is doing GDPR.

My understanding is that the GDPR “right to be forgotten” does not cover backups. There may be some exceptions, but there are practical limits on its reach.

I believe your understanding is incorrect. GDPR certainly includes storage and processing, both of which backups probably trigger.

Anyway, think about the spirit of the law, and then think about how that interacts with backups. If someone asks to be deleted from your system, you do so, and then you restore a backup with their data, you have clearly violated the intent.

Keep a log of deleted users and re-delete upon restore.

The GDPR contains exceptions for data storage for which it is infeasible or outside reasonable effort to delete individual records, or where you have legal compliance obligations to uphold.

Isn't the log of deleted users subject to the GDPR then?

You can make a log of deleted users without it containing personally identifiable information, by just storing the IDs.
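The "log of deleted users, re-delete upon restore" idea from the comment above, and the point that the log can hold only opaque IDs, as an added example (my own illustration, not code from anyone in this thread). It assumes a toy in-memory schema with a users table and an orders table keyed by user_id; the record layout and IDs are constructed for the demo.

```python
"""Restore-time re-deletion: a tombstone log of erased user IDs is replayed over a
backup snapshot so that restoring an old backup does not resurrect erased data.
Constructed example: the schema and IDs below are assumptions, not a real system."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DeletionLog:
    """Holds only opaque internal IDs and the time of the erasure request: no
    names, e-mails or other personal data, so the log is a compliance record
    rather than another copy of what it exists to remove."""
    entries: dict[int, datetime] = field(default_factory=dict)

    def record(self, user_id: int, when: datetime | None = None) -> None:
        # Keep the first request time if the same ID is logged twice.
        self.entries.setdefault(user_id, when or datetime.now(timezone.utc))


def erase_user(db: dict, user_id: int, log: DeletionLog) -> None:
    """Live-system erasure: drop the user and dependent rows, then log the ID."""
    db["users"].pop(user_id, None)
    db["orders"] = [o for o in db["orders"] if o["user_id"] != user_id]
    log.record(user_id)


def restore_backup(snapshot: dict, log: DeletionLog) -> dict:
    """Re-apply every logged erasure to a restored snapshot before it goes live.
    Any ID in the log is removed whether it was erased before or after the
    snapshot was taken, which is the case a plain restore gets wrong."""
    gone = set(log.entries)
    return {
        "users": {uid: rec for uid, rec in snapshot["users"].items() if uid not in gone},
        "orders": [o for o in snapshot["orders"] if o["user_id"] not in gone],
    }


def resurrected_ids(restored: dict, log: DeletionLog) -> set[int]:
    """Post-restore check: logged IDs still present anywhere are a failure."""
    present = set(restored["users"]) | {o["user_id"] for o in restored["orders"]}
    return present & set(log.entries)


# Constructed sample backup taken before user 2 asked to be erased.
BACKUP = {
    "users": {1: {"email": "a@example.com"}, 2: {"email": "b@example.com"},
              3: {"email": "c@example.com"}},
    "orders": [{"id": 10, "user_id": 1}, {"id": 11, "user_id": 2}, {"id": 12, "user_id": 3}],
}


def demo() -> tuple[dict, set[int]]:
    live = {"users": dict(BACKUP["users"]), "orders": list(BACKUP["orders"])}
    log = DeletionLog()
    erase_user(live, 2, log)  # erasure handled on the live system after the backup
    restored = restore_backup(BACKUP, log)
    return restored, resurrected_ids(restored, log)
```

The check in resurrected_ids is the part worth wiring into a restore runbook: a restore that brings back any logged ID should fail before the data is served again.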
No, since the GDPR exempts things you need for legal compliance, thus a list of users who have asked to be deleted is fine if it's being used to ensure compliance.

Given the fact that backup is a must for almost any system, it would be silly for GDPR to not "cover" backup files.

Interesting, if that's so, can we redefine the underlying Kafka topics as "backups" and achieve compliance by having the stream processors drop "forgotten" records when replaying a topic?

Good luck selling that one to a judge. Let us know how it goes!