The law itself was written by someone unaware of that. A lot of interpretations:
1. The most extreme, go back to all of your backups and delete them too.
2. You don't need to do anything, if you do not touch the backups and truly treat them for disaster recovery.
3. Your backups need to have reasonable retention (e.g. two years) and a way to apply post requests after recovery.
4. A lot of in between.
5. My personal interpretation is that in the first year of GDPR there will be so many companies that are not even trying to be compliant. Any company showing any reasonable effort will just be left alone and at worst hear some recommendations. Of course ad-tracking companies might get screwed, but their business model seems to be incompatible with GDPR.
Also the right to erasure can be tricky (e.g. what if you keep records for support/warranty purposes). What should you do if someone exercises their right to be forgotten and then asks you for a refund?
In what world is two years worth of backups required for reasonable retention? Either the backups are tiny or the company involved has got more money than sense. I'd see no reason, in any company, for backups to be held for longer than 6 months, and that would be an outside estimate (many companies could get away with only having a couple of months worth of backups).
In Norway you need to keep accounting data for ten years to be compliant with accounting laws, so if you lose eight of them you would be in violation.
Edit: I see you mean retention. I guess if you discover after a year that your backup routine is malfunctioning you need older backups, but that is not that common I'd guess.
Backups and archives are different matters. Archives are meant to never be altered (WORM disks[0]). Backups are made to be rewritten, ~~lost~~, or used for restoration.
If you have a lot of data, keeping backups for too long can be costly. But a lot of datasets are small (e.g. a few GB), which makes keeping backups for a really long time cheap enough.
If your datastore is small (e.g. an SQL table) but supersensitive (e.g. financial data), you may want to keep backups for a really long time and on a medium that doesn't allow easy modification (e.g. tapes or AWS Glacier).
I know some governments (e.g. Poland's social security) keep several backups in many locations for many years just as redundancy.
Answer to point 5: On first glance I would agree with this view, however, there is the factor of market competition you must take into account. If a company only receives a small fine for non-compliance (or is not prosecuted) then its competitor can make the argument that this is anti-competitive conduct as the non-compliant company has saved money through its non-compliance and the fine does not stand in relation to the money saved. Through this argument the fines could increase significantly over a very short timeframe placing great pressure on companies to observe the GDPR. As the money goes to the data protection authorities their ability to prosecute will grow steadily.
I believe (not a lawyer, etc.) that you don't have to delete from existing backups as long as you have a process to immediately wipe the customer details again if that backup is restored (and before any other processing can happen).
[edit to clarify that you wipe the customer details]
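The process the comment above describes (and the "way to apply requests after recovery" of interpretation 3 earlier in the thread) sketched as an added example; this is not code from anyone in this thread. It keeps an append-only erasure ledger beside the live store and replays that ledger over any restored backup before the restored copy is handed to application code. Everything concrete here is assumed for illustration: the customers table, sqlite3 in-memory databases standing in for the production database and the backup medium, the sample rows, and the salt used to pseudonymise identifiers in the ledger.

```python
"""Erasure ledger + post-restore replay (added example, not from the thread)."""
import hashlib
import sqlite3
from datetime import datetime, timezone

# Assumption: a per-deployment secret; in production use an HMAC key from a KMS,
# not a literal in source. The point is that the ledger itself should not be a
# readable list of the people who asked to be forgotten.
LEDGER_SALT = b"example-salt-replace-in-production:"


def pseudonym(email: str) -> str:
    """Keyed hash of a normalised identifier, used as the ledger key."""
    return hashlib.sha256(LEDGER_SALT + email.strip().lower().encode()).hexdigest()


def open_store() -> sqlite3.Connection:
    """Live customer store (assumed schema, in-memory stand-in)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT, notes TEXT)")
    return db


def open_ledger() -> sqlite3.Connection:
    """Append-only erasure ledger, kept outside the backup rotation of the store."""
    ledger = sqlite3.connect(":memory:")
    ledger.execute("CREATE TABLE erasures (subject_hash TEXT PRIMARY KEY, requested_at TEXT, legal_basis TEXT)")
    return ledger


def snapshot(db: sqlite3.Connection) -> sqlite3.Connection:
    """Take a backup: copy the live database into a fresh connection."""
    bak = sqlite3.connect(":memory:")
    db.backup(bak)
    return bak


def erase(db: sqlite3.Connection, ledger: sqlite3.Connection, email: str,
          legal_basis: str = "GDPR Art. 17 request") -> int:
    """Record the request in the ledger first, then delete from the live store."""
    ledger.execute("INSERT OR IGNORE INTO erasures VALUES (?, ?, ?)",
                   (pseudonym(email), datetime.now(timezone.utc).isoformat(), legal_basis))
    ledger.commit()
    cur = db.execute("DELETE FROM customers WHERE lower(email) = ?", (email.strip().lower(),))
    db.commit()
    return cur.rowcount


def replay_erasures(restored: sqlite3.Connection, ledger: sqlite3.Connection) -> int:
    """Re-apply every ledgered erasure to a restored copy; returns rows removed."""
    wanted = {row[0] for row in ledger.execute("SELECT subject_hash FROM erasures")}
    doomed = [cid for cid, email in restored.execute("SELECT id, email FROM customers")
              if pseudonym(email) in wanted]
    restored.executemany("DELETE FROM customers WHERE id = ?", [(c,) for c in doomed])
    restored.commit()
    return len(doomed)


def restore(backup: sqlite3.Connection, ledger: sqlite3.Connection) -> sqlite3.Connection:
    """Restore = copy backup into a new live DB, replay the ledger, only then return it."""
    live = sqlite3.connect(":memory:")
    backup.backup(live)
    replay_erasures(live, ledger)
    return live


def count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT count(*) FROM customers").fetchone()[0]


def demo():
    """Constructed scenario: backup taken, erasure requested, then a restore."""
    db, ledger = open_store(), open_ledger()
    db.executemany("INSERT INTO customers(email, name, notes) VALUES (?, ?, ?)", [
        ("alice@example.com", "Alice", "warranty claim 2017"),  # constructed sample rows
        ("bob@example.com", "Bob", None),
        ("carol@example.com", "Carol", None)])
    db.commit()
    bak = snapshot(db)                        # backup still contains Alice
    erase(db, ledger, "Alice@Example.com")    # later: Alice exercises her right to erasure
    live = restore(bak, ledger)               # disaster: restore from the older backup
    names = [r[0] for r in live.execute("SELECT name FROM customers ORDER BY name")]
    return count(bak), count(live), names


if __name__ == "__main__":
    print(demo())
```

The backup itself is left untouched (it still holds three rows), which is the point of the argument above: what matters is that no code path ever sees the restored copy before the ledger has been replayed. The ledger has to survive independently of the dataset it governs, or be restored from its most recent copy first; if it is inside the same backup set, a restore from before the request would silently forget the request too.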
Spot on. There are two major issues with the law as written: backups, and conflicts with (possibly local) data retention laws. So right now the local data retention laws will likely take precedence, and backups are not going to be in scope until a lot of low-hanging fruit has been plucked.
It's not nonsense, it just isn't quite put down in a way that is practical. On top of that, it just makes demands and does not even begin to give guidance on how to comply with them, which does not help smaller companies.