[Symbiote]

This article [1] explains an important distinction between backups and archives.

"Backups exist in case information is accidentally destroyed. Backups should cover all information, but each one only needs to be kept for a short time: essentially however long it will take the organisation to discover the destruction. … Archives, by contrast, involve long-term storage of the organisation's history."

It concludes that it's probably not necessary to delete data from a backup — just keep a record of what requests for deletion were made, in the rare event that restoration from a backup is necessary.

And avoid storing personal data in archives, or else split it out by-person, so it can be deleted if required.

[1] https://community.jisc.ac.uk/blogs/regulatory-developments/a...

[dogma1138]

I’m not so sure about that multiple other vendors have or are in the process of implementing GDPR aware backups EMC/Dell allows you to flag records that will be purged from your backups and Microsoft is implementing pseudoanonymous backups for SQL.

https://azure.microsoft.com/en-us/blog/sql-database-long-ter...

Sure if your backup is only weekly or monthly until the next full one it might not be an issue but many companies keep full backs that span years and even decades.

Just one more point of data the GDPR doesn’t actually define a difference between backup and an archive. The article you’ve mentioned is essentially an untested legal argument that you may use in court if something happens or if the regulator audits you. But all of these arguments have not been tested yet in court and there is a lot of contradictory advice on essentially every part of the GDRP even at the most reputable levels (at this point ask the top 5 law firms in the UK and you’ll get 7 opinions).

[505aaron]

I'm not a lawyer, but that seems like it is open to too much interpretation. I feel like these laws only hurt the little guy. I can't even imagine all of that data that companies pass through third parties, like analytics services. It will be interesting to see how it all shakes out.

Fortunately, I don't have to do deal with it any time soon since I don't do currently do business in the EU.

[sandstrom]

Small nimble companies will have a (relatively) easy time supporting GDPR. I work at a small european tech company with lots of personal information.

Sure, there is some hassle but we’ll be able to adjust with a few weeks of work. Larger companies with more legacy stuff will have a harder time.

Also, the law is easy to read and quite sensible. Plus it’s great for consumers!

[dogma1138]

Larger companies are much more used to dealing with regulatory requirements.

They have huge legal teams and can hedge their risk and they have a relationship with the regulators.

Legacy software is actually a huge plus for the GDPR currently people might laugh at companies that run MSSQL or Oracle but all the major storage and backup solution vendors support record level backups for the database which means that it's easy to purge or anonymise a purged record, it also means that dealing with backups is now a turnkey solution from the likes of EMC.

A small company that run on flavor of the week DB and uses tarsnap for backup might have a much harder time figuring what is what.

Heck there are plenty of small companies that have an IT team of like 2-3 people that handle personal data for 100,000s of people and it might not even know where all of it's backups are.

"How sure you are that that seagate drive in the back of the closet doesn't have a copy of your database form 2 years ago?"

And most importantly small companies don't have the resources nor the knowledge on how to handle information requests under the GDPR.

I laughed about the idea of having launching handling the information requests as a service platform if I was crazy enough to come up with a way to actually make it work under the GDPR.

When I think of the GDPR what I see is potentially a lot of companies getting screwed over because they don't know any better as regulation of this extent usually only involved giants.

Say you are a company of 15-20 people you get a letter like this: https://www.linkedin.com/pulse/nightmare-letter-subject-acce... What are you going to do? Do you have a data protection and a privacy officer? probably not.. so now it's another hat that some one in your company needs to wear and I really pity the person who'll take this level of legal responsibility on themselves without having the right background, training support and more importantly time.

While this letter might not be pleasant such a letter would be a breeze to many large companies I work for a US financial institution (based in the UK).

This isn't any different than some letters we might get from a regulator or a customer/partner and there is essentially a production line overseen by both inhouse and external legal counsel.

There is a CIO and there privacy officers and compliance officers and champions in each department / team the entire process is essentially automated in an internal ticketing system which will go through a pre-defined workflow and invoke the right people and automated resources (e.g. data discovery), heck for like 90% of those questions we would have premade answers which were signed off by compliance and legal that are maintained upto date.

If you work for a small company and you don't have all these processes set up, you don't have legal counsel I really feel bad for you this isn't something that you can just wing it.

These large legacy companies were working on their GDPR compliance for years any company with a risk department with a pulse would've kicked of a steering committee / SWAT team in March of 2014 as soon as the initial draft was passed and kicked into full gear in 2016 when the final version was approved if not earlier.

I'm willing to bet you that there is a non-negligible number of small companies that didn't do anything as of april 2018 and many more that their GDPR preparation was having a few dev/devops folks sit through a webinar.

I'm really hoping that neither the former or the latter is the case for you but in case your statement "Sure, there is some hassle but we’ll be able to adjust with a few weeks of work." wasn't in tongue and cheek you have less than 50 days to prepare as the GDPR comes into effect on the 25th of May.

[zandor]

> If you work for a small company and you don't have all these processes set up, you don't have legal counsel I really feel bad for you this isn't something that you can just wing it.

But that is exactly the point. If a smaller company does not have the resources (both costs and competence) for something like this, then they should not be handling personal data at all. How would the same excuse sound if they don't have the resource to even secure personal data? Being too small is simply not a valid excuse.

[dannyw]

At a medium sized company, every single engineer received a hour’s worth of training on GDPR and teams were created to oversee implementation and compliance since 2016. GDPR definitely benefits big companies.

[rdtsc]

I imagine it is a non-linear graph. A really small company can probably assign someone to through the backups, unpack them, delete the user, re-backup everything mostly by hand. I assume a small company also means less data here. A medium size company that has more customers, and a more data collected might be at a bigger disadvantage. Not big enough to have a dedicated team on this task, and not big enough for a large legal department, but big enough to be swamped by requests and not process them in time and so on.

[dogma1138]

It's not that simple because there isn't a single type of small company.

Let's take 2 examples:

1) A small startup that has 20 employees have been around for say 2 years and likely have been serving a fairly small number of customers for a fairly limited amount of time say 6-12 months.

They are both technically capable and small enough to maybe adapt without breaking too many laws.

2) A small retailer/speciality trader with 8 employees that has been in business for 30 years, has digitized records from the 90's has been taking orders via the phone for that duration and had a computerized ordering system singe the mid 90's. They operate their own website on some ecommerce platform and do all the books, accounting and billing in house via some SMB accounting software e.g. Sage Books/Accounts/50 etc....

Over those 30 years they might have collected information from 10,000's or even 100,000's of individuals.

Number 2 is the real problem because these types of companies outnumber the tech bootstrapped startups what a 100 to 1? 10000 to 1? and there are plenty of small businesses that never really grow beyond their immediate market but still are successful enough to remain in business for decades.

On May 25th I can send a Subject Access Request letter to my fucking dry cleaner and they will be legally obliged to handle it within no later than one month, if that isn’t a kicker the I don’t know what is.

[kuschku]

> data that companies pass through third parties, like analytics services

That's exactly what this law was meant to prevent.

[IAmEveryone]

The right to demand deletion has actually been the law for several years now. I run a small online retailer with a few thousand customers. In 10 of business, I’ve seen one or two such requests. It takes about half a minute to anonymize the data we store.

[madez]

A promise not to touch data is not a deletion. If you can recreate the private data from backups, you did not comply with the deletion request.

[ewjordan]

Most lawyers seem to be advising the opposite, though, and say that backups are ok - do you have some knowledge here, or are you arguing the spirit of the law?

[IAmEveryone]

Backups are fine because they are short-lived. You obviously have a reasonable amount of time to implement a request for deletion, say a week or two.

If you are keeping year-old “backups”, that’s actually an archive. The difference shouldn’t be too difficult to understand because year-old data is obviously useless if you have restore your database.