[SahAssar]

I fully agree with you, but there are many technical services/platforms that assume things that are not compatible with that thinking. Those will have to change, but they are still not up to speed.

Let me preface my question with the statement that I mostly love the GDPR, and I think it greatly improves privacy and digital rights and I will exercise some of those rights come May 25:th against companies that I feel have needlessly collected data on me.

That said I (as a data controller) think that in many cases that the guidelines are very weak or undefined on subjects like logs or backups. I (as a private individual) think that any deletion request should automatically apply to logs and backups, but also I (as a data controller and...) as a operator of a service see it as a problem to have backups be mutable and have large swaths of data need to be deleted from backups and logs.

Is there any way to reconcile these ideas?

[_o_]

Sorry for late reply. For old data, the easyest way is to burn the tapes and make new backups. Now about new backups, here it becomes nasty as typically they aren't organized granulary enough (but you also need this for exporting the data on user request, so you just need to do it). Instead of backuping the whole databases, backup each users data separately, maybe database partitioning, table inheritance (postgres) or something else, hard to be specific here. Once you did that, backup the data by encrypting them with random key (long enough, we are using 32 bytes of random garbage) for each user while storing those keys on simply modifiable storage, cloud, whatever in triplets. Once the user requests data deletition, just destroy the key. We did it this way and it is great solution (and we DID burn the tapes literaly, luckly we have business data separated physically from everything else from the start).

Logs are destroyed each week and the customer will be notified. Also we anonymize ips and reverse lookups by hashing them, while we still can identify the same visitor.

I hope I was helpful :)

[tatersolid]

If You’re really destroying your logs each week you’re not meeting a lot of regulatory requirements, such as PCI if you accept credit cards.

Most security-oriented regulations, and indeed so-called “best practice”, requires keeping logs for security auditing purposes for at least a year if not longer. They’re often the only tool you have to detect when and how a breach began.