Two of the primary aims of the European Commission's General Data Protection Regulation (GDPR) are:
- to strengthen the protection of EU citizens' data, and
- to increase their say in how their data is used.
According to Article 17 of the GDPR, "the data subject shall have the right to obtain from the [data] controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay".
This right assumes that organisations hold data in a structured way that allows it to be easily searched and deleted. Organisations may have the capacity to search the data they hold, but a search term may be found in several locations, including backup and archive data sets that are kept for data management and protection purposes.
When a data subject exercises their right to data erasure from a data controller's records, this means full erasure, even if erasure from certain locations presents a challenge for the data controller. According to the UK Information Commissioner’s Office (ICO), "there is no provision in Article 17 for partial erasure due to technical constraints. If a request for erasure under Article 17 is valid, it will be difficult to justify continuing to hold any version of the data which falls under the request”. Data controllers will therefore get no sympathy for not being able to find records in, and delete records from, their backups and archives.
This is where Redstor comes in. Backups and archives created and stored with Redstor can be searched to make sure that every reference to a data subject is found. The deletion of a set of found references is simple and can be monitored as it happens.
For more information on GDPR, see our website.