The European Commission's General Data Protection Regulation (GDPR) took effect in May 2018 with the purpose of:
- strengthening the protection of EU citizens' data, and
- increasing their say in how their data is used.
To this end, the GDPR specifies a number of articles that organisations need to comply with. Two of these are relevant to Redstor's services.
According to Article 17 of the GDPR, "the data subject shall have the right to obtain from the [data] controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay".
This right assumes that organisations hold data in a structured way that allows it to be easily searched and deleted. Organisations may have the capacity to search the data they hold, but a search term may be found in several locations, including backup and archive data sets that are kept for data management and protection purposes.
Since complete erasure can be extremely impractical for organisations, France's National Commission on Informatics and Liberty (CNIL) suggests, for example, that an organisation does not have to delete all backups containing a reference to a data subject as long as it can clearly explain to the subject that their personal data has been removed from production systems, and that any relevant backups will expire after the company's set retention time.
The Information Commissioner’s Office (ICO), which enforces the Data Protection Act 2018 (DPA) in the UK, states that it will be satisfied "as long as [the subject's] information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it:
- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- does not give any other organisation access to the personal data;
- surrounds the personal data with appropriate technical and organisational security; and
- commits to permanent deletion of the information if, or when, this becomes possible."
However, the ICO encourages data controllers to "work towards technical solutions to prevent deletion problems recurring in the future".
In short, individuals have the right to know what happens to their data when it is due for erasure. Erasure for GDPR purposes can refer either to (a) the actual deletion of the data or, where this is not possible in backups, (b) putting the data 'beyond use' as described above. As a Redstor customer, you will need to ensure that such data is not reintroduced into production in error, as this would result in the data no longer being 'beyond use' and therefore in violation of the DPA. The ICO explains it as follows:
If a valid erasure request is received and no exemption applies then you will have to take steps to ensure erasure from backup systems as well as live systems. Those steps will depend on your particular circumstances, your retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to you.
You must be absolutely clear with individuals as to what will happen to their data when their erasure request is fulfilled, including in respect of backup systems.
It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten.
The key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. You must ensure that you do not use the data within the backup for any other purpose, i.e. that the backup is simply held on your systems until it is replaced in line with an established schedule. Provided this is the case it may be unlikely that the retention of personal data within the backup would pose a significant risk, although this will be context specific. For more information on what we mean by ‘putting data beyond use’ see our old guidance under the 1998 Act on deleting personal data (this will be updated in due course).
You may find the following guides useful:
- Article 106 - How to configure roll-ups and retention
- Article 424 - How to delete an Account
- Article 1055 - How to delete a mirrored Account from a MirrorServer
- Article 1099 - How to add or delete a Collection
- Article 1100 - How to add or delete a Group
- Article 1278 - Deleting archived accounts
If you need help deleting data for GDPR purposes, please log a support ticket.
According to Article 32 of the GDPR, "the controller and the processor shall implement appropriate technical and organisational measures to ensure [...]:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident [...]"