Last updated: 
1 week 2 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: Backups, Archives and the Right to Erasure

Monday, September 11, 2017 - 09:35

I was recently asked how the GDPR's Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn't happen.

The key point is that backups and archives are different. Backups exist in case information is accidentally destroyed. Backups should cover all information, but each one only needs to be kept for a short time: essentially however long it will take the organisation to discover the destruction. Since they are only needed when something goes wrong, access to them can be tightly limited by both process and technology. The legal basis for processing is likely to be the organisation's (and its data subjects') legitimate interest in recovering from accidents.

Archives, by contrast, involve long-term storage of the organisation's history. So they should only contain the selected subset of information that constitutes that history. Organisations intend that their archives will be used, so should store them with indexes and structures that make that easy. The legal basis for archives may well be that they are a legal obligation (see Jisc's record retention schedules) or else the legitimate interest in retaining an organisational memory.

Thus provided we don't try to keep backups for ever, or to archive everything, both types of processing should always have a legal basis and the right to erasure shouldn't arise.

Where personal data are being processed based on legitimate interests, the individual is entitled to raise an objection, under Article 21, requiring the organisation to check that its interest in the processing is not overridden by the resulting risk to that individual's rights and freedoms. For backups – with strong security, limited access and a short retention period – the risk should be very low and the balancing test straightforward to satisfy. Placing personal data in an archive may create greater risks, since the intention is that these will form a long-term record that can be accessed by others, so organisations need to ensure that data selected for archiving is clearly necessary for that purpose.