Does GDPR apply to backup data?

by
Does GDPR apply to backup data

Data protection and privacy regulations like the EU’s General Data Protection Regulation (GDPR) have significant implications for how organizations store, manage, and protect personal data. This includes data contained in backups and archives.

GDPR does apply to personal data in backups, but with some important caveats. In this article, we’ll cover:

  • What types of data GDPR applies to
  • GDPR’s requirements for data controllers and processors
  • Whether GDPR applies to backup copies of data
  • Best practices for managing personal data in backups under GDPR

What types of data does GDPR apply to?

GDPR applies to “personal data” of EU residents (data subjects). Personal data is any information that can identify a person either directly or indirectly. This includes obvious identifiers like name, address, ID numbers, location data, and online identifiers. It also includes factors specific to “the physical, physiological, genetic, mental, economic, cultural or social identity” of a person.

Some common examples of personal data under GDPR include:

  • Names
  • Email addresses
  • Bank details
  • Posts on social networking sites
  • Medical information
  • Computer IP addresses
  • Photos and video
  • Human resources records

Personal data that has been “pseudonymized” – meaning the person’s identity is masked but could still be determined through additional processing – also falls under GDPR’s scope. GDPR does not apply to anonymized data where individuals can’t be identified.

What are GDPR’s requirements for controllers and processors?

GDPR places certain obligations on organizations that collect and process EU residents’ personal data. These organizations take on different roles:

  • Controllers determine why and how personal data is processed. They make decisions about storing, managing, using, disclosing, and deleting the data.
  • Processors access, handle, or store personal data on behalf of a controller. They follow the controller’s instructions but don’t make decisions about the purposes or means of processing.

Under GDPR, controllers and processors must:

  • Have a lawful basis for processing personal data and document it
  • Only collect data needed for specific purposes and limit access
  • Inform data subjects of data collection through privacy notices
  • Get explicit opt-in consent in many cases before collecting data
  • Appoint a data protection officer (DPO) in some situations
  • Implement data security safeguards like encryption and pseudonymization
  • Report data breaches within 72 hours of awareness
  • Facilitate data subjects’ rights to access, correct, delete, restrict, and transfer their data
  • Maintain detailed records of data processing activities
  • Use Binding Corporate Rules or standard contractual clauses when transferring data internationally

Additionally, data protection by design and default is a core principle under GDPR. This means building privacy into systems and services from the start, using the strictest privacy settings by default.

Does GDPR apply to backup copies of data?

GDPR doesn’t explicitly discuss backup data. However, since backups contain copies of personal data, they’re subject to GDPR requirements.

The key factor is the purpose limitation principle. This states that personal data can only be collected for specified, explicit, and legitimate purposes. It must not be processed in any way incompatible with those pre-defined purposes.

Backups are generally created to enable data recovery in case of incidents like system failures, data corruption, security breaches, or user error. Restoring data from backup is a compatible purpose under GDPR. But organizations still need to consider data minimization. Backups shouldn’t retain personal data longer than needed to fulfill the recovery purpose.

On the other hand, mining backups to profile users or target advertising would violate purpose limitation. So would selling backup tapes containing personal data or disclosing the data to unauthorized parties.

Below are some key factors determining how GDPR’s requirements apply to backup data:

Location of backups

If backup files containing EU personal data are stored on servers physically located within the EU, they’re fully subject to GDPR. This also applies if backups are stored in the cloud, on servers belonging to EU cloud providers or subprocessors. GDPR may have extraterritorial scope if backups containing EU data are stored elsewhere, depending on context.

Data controller vs. processor roles

An organization that manages its own backups of EU data takes on a controller role under GDPR. But if a third party like a managed service provider stores and manages backups on the organization’s behalf, that vendor is a processor. This affects legal obligations.

Anonymization

GDPR doesn’t apply to anonymous data where individuals can’t be identified. Some backup solutions like Commvault incorporate data anonymization features. This can help exclude backups of anonymized data from GDPR’s scope.

Data subject rights

Under GDPR, data subjects have rights like the right to access, erase, or transfer their personal data. Controllers and processors must facilitate these requests. Backups can make this complex if they contain “frozen” legacy data. But organizations still need processes to search backups and fulfill data subject rights where possible.

Data retention

GDPR requires personal data to be kept only as long as needed for its original purpose. Organizations must establish data retention policies and periodically review backup archives. They should securely delete personal data in backups that exceed the retention period and is no longer needed.

Best practices for managing personal data in backups under GDPR

Here are some best practices organizations can follow to comply with GDPR when backing up and restoring personal data:

Minimize data collection

Avoid backing up excessive personal data beyond what’s needed for disaster recovery purposes. Configure backups to exclude unnecessary data.

Anonymize where possible

Mask personal identifiers in backups through encryption or tokenization. Some backup tools offer built-in anonymization capabilities.

Encrypt backups

Encryption protects personal data in backups against unauthorized access. Use strong standards like 256-bit AES encryption at minimum.

Control access

Restrict backup access through role-based access controls, multi-factor authentication, VPNs, physical security controls, etc. This limits exposure of personal data.

Document policies and procedures

Maintain detailed documentation on backup processes, data mapping, retention schedules, access controls, etc. This helps demonstrate GDPR compliance.

Limit data retention

Automate processes to systematically delete personal data in backups exceeding defined retention periods. Don’t maintain backups longer than needed.

Allow data transfers

Have mechanisms in place to export copies of personal data from backups to fulfill data portability requests under GDPR.

Designate DPO

Appoint a data protection officer (DPO) to oversee privacy strategy for backups if required under GDPR based on your organization’s data processing.

Conduct risk assessments

Do data protection impact assessments before implementing new backup or restoration processes that could put personal data at risk.

Report incidents promptly

Have an incident response plan to quickly identify and report breaches involving personal data in backups within 72 hours as required.

Review service providers

When using third-party backup services, review their security controls,compliance, and policies to ensure alignment with your GDPR obligations.

Audit regularly

Conduct periodic audits and tests to identify any GDPR compliance gaps in backup environments. Review policies and procedures.

Using backups to recover personal data under GDPR

Restoring personal data from backup is generally compatible with GDPR as long as it aligns with the original processing purpose and adequate security controls are in place. However, restoring large sets of personal data can create GDPR compliance challenges.

Here are some best practices to follow when using backups to recover personal data under GDPR:

  • Document the lawful basis, purpose, and justification for restoring personal data from backup.
  • Only restore the minimum data needed to accomplish the defined purpose.
  • Use the latest backup possible to avoid retrieving outdated personal data.
  • Implement access controls so only authorized individuals can restore personal data.
  • Mask data during restoration to avoid exposing excess personal information.
  • Encrypt data in transit while restoring from backups.
  • Delete any temporary data copies created during restoration.
  • Promptly inform affected data subjects if a data breach occurs during restoration.
  • If restoring legacy personal data, assess obligations for data accuracy, storage limitation, and data subject rights.

Conclusion

GDPR creates complex considerations for managing backups containing EU residents’ personal data. While backups are still valuable for disaster recovery, organizations must implement appropriate controls around data minimization, retention, security, access, and subject rights.

With well-documented policies, encryption, access controls, retention schedules, and other measures, organizations can support GDPR compliance while still leveraging backups when needed. Striking the right balance is key to limiting data protection risks for businesses and individuals.