We help IT Professionals succeed at work.

GDPR and/or CCPA Data Deletion Request and Backup Sets

David Mundt
David Mundt asked
I've got questions about GDPR and CCPA data deletion requests and backup sets. Its pretty straight forward to remove a person that has asked for data deletion from our production environment. My problem is our backup set and machine snapshots stored in AWS or Azure. I cannot find much information about whether or not we would be in compliance if we didnt delete data contained in encrypted/password protected incremental backup sets. Does anyone have any experience with this?
Watch Question

You do not need to delete the data from the backups as this is often technically impossible. Your formal restore procedures should include a mechanism or rule that if the data is restored from backup, you delete the data immediately again. So you need to keep some trail of what data needs to be deleted again.
Also evaluate your backup retention times. These are often much too long.
David MundtDirector of Information Technology


we spoke with a CCPA Attorney and you're 100% correct. Thank you!

Explore More ContentExplore courses, solutions, and other research materials related to this topic.