GDPR and/or CCPA Data Deletion Request and Backup Sets
I've got questions about GDPR and CCPA data deletion requests and backup sets. Its pretty straight forward to remove a person that has asked for data deletion from our production environment. My problem is our backup set and machine snapshots stored in AWS or Azure. I cannot find much information about whether or not we would be in compliance if we didnt delete data contained in encrypted/password protected incremental backup sets. Does anyone have any experience with this?
You do not need to delete the data from the backups as this is often technically impossible. Your formal restore procedures should include a mechanism or rule that if the data is restored from backup, you delete the data immediately again. So you need to keep some trail of what data needs to be deleted again.
Also evaluate your backup retention times. These are often much too long.
Also evaluate your backup retention times. These are often much too long.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial