backup-retention-erasure

Backup Retention and Erasure Management

Overview

Backup and archive systems present unique challenges for data retention and erasure compliance. Unlike primary systems where individual records can be selectively deleted, backup media typically stores data as monolithic sets that cannot be surgically modified without restoration. When a data subject exercises the right to erasure under GDPR Article 17 or when a retention period expires, the organization must address personal data residing in backups. The technical infeasibility of granular deletion from backups is a recognized limitation, but it does not exempt organizations from their obligations — it requires documented interim measures and eventual deletion through backup rotation or restore-and-delete procedures. This skill provides the operational framework for managing backup data under retention and erasure obligations.

Legal Context

GDPR Recital 66 — Erasure in Online Environments

The right to erasure should extend to cases where the controller has made the personal data public — the controller should take reasonable steps to inform other controllers processing the data. In the backup context, this principle requires that erasure obligations extend to backup copies even when immediate deletion is technically infeasible.

GDPR Article 17(1) — Right to Erasure

The controller shall erase personal data "without undue delay." The EDPB and national DPAs have acknowledged that backup systems may require a longer timeframe, but have not granted an indefinite exception. The expectation is that backup deletion occurs within the next backup rotation cycle.

ICO Guidance on Backup Deletion

The UK ICO has stated that where it is not technically feasible to erase data from backup systems immediately, the organization should:

1. Put the backup data "beyond use" — ensure it cannot be accessed or used for any purpose.
2. Ensure the data is deleted when the backup is next overwritten or rotated.
3. Document the approach and timeframe.
4. Inform the data subject of the backup deletion timeline.

EDPB Position

The European Data Protection Board has acknowledged in various guidelines that backup systems may present technical challenges for erasure. The general position is:

• Immediate deletion from live/primary systems is expected.
• Backup deletion should occur within a reasonable timeframe aligned with the backup rotation cycle.
• During the interim period, the data in backups must be "beyond use" — not accessed for any purpose.

Backup System Types and Erasure Approach

Erasure Strategy by Backup Type

Backup Type	Description	Granular Deletion Possible?	Erasure Approach	Typical Cycle
Full backup (disk-based)	Complete copy of all data to disk storage	Generally no (restoring full backup and selectively deleting is possible but resource-intensive)	Wait for rotation cycle; implement restore-and-delete for urgent requests	Weekly-Monthly
Incremental backup (disk-based)	Only changes since last backup	No	Wait for rotation cycle	Daily
Differential backup (disk-based)	Changes since last full backup	No	Wait for rotation cycle	Daily
Tape backup (LTO)	Data written sequentially to magnetic tape	No (tape is sequential; selective deletion impossible without full rewrite)	Wait for tape rotation cycle; for extended retention tapes, consider restore-and-delete	Monthly-Annual
Cloud backup (managed)	Cloud-based backup service (e.g., AWS Backup, Azure Backup, Veeam Cloud Connect)	Depends on vendor — some support item-level recovery and deletion	Check vendor capability; if no granular deletion, wait for retention policy expiry	Per configured policy
Snapshot-based backup	Point-in-time copies of storage volumes	No (snapshot is immutable)	Wait for snapshot retention policy expiry; ensure policy aligns with retention schedule	Daily-Weekly
Database backup (logical)	SQL dumps, export files	No (dump file is a single file)	Wait for rotation; or restore to temporary environment, delete, re-export	Daily-Weekly
Archive (cold storage)	Long-term archival in cold/offline storage (e.g., AWS Glacier, Azure Archive, tape vaults)	No	Restore-and-delete for erasure requests; or wait for archive retention policy expiry	Annual-Multi-year

Backup Retention Alignment

Aligning Backup Cycles with Retention Schedule

The backup retention period must not exceed the longest applicable data retention period. If backups retain data beyond the retention schedule, the organization holds data in violation of the storage limitation principle.

Backup Retention Configuration for Orion Data Vault Corp

Backup Level	Retention Period	Rotation Cycle	Alignment with Retention Schedule
Daily incremental	30 days	Oldest daily deleted after 30 days	Shorter than all data category retention periods — compliant
Weekly full	90 days	Oldest weekly deleted after 90 days	Shorter than all data category retention periods — compliant
Monthly full	12 months	Oldest monthly deleted after 12 months	Shorter than most retention periods; CCTV (30 days) and unsuccessful applicant data (6 months) may need specific exclusion
Quarterly archive	24 months	Oldest quarterly deleted after 24 months	Covers marketing data (2 years); need to verify no shorter-retention categories are included unnecessarily
Annual archive	7 years	Oldest annual deleted after 7 years	Aligned with longest statutory retention (financial records: 6-7 years)

Gap Analysis

[For each data category in the retention schedule]
         │
         ▼
[What is the retention period?]
         │
         ▼
[Is this data included in backup sets that are retained longer than the retention period?]
   │
   ├── No ──► Compliant — backup rotation will delete data before or at retention expiry
   │
   └── Yes ──► COMPLIANCE GAP
               │
               ├── Option A: Exclude this data category from long-retention backup sets
               │     (segregate data by retention tier; back up separately)
               │
               ├── Option B: Reduce backup retention to match the shortest data category
               │     (may conflict with business continuity requirements)
               │
               └── Option C: Accept interim retention in backups with protective measures
                     (document "beyond use" controls; delete at next rotation)
                     MAXIMUM acceptable overshoot: 90 days beyond retention period

Restore-and-Delete Procedure

For situations where backup deletion cannot wait for the rotation cycle (e.g., urgent Art. 17 requests, DPA enforcement):

PROCEDURE: RESTORE-AND-DELETE
Organization: Orion Data Vault Corp
Procedure ID: BKP-RAD-001

TRIGGER: Art. 17 erasure request where data exists only in backups
         and backup rotation will not occur within an acceptable timeframe

PREREQUISITES:
- All primary system deletion confirmed complete
- Backup system granular deletion confirmed infeasible
- DPO has approved restore-and-delete approach
- Next backup rotation > 90 days away

PROCEDURE:

Step 1: Identify Relevant Backup Sets
   - Query backup catalog for sets containing data subject's data
   - List all relevant backup sets with dates and storage locations
   - Estimated effort: [hours/days]

Step 2: Provision Isolated Restore Environment
   - Create isolated network segment (no connectivity to production)
   - Provision temporary storage sufficient for backup restoration
   - Apply access controls (authorized personnel only)
   - Enable full audit logging

Step 3: Restore Backup to Isolated Environment
   - Restore the backup set(s) to the isolated environment
   - Verify restoration integrity (checksum validation)

Step 4: Execute Granular Deletion
   - Identify and delete the data subject's records from the restored data
   - Verify deletion (query for data subject's identifiers — zero results expected)

Step 5: Create Replacement Backup
   - Export the cleaned data as a replacement backup set
   - Verify replacement backup integrity
   - Store replacement backup in the same tier as the original

Step 6: Destroy Original Backup
   - Delete or overwrite the original backup set containing the data subject's data
   - If tape: degauss and destroy the original tape
   - If disk: secure overwrite of original backup files
   - Generate destruction confirmation

Step 7: Decommission Restore Environment
   - Securely wipe the isolated restore environment
   - Release temporary storage
   - Disable the isolated network segment

Step 8: Documentation
   - Record all steps in the deletion confirmation record
   - Update the data subject's erasure request file with backup deletion confirmation
   - Log total time and resources consumed (for future planning)

ESTIMATED TIMELINE: 5-15 business days depending on backup size
ESTIMATED COST: [Track for each execution — informs cost-benefit analysis]

Interim Protective Measures ("Beyond Use")

While personal data remains in backups pending rotation or restore-and-delete, the following interim measures must be in place:

"Beyond Use" Controls

Control	Implementation	Verification
Access restriction	Backup restoration requests require DPO approval for any data that has been deleted from primary systems or has exceeded retention	Quarterly audit of backup restoration requests
Purpose restriction	Backup data may only be accessed for disaster recovery or business continuity — not for operational use, analytics, or data subject requests	Policy documented; staff trained
Restoration screening	If a backup containing deleted data must be restored for DR purposes, the deleted records must be re-deleted from the restored environment before it goes into production	Restoration procedure includes deletion checklist
Suppression list	Maintain a suppression list of data subjects whose data has been deleted from primary systems. Cross-reference against any backup restoration to ensure re-deletion	Suppression list checked at every restoration event
Encryption	All backup media is encrypted (AES-256). Encryption keys are managed separately. In extreme cases, destruction of the encryption key can render backup data irrecoverable	Annual key management audit
Logging	All backup access, restoration, and deletion events are logged in an immutable audit trail	Monthly audit log review

Backup Restoration Procedure (with Erasure Compliance)

When a backup must be restored for disaster recovery and it contains data that has been deleted from primary systems:

[Disaster Recovery Event — Backup Restoration Required]
         │
         ▼
[Select Appropriate Backup Set for Restoration]
         │
         ▼
[Check: Does this backup pre-date any completed erasure requests or retention expiry deletions?]
   │
   ├── No ──► [Restore normally — no erasure compliance action needed]
   │
   └── Yes ──► [Retrieve Suppression List]
               │
               ▼
         [Restore backup to production environment]
               │
               ▼
         [IMMEDIATELY execute deletion of all records matching suppression list]
               │
               ├── Automated: Run deletion script against suppression list
               │   (pre-built script must exist — test quarterly)
               │
               └── Manual (if automated script fails): Assign to data team
                   with 24-hour SLA for completion
               │
               ▼
         [Verify deletion — zero records for suppressed data subjects]
               │
               ▼
         [Log re-deletion event in erasure confirmation records]
               │
               ▼
         [Resume normal operations]

Compliance Monitoring

Quarterly Backup Retention Audit

Check	Method	Expected Result
Backup retention periods align with retention schedule	Compare backup retention configuration against current retention schedule	No backup tier retains data longer than the longest applicable retention period
"Beyond use" controls active	Review access logs for backup restoration; verify DPO approval obtained for all restorations of post-deletion backups	Zero unauthorized restorations
Suppression list currency	Verify suppression list includes all data subjects deleted from primary systems since the oldest backup set date	100% coverage
Rotation compliance	Verify oldest backup set date matches expected rotation date	Within 7 days of expected rotation
Encryption verification	Verify all backup media is encrypted	100% encryption coverage
Restore-and-delete execution	For any pending restore-and-delete operations, verify progress and timeline	All operations within committed timeline

Metrics Reported to DPO

Metric	Target	Frequency
Average backup retention overshoot (beyond retention schedule)	≤ 90 days	Quarterly
Restore-and-delete completion time	≤ 15 business days	Per execution
Suppression list size (active entries)	Track trend	Monthly
Backup restoration events requiring re-deletion	Track count	Quarterly
Backup sets containing data beyond retention period	Zero (after rotation cycle)	Monthly