General Data Protection Regulation (GDPR)

[paulhardy]

Just wondered how many of us have started thinking about the impact of GDPR on backups or rather the potential need to remove personal data from backups at the request of an individual? Although I think its unclear if the data removal extends to all backups but is covered in Acticle 17 ' right to erasure'. I'm not a GDPR expert infact only recently came across the news this comes into force MAY 2018!

https://en.wikipedia.org/wiki/General_D ... Regulation

Interesting world trying to protect against ransom attacks with air gapped backups, as mentioned in Gostev digest, but also the potential conflicting requirement to automate the removal of data.

[Mike Resseler]

Paul,

As far as I see it, this won't be applicable to backups. The right to erasure is important for production data which is "live". However, having a backup of that data does not mean you also need to delete that data from the backups. What happens when you have a legal issue afterwards and you need the data in court?

I hope though things will become more clear in the future

[Gostev]

That would be a nice loop hole if this was applicable to backups! Open a bank account, do some money laundering, and then exercise my right to erasure to delete all traces of me from everywhere, including backups! Ermm no, I don't think this is happening

And let's not forget WORM tapes and storage devices, from which you are physically unable to delete any part of data once you put it there.

[ChrisJ83Knights]

Hi

Does anyone know the official line on this?

I was told it would include backups and that we should only look to be planning for 1 years retention and then the practice management software would deal with GDPR.

I have always worked towards keeping 7 years backups but am unsure how GDPR will affect this.

Many thanks

[Mike Resseler]

Hi Chris,

From what we can see today, backups are included as following:

1) When you store data with is considered personal or sensitive data (customer data for example) then the data of habitants of the European union (the backup) should reside in the European Union (location) and even the backup copy jobs or tapes should be there unless you have a system where the customer (each and one of them) has given you permission to store it outside the US. You need to be able to prove that with reporting

2) You are allowed to have data of such kind on your backups, even if that person already has claimed his right to be forgotten. However, you are not allowed to do a restore of that data (unless in a case of a lawsuit or similar)

Then there is quite some things where you can put your backups at work to prove things for auditors or that your (soon to be appointed data protection officer (DPR)) can use to prove that you are compliant. Reports from Veeam ONE can prove that you are using SureBackup and therefore test regularly to prove that you are regularly test and assess of the effectiveness of your GDPR measures (it is a part of a whole system but certainly proves the backup / DR part already). Another example would be the Protected VMs list report that would give you a proof that you are safeguarding your data (and the data of an individual from the European Union)

So to summarize: As of today, what we know, backups won't be affected that much by the GDPR, however, the Veeam Availability Suite has reports and data that can help your DPR to prove the compliance

Hope it helps and makes sense
Mike

[paulhardy]

Thanks for your feedback everyone

[ChrisCA]

I've been looking into requirements for the incoming general data protection regulations and there's an interesting new set of requirements regarding the right to erasure, where there is an obligation on any business holding individuals data to delete it once it is no longer required, or if requested. I checked with the Information Commissioners Office and they consider that to include removing the data from backups.

This should be interesting...

Is there any mechanism in Veeam to remove data from an existing backup or backup chain?

[Mike Resseler]

Chris,

Who is the information commissioners office? Because from what we know, there is no need to remove that data from the backups. On the contrary, it would make every legal action afterwards impossible. As Anton stated above, we would create the perfect scheme for money laundering.

What we do know is that when you do a restore, you will need to make sure that the data that is erased suddenly does not reappear again.

Anyway, if you would give me some more details about that Office, that would be appreciated as I will investigate further

[ChrisCA]

Hi Mike,

The ICO is the UK's organisation set up originally I believe for the data protection act which is going to be "policing" the gdpr. Anton's point is dealt with on this page - https://ico.org.uk/for-organisations/da ... o-erasure/ under the section "when can I refuse to comply with a request for erasure?".

Your points above sound interesting re being allowed to keep data in backups and that definitely seems to be the best way of handling it. My worry is backup isn't mentioned in the regulations at all, and I had a webchat with a rep from the ICO where he confirmed that data should be removed from backups.

Interestingly there is a loophole where cloud connect repos wouldn't fall under the same requirements, assuming you guys are working on a way to "airgap" backups to vcc

[Mike Resseler]

I think that the ICO rep might not be 100 percent correct. We (at Veeam at least) are continuing to investigate this but as you see for yourself, there is a lot of confusion around this new set of rules. And backup is indeed not mentioned anywhere (besides article 25 but that is about making sure that you can recover the data ).

Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

As long as we are talking about payments, orders and so on... the data remains necessary for accounting and legal and whatever purposes so if there has been some sort of action, then that data certainly should not be deleted.

Feel free to share more information that you received. We continue to look at it and discuss this internally

Thanks
Mike

[ChrisCA]

I'm really hoping the ICO rep isn't correct - can you imagine dealing with this in windows server backup?

Its definitely an interesting problem. There just doesn't seem to be any workable way of achieving what the gdpr is trying to achieve with current backup technology, but without the requirement to remove data from backups the right to erasure seems completely pointless. How do you manage the difference between say a copy of an excel file and a backup?

[dellock6]

I feel like the difference is more in the involved procedures rather than technical. With live data I can just open them and access the information they hold, like in your example, I just need to open the excel file and read its content. With backups, in order to access the data again i need to start or request a restore operation; if this operation is forbidden in some way (it may be technical or simply a procedure) then the data cannot be read again unless the restore is completed.

[Gostev]

What Luca said makes perfect sense. Online data is readily available to all production applications and processes. Backups, on the other hand, are usually impossible to get to (even without GDPR, most companies secure access to their backups very tightly, because it is the easiest way to steal company's data).

One interesting fact here is that erasure of data from production automatically turns "backup" into "archive" (as the very difference between backup and archive is whether the protected data is still present in production). While it sounds like a subtle difference, you have to keep in mind that there are existing legal requirements associated with the data archival when a company is legally required to perform one. For example, to be compliant you must ensure data immutability - that is, at any point of time the archived documents retrieved from the archiving system must be the same as originally saved in the system. In other words, you can't simply delete a person from an archived spreadsheet, because as soon you do this to "meet" GDPR, you will instantly fail at another equally important legal requirement. Catch-22? Although, as I have already noted - purpose-built, certified data archival systems ensure immutability by simply not supporting modification of data (WORM tapes, hardware-based write lock for disk storage, etc.)

[SBarrett847]

This topic has come up in discussion in our company - any legal opinion we've received has told us that we must delete ex customer data, including from Archive tapes. I'm not sure the received Legal opinion is fully cognisant of the Technicality of what this involves.

I think an Official Line from Veeam as to their understanding of the situation would be very helpful for customers, planning deployments, and dealing with Legacy Archives.

[Mike Resseler]

Stephen,

We are also in the process of dealing with legal to get a definitive answer. But that seems to be the issue... Some say it needs to be deleted (despite the fact that if you delete customer data, you are suddenly in an area where you can't prove anything anymore in case of legal issues). Others say that you are not obliged to delete it unless you make the retention for keeping data (depending on your vertical).

We are working on an official statement as we speak, but I prefer to be a bit slower with it to make sure it is correct and not a bunch of nonsense which seems to be more common these days when it comes around GDPR

[CarlMcDade]

Very interesting thread, looking forward to hearing the outcome of this has i too have heard both sides of the story

Cheers

[Mike Resseler]

We are still investigating and a lot of research is being done from our side. I hope to have a definitive statement soon. But one thing is already very clear:

There is no certification and certified GDPR software does not exist. Software can assist a company in becoming compliant (it can deliver reports/ data to prove certain areas in the legislation). In our case, Veeam ONE can already deliver quite some information that your DPO (Data Protection Officer) can use.

More to come after a couple more meetings with different parties

[CarlMcDade]

Thanks Mike!

[JLundgren]

Hello,

Do you have any updated news concerning this topic ?

When listening to lawyers i Sweden, they state that GDPR also includes backup/archive data.
However, no individual can claim the removal of specific information in backed up data files, as long as the reason why the information was stored in the first place, still exist.

This question also interests me when comparing O365 backup solutions.
For instance, Skykick backup storing mailboxes, OneDrive and Sharepoint in Azure with, as I understand it, limitations concerning customer or SP control of the backed up data.

How far have you come in your investigations ?

Regards,

JohnnyL

[Mike Resseler]

Hi Johhny,

The statement around the possibility of removing data from backup/ archive will probably remain open until after the first (major) lawsuit. Some lawyers say it needs to get removed, others say absolutely not as long as... (and you stated that yourself).

For O365, I believe the same applies. A user can ask to be removed (or needs to be removed) so at that moment, you delete the user from production but you can keep the user in backup/ archive for x amount of time (that x will apply to a retention time that applies to another law.) but you cannot "recover" the user back into production. So you need to export the data (to a PST for example) in case it is needed in a legal case

[AzetsDK]

I understand that in the current version, there are no easy ways to delete files and folders from backups.

Is this something you have in the roadmap? It seems essential to be able to be GDPR compliant by May 2018.

Rgds,

Lars

[foggy]

Hi Lars, please review this thread for some information regarding your request.

[paul_parkes]

GDPR - Article 17 gives the data subject the Right to erasure (‘right to be forgotten’).
Paragraph 1, sets out the right, along with the valid reasons to request removal. (They are limited)
Paragraph 2, states that where the data is in the public domain, the controller should take "reasonable" steps to inform other data controllers of the request.
Paragraph 3, states the reasons the request for removal can be turned down. (Paragraph 1 and 2 shall not apply)

• Section (b) states "for compliance with a legal obligation ..."
  Section (e) states "for the establishment, exercise or defence of legal claims".

The biggest impact of the GDPR is that "You should know your data and your processes" and "You should keep the data safe"

GDPR requires you to have a valid reason for keeping and processing data.
If you don't have a valid reason to keep and process data, why are you?

[Mike Resseler]

Paul,
Absolutely correct. The right to be forgotten is not absolute. And even in the case that it is a valid request, it still doesn't mean you need to delete it from your backups. Besides GDPR there is still other laws depending on country, vertical... And after x amount of time, let your backups retire or get deleted automatically. I think I am going to steal your one-line by the way... Your last line is spot-on!

[Davejonesuk]

With the EU/UK introducing GDPR May 2018 an individual has the right to have all data about that person removed from an organisation including backups. Although this should be a very rare occurrence (if ever) for us as we are a UK school. I wondered if veeam had thought about this and the ability to remove an individuals data from a backup(s) leaving the rest of the backup intact? And whether although not possible now, would be possible in future releases of the software. I think this might have been asked before but not as a part of these new regulations.

[PTide]

Hi Dave, and welcome to the community!

It seems that the subject is already being discussed in this thread, please take a look.

Thanks

[Zew]

I've been meaning to talk about this one for a good while but always forgot to make the post.

We are currently going through a file audit at my work, this includes file shares and of course SharePoint. We have been working very hard over the last couple years to ensure that most files are getting their final resting place within SharePoint. As well as working hard to get files that are in progress to be used on Sharepoint as well to utilize versioning, monitoring files changes, access control, all the fun governance stuff that comes with it.

Anyway. So now comes the time we found some files that need to be deleted.

Is there anyway to push this file deleting to old backups to ensure that it can 100% not be recovered?

I know generally Backup and Restore is there to always ensure recovery, but sometimes people don't want to be able to recover a file, ever.

[foggy]

You request looks similar to the ones discussed in this thread.

[mweber972]

Hello,

I was referred by Veeam support, to ask my question here in the Forum.
We need a statement about "GDPR - Will Backup Files be editable?"
According to the EU data directive, this must be possible when it comes to personal data.
Although I have found articles in this forum, but no reliable statement.

Here is the mail of the support in german (original) an in english:

"Sehr geehrter Herr xxx,
Wir bedanken uns bei Ihnen für Ihren Anruf bei Veeam Software – Tech Support.
Um eine Antwort zu der "GDPR / Backup to be editable at file level" Thematik zu bekommen, empfehlen wir Ihnen die Frage via den Foren (https://forums.veeam.com ) zu stellen – dort wird die von den Kollegen von Product Management beantwortet.
Falls Sie Fragen haben, stehe ich Ihnen gerne als Ansprechpartner zur Verfügung."

"Dear Mr. xxx,
We thank you for calling Veeam Software - Tech Support.
In order to get an answer to the GDPR / Backup to be editable at file level topic, we recommend that you post the question via the forums (https://forums.veeam.com) - there the answers will be answered by the colleagues of Product Management ,
If you have any questions, I am happy to be your contact person. "

So please get in touch with someone from Product Management. Preferably in German!

greetings

[Mike Resseler]

Hi All,

First, it is rather important to realize that you are not required to delete files from a backup. I am aware some people say that, but it is not correct. It would be too easy to start doing fraud if that would be allowed

There are however, a few things to keep in mind. When you delete data (right to be forgotten) from the production server because of a request, you cannot restore it afterwards. Which means you need to keep track of what data is deleted.

The right to be forgotten is something that gets a lot of attention (unfortunately) because it is a minor item in the entire legislation. (There are many more items such as protection by design and by default, reporting and so on). The idea around the right to be forgotten is more around the fact that you can opt-out (in case of marketing for example), remove data (in case of facebook or other social media type of services) or similar. For example, some people claim that you can use that right to delete your name from news articles (in case you have done something which you don't want to be seen public) but that won't work. The right to be forgotten is NOT absolute.

I would advice you to watch this: https://www.veeam.com/videos/general-da ... 11236.html
I did this presentation a few weeks ago and it should give you much more information. Afterwards, obviously feel free to ask me questions again

Cheers
Mike