Hacker News new | past | comments | ask | show | jobs | submit login

My understanding is that the GDPR “right to be forgotten” does not cover backups. There may be some exceptions, but there are practical limits on its reach.



I believe your understanding is incorrect. GDPR certainly includes storage and processing, both of which backups probably trigger.

Anyway, think about the spirit of the law, and then think about how that interacts with backups. If someone asks to be deleted from your system, you do so, and then you restore a backup with their data, you have clearly violated the intent.


Keep a log of deleted users and re-delete upon restore.

The GDPR contains exceptions for data storage for which it is infeasible or outside reasonable effort to delete individual records or you have legal compliances to uphold.


Isn't the log of deleted users subject to the GDPR then?


You can make a log of deleted users without it containing personally identifiable information, by just storing the IDs.


No since the GDPR exempts things you need for legal compliance, thus a list of users who have asked to be deleted is fine if it's being used to ensure compliance.


Given the fact that backup is a must for almost any system, it would be silly for GDPR to not "cover" backup files.


Interesting, if that's so, can we redefine the underlying Kafka topics as "backups" and achieve compliance by having the stream processors drop "forgotten" records when replaying a topic?


Good luck selling that one to a judge. Let us know how it goes!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: