undefined | Better HN

0 pointshenrikschroder7y ago0 comments

I think the UK agency had some text on erasure and backups, and it basically boiled down to this:

If a data subject requests their data to be erased, you should remove their data from active systems so that it is no longer being processed, but you don't have to remove it from backups or other passive systems. You should however store some sort of marker so that if you need to restore data from backups, the data subject's data will be re-erased or otherwise stopped from entering active systems again.

And if a data subject asks, you have to tell them how long you store your backups of their personal data.

I think that's perfectly reasonable. And if your backup retention policy is "forever", now might be a good time to re-evaluate that policy.

0 comments

Silhouette7y ago

Neither the UK nor the EU previously had any general provision for a right to erasure. At EU level, considerable waves were made when the "right to be forgotten" ruling was issued, but that came from a court that was considering a specific case.

j / k navigate · click thread line to collapse

0 pointshenrikschroder7y ago0 comments

I think the UK agency had some text on erasure and backups, and it basically boiled down to this:

And if a data subject asks, you have to tell them how long you store your backups of their personal data.

I think that's perfectly reasonable. And if your backup retention policy is "forever", now might be a good time to re-evaluate that policy.

0 comments

Silhouette7y ago

j / k navigate · click thread line to collapse