Backups and GDPR Compliance
Backups contain personal data, so they fall squarely within data-protection rules such as the UK GDPR. They must be kept secure, retained sensibly and, where required, included when responding to data requests.
This article explains how we keep backups useful for recovery while staying on the right side of compliance.
What the Rules Expect
Personal data in backups is still personal data and must be protected accordingly.
- Backups should be encrypted and access-controlled.
- Retention should be limited to what is necessary.
- Backups must be considered in deletion requests.
The Deletion Dilemma
If someone exercises their right to be forgotten, you cannot easily reach into immutable backups. The accepted approach is to delete from the live system and ensure the data ages out of backups under your retention policy, documenting this clearly.
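As an added example that is not from the original article, the Python sketch below writes down that approach for one erasure request: it lists the snapshots that may still hold the subject's data, works out when each ages out under the retention policy, and gives the date from which the request is fully honoured. The snapshot labels, dates and the 90-day retention period are constructed values, not a real schedule.

```python
from datetime import date, timedelta

# Constructed retention policy: backups are purged this many days after they are taken.
RETENTION_DAYS = 90

# Constructed backup catalogue: (snapshot label, date taken). Not real backups.
SNAPSHOTS = [
    ("weekly-2024-03-03", date(2024, 3, 3)),
    ("weekly-2024-03-10", date(2024, 3, 10)),
    ("weekly-2024-03-17", date(2024, 3, 17)),
]


def expiry_date(taken: date, retention_days: int = RETENTION_DAYS) -> date:
    """Date on which a snapshot is purged under the retention policy."""
    return taken + timedelta(days=retention_days)


def erasure_record(subject_ref: str, live_deleted_on: date,
                   snapshots=SNAPSHOTS, retention_days: int = RETENTION_DAYS) -> dict:
    """Build the documentation record for a right-to-erasure request.

    Snapshots taken on or before the day of live deletion may still contain the
    subject's data (same-day snapshots are treated conservatively as affected).
    The request is fully honoured once the last of those has aged out; snapshots
    taken after the live deletion never held the data and are not listed.
    """
    affected = [
        (label, taken, expiry_date(taken, retention_days))
        for label, taken in snapshots
        if taken <= live_deleted_on
    ]
    # If no backup predates the deletion, the data was gone as soon as live deletion ran.
    fully_erased_on = max((exp for _, _, exp in affected), default=live_deleted_on)
    return {
        "subject_ref": subject_ref,
        "live_deleted_on": live_deleted_on,
        "retention_days": retention_days,
        "backups_still_holding_data": [
            {"snapshot": label, "taken": taken, "expires": exp}
            for label, taken, exp in affected
        ],
        "fully_erased_on": fully_erased_on,
        "basis": "Deleted from live system; backup copies expire under the retention policy.",
    }


def is_fully_erased(record: dict, today: date) -> bool:
    """True once every backup that held the data has passed its expiry date."""
    return today >= record["fully_erased_on"]
```

Keep the returned record alongside the request itself, since it is the evidence that the deletion was actioned and that the remaining copies are time-limited.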
Frequently Asked Questions
Must we delete someone from every backup immediately?
Generally no — it is accepted to let the data expire under your retention schedule, provided you document the approach.
Does encryption help with compliance?
Yes, it is a recognised safeguard and reduces the impact if a backup were ever exposed.
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.