IBM Domino backups and the GDPR “Right to be forgotten”
What happens when an EU citizen requests the erasure of their personal data from an organization which processes the data? This “Right to be forgotten” is one of the “Rights of the data subject” (GDPR, Art. 12 – 23), and arguably the most intriguing one for any organization which seeks compliance with GDPR.
As an organization, you first need to know what personal data you hold, for what reason, and where they are. If you store and process personal data in IBM Domino databases, we highly recommend this webinar by Ytria – GDPR considerations for your IBM Domino environment (slides, video). Ben Menesi did a great job of explaining what GDPR brings to all IT professionals who are responsible for Domino infrastructure and applications.
If such a request for erasure comes, based on a ground contained in Art. 17, you’ll have to find all references to the person who is requesting the erasure, and erase all such information from your system. This means all instances of the data, in all database replicas, on all servers, and on a granular level which suits a specific record (either by deleting a Notes document or anonymizing its content).
A typical question that arises at this point is, “What about the data stored in backups?”
Really, GDPR doesn’t offer an exception for personal data contained in backups. The right to erasure applies to all personal data that an organization holds, with no exceptions. But it would be extremely impractical, if not impossible, to delete individual records or documents from a backup, especially when the backup is sitting on a tape or in cold storage in the cloud.
Time to separate backups from archives
What we should do here is to draw a clear line between creating backups and archiving. The purpose of creating backup is data recovery, not long-term retention. The lifespan of a backup is typically short, as it is overwritten by new copy in a new backup cycle. The new copy reflects all changes in operational databases (including deletions of personal data) within that cycle, so there is no need to intervene in the backup itself.
Archive, on the other hand, refers to a collection of historical records (Notes documents in this case). Its purpose is to provide long-term retention and future reference. These collections should also allow authorized users to delete selected records – be it on subject’s request (Art. 17) or at the end of the retention period for specific records.
Although these collections can be retained in Domino databases, we commonly recommend a different approach: exporting of all historical records out of Domino databases (from both operational and retired databases) into a platform-independent repository. All records saved as PDF + XML files will retain both content and data, be readable in the future, and detached from the system that generated them.
Moreover, such records can be directly handed over to data subjects when they request them on the grounds of these two additional GDPR provisions – Right of access by the data subject (Art. 15), and Right to data portability (Art. 20).
GDPR and records management
If you are responsible for data archiving, your job is to keep records of organization’s history. Now, as GDPR gives data subjects much more control over their personal data, these two objectives may collide.
While the practice of keeping everything and forever used to be an easy option too often, GDPR will definitely change such an established practice – at least for records containing personal data. Even without a data subject’s explicit request, GDPR expects you to keep only what is necessary (“data minimization”, Art. 5), for no longer than is necessary (“storage limitation”, Art. 5).
Some of the good practices that you may consider for reducing the risks of GDPR violation include ALM, consistent data classification, regular archiving of inactive data, and data deletion at the end of the retention period.
For records managers, it’s time to consider GDPR and to re-evaluate their record retention and protection policies.