No supervisory authorities in Europe have initiated formal investigations following the EDPB's coordinated supervisory action on deletion. One of the recurring findings was that companies delete data from production systems, but not from backups.
Technically, it's understandable. Backup systems are designed to preserve, not delete. But GDPR does not distinguish between production data and backup data. Personal data is personal data wherever it is located.
This means that the retention periods in your record of processing activities need to account for the backup cycle. And that you need a plan for how data in backups is actually deleted — or at least made inaccessible — when the retention period expires.
What does this mean to you?
Check whether your backup routine includes a deletion plan. If backups are overwritten every 90 days, that may be good enough. If they are permanently archived, you have a problem.
Inspired by: European Data Protection Board