AOMEI Honors "the Right to be Forgotten" of GDPR

The General Data Protection Regulation (GDPR) will come into force on May 25, 2018. The key principle of GDPR is giving consumers control of their data.There are several suggestions about how the right to be forgotten affects personal data stored in backup archives.

The issue of honoring a user’s right to be forgotten in backup archives comes down to two questions:

1.How can we protect personal data while it continues to exist in a backup archive?

2.How can we honor GDPR’s principals of data minimization, keeping only the data we need for the minimum amount of time we need it?

The best practice for dealing with personal data

AOMEI supports several GDPR compliance best practices and product features designed to help its partners and their customers (businesses that serve as controllers of EU citizens’ personal data) to honor this obligation:

1.When possible, the controller should organize backups so that each data subject gets a separate backup archive for personal data.

1）This is an ideal solution because it enables the granular deletion of personal data without affecting the records of other users.

2）Unfortunately, this approach is likely to be impractical for many businesses to implement, as an individual’s personal data is often scattered across multiple applications, locations, storage devices, andbackups.

2.Backup archives should always be stored using strong encryption. That way, even if a backup archive with personal data awaiting deletion were stolen, the thieves couldn’t use it.

3.When individuals request the erasure of their personal data, controllers should be transparent with them about what will happen to the backups:

1）Primary instances of their data in production systems will be erased with all due speed

2）Their personal data may reside in backup archives that must be retained for a longer period of time – either because it is impractical to isolate individual personal data within the archive, or because the controller is required to retain data longer for contractual, legal or compliance reasons.

3）The individual can be assured that their personal data will not be restored back to production systems (except in certain rare instances, e.g., the need to recover from a natural disaster or serious security breach). In such cases, the user’s personal data may be restored from backups, but the controller will take the necessary steps to honor the initial request and erase the primary instance of the data again.

4）Backup archives containing personal data will be protected with strong encryption, so that even if criminals were able to steal the archive, its contents would remain useless to them.

5）Retention rules have been put in place so that personal data in backup archives is retained for as short a time as necessary before being automatically deleted.

6）Records of all data subject requests regarding their personal data will be retained, as will audit logs that record all activities on backup archives containing personal data. This means that the user can be confident that their personal data has been backed up in accordance with GDPR principles of security by design and by default, as well as data minimization, and that their rights, including the right to be forgotten, have been honored.

How AOMEI honors the right to be forgotten when we are the controller of personal data

AOMEI does not collect personal data, we just collect user backups and disk partitions scenarios. AOMEI will honor the rights of all data subjects regarding their personal data, including the right to be forgotten, when the data is no longer needed for its original purpose or the user withdraws their consent. If the customer asks him or her to be forgotten, AOMEI will delete their personal data from our production system within 30 days (e.g. name, surname, mailing address, telephone number).

We will delete backup copies of that personal data from our archives as soon as is practically possible, to the extent allowed by our other data retention obligations. As soon as those obligations have been fulfilled, we will permanently delete those archives as quickly as possible.

AOMEI is willing to keep the audit log and record the history of all operations of the customer's personal data during legal obligations. In a word, AOMEI will always take reasonable steps to ensure the safety of all personal data and cannot access unauthorized individuals.

The ending

Any organization that holds or uses data on people inside the European Union is subject to the new rules, regardless of where is it based. GDPR will greatly change the rights of data subjects and how to process data. Does your company have a strategy to avoid breaking new rules? The best way to avoid potential violations and the resulting high fines is to follow the same general GDPR principle, which is what we need to do:

1.Take reasonable measures to ensure the safety of backup files and prevent snooping.

2.Don’t hold onto archives any longer than you absolutely have to.

3.Record and backup files on policies, procedures and actual operation, so you can prove your behavior is well-intentioned, to respect the data subject to the rights of personal data stored in the backup.

4.Be transparent with users about why their personal data in backups might be kept around longer, how you will keep it safe until it can be deleted, and when its eventual deletion will occur.

With GDPR, enterprises will no longer be able to rely on the withdrawal process or implicit consent.In the eyes of the law, users' inaction does not mean agreeing to their data being captured.

About AOMEI

AOMEI - the easiest backup keeps data safer, is an up-and-coming software company founded in 2009. AOMEI is a freeware-based company, striving to make 81% of the users free to use their products. With professional and reliable support service, AOMEI products are favored by users around the world. Today AOMEI solutions are available worldwide through a global network of service providers, distributors and resellers. AOMEI continued to grow and develop while bearing in mind their mission - Always Keep Global Data Safer, and strive to let billion of users benefit from AOMEI Products, and make AOMEI become the industry benchmark.