
As part of SOC 2 preparation (and just general operational best-practice) we take regular PostgreSQL backups and keep them for up to a year. One of our partners has a requirement that we be able to delete any data sourced from them on request, including from backups. The GDPR right to be forgotten would seem to imply a similar requirement (although from my Googling this seems to be debatable).

It seems impractical and potentially very expensive to load all of the database dumps for the last year, filter out the data, take new dumps, and replace the existing backups. Most of the data in question is stored on Heroku, where we don't have write access to update the backups (although we can delete them on request). Are there systems available to deal with these kinds of requirements? How do other companies deal with this (presumably quite common) requirement?

recurser
  • This is a legal question. It is off topic here. – mentallurg May 24 '21 at 13:18
    I think this is an excellent question, and should be left open. Putting the legal part of it aside, the focus of the question is purely technical, i.e. *what is a practical and effective way of selectively purging data from a series of archived backups?* – mti2935 May 24 '21 at 13:37
  • The GDPR part has an answer on Law: https://law.stackexchange.com/questions/27625/gdpr-compliance-does-it-extend-to-database-backups-and-archived-records – schroeder May 24 '21 at 13:38
  • @mti2935 How to process backups to re-process data is not a security issue. The GDPR aspect is also not a security issue. What is possible technically, depends entirely on the type and method of backups. What systems can do this falls under "product recommendation". – schroeder May 24 '21 at 13:39
  • If you can reasonably reach into the backups to remove the data, then you can do that. If you have off-site tape backups, then no GDPR practitioner expects that you recall all the backups to delete their data. However, none of this applies. You need to work with *the partner* to see what will meet *their* requirements. If the partner expects you to recall your backup tapes (for example), then that's your answer. – schroeder May 24 '21 at 13:42
  • “We keep backups for a year” – why exactly that duration? Are 30 days not sufficient? Note that traceability (who changed what when) cannot be achieved with backups, and disaster recovery might still be achievable with shorter retention periods. “Our partner wants us to delete data” – whether to accommodate that request is a business decision. Is changing your compliance approach worth it? “GDPR” – the right to be forgotten is less absolute than some people think. “Heroku … we don't have access” – why are you using a technology that doesn't meet your requirements? – amon May 24 '21 at 14:11
  • @schroeder I agree, this question spans many subject areas. But, at the heart of data security is the concern of sensitive information falling into the wrong hands or being seen by the wrong eyes. Hence the reason that OP is faced with the requirement to purge data from his archived backups. From that perspective, I feel that this problem is squarely within the scope of information security. The origin of OP's requirement (be it legal, GDPR, etc.) is not relevant, IMO. – mti2935 May 24 '21 at 14:30
  • @mti2935 the heart of this is not unauthorised disclosure. It's the partner's requirement and how to satisfy that. – schroeder May 24 '21 at 15:11
  • Encrypt each user's data separately and store the key elsewhere. You can delete the key to destroy the data on the backup. You would also need to regularly destroy all backups of the keys. – dandavis May 25 '21 at 08:20
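The per-user key approach dandavis describes (often called crypto-shredding), as an added example that is not code from the original thread: each user's rows are encrypted with their own AES-256-GCM key before they ever reach the database, so every retained PostgreSQL dump holds only ciphertext, and a deletion request is satisfied by destroying that one key. The `KeyStore`, `Seal`, `Open` and `Shred` names are illustrative; in practice the key store is a KMS or a separate database that is excluded from the backups being retained.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore (hypothetical): one AES-256-GCM key per user, held outside the backup set.
type KeyStore map[string]cipher.AEAD

var ErrKeyShredded = errors.New("key destroyed: record unrecoverable from any backup")

// NewUserKey issues a fresh random 256-bit key for a user.
func (ks KeyStore) NewUserKey(user string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, _ := aes.NewCipher(k)       // 32-byte key: cannot fail
	ks[user], _ = cipher.NewGCM(block) // AES block size: cannot fail
	return nil
}

// Shred deletes the key: the user's records in every retained dump become undecryptable.
func (ks KeyStore) Shred(user string) { delete(ks, user) }

// Seal encrypts one record before storage: random nonce prepended, user id bound as AAD.
func (ks KeyStore) Seal(user string, plaintext []byte) ([]byte, error) {
	gcm, ok := ks[user]
	if !ok {
		return nil, ErrKeyShredded
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(user)), nil
}

// Open decrypts a record restored from a backup; it fails once the key is shredded.
func (ks KeyStore) Open(user string, record []byte) ([]byte, error) {
	gcm, ok := ks[user]
	if !ok {
		return nil, ErrKeyShredded
	}
	if n := gcm.NonceSize(); len(record) >= n {
		return gcm.Open(nil, record[:n], record[n:], []byte(user))
	}
	return nil, errors.New("record too short")
}
```

The scheme only works if the key store is never included in the backups that are retained, which is the point of dandavis's last sentence.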

0 Answers