Backup with GDPR Compliance for Businesses
Backups are essential for resilience — but EU organisations must ensure backups also meet GDPR requirements. This practical guide shows how to design, operate and audit backup processes that are secure, auditable and aligned with data protection law. Includes retention templates, deletion workflows, encryption guidance, DPA controls and a ready-to-use checklist.
How to configure backup with GDPR compliance
GDPR does not ban backups — it requires lawful processing, limited retention, appropriate security, and the ability to honour data subject rights. Use the controls below when you design or update backup processes.
1. Define a documented retention policy
Retain backups only as long as necessary for documented purposes (business continuity, legal hold, accounting). Your policy should be:
- Mapped to business/legal requirements (tax, contracts, regulatory obligations)
- Tiered by backup frequency and age (daily/weekly/monthly/yearly)
- Clear about retention start (creation date) and expiry/delete triggers
- Reviewed regularly and versioned for audit
Retention examples (practical template)
- Short-term: Daily backups kept 30 days (fast restore for recent loss)
- Medium-term: Weekly backups kept 90 days
- Long-term: Monthly backups kept 12 months
- Archival/Legal hold: Retain copies as legally required (e.g., 6–7 years for accounting) with strict access controls
Note: Tailor these to your sector and legal obligations; include exceptions for legal holds that suspend deletion.
2. Make deletion and erasure realistic
Data subject rights (e.g., right to erasure) create operational complexity for backups. Consider the following options:
- Use searchable metadata to identify personal data in backups so targeted removals are possible where feasible.
- Implement a retention lifecycle where backups older than X are purged automatically.
- Where full immediate deletion is impracticable, document the reason and provide compensating measures (e.g., restricting access, encrypting with customer-specific keys).
- For immutable/append-only backups used against ransomware, combine immutability with a documented legal basis and DPO sign-off for retention length.
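The retention lifecycle and legal-hold exception described in sections 1 and 2, as an added worked example (not code from the page or from AgooCloud): it evaluates an inventory against the tiered template, never purges a copy under an active hold, and records an auditable reason for every decision. Tier lengths, the field names and the sample inventory are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping of the guide's tiers to days kept (30 days, 90 days, 12 months).
RETENTION_DAYS = {"daily": 30, "weekly": 90, "monthly": 365}

@dataclass
class Backup:
    backup_id: str
    tier: str                 # "daily", "weekly", "monthly" or "legal_hold"
    created: date             # retention clock starts at the creation date
    legal_hold: bool = False  # an active hold suspends deletion regardless of age

def expiry_date(b: Backup):
    """Date on which the copy becomes eligible for purge; None for archival/legal-hold tier."""
    if b.tier == "legal_hold":
        return None
    return b.created + timedelta(days=RETENTION_DAYS[b.tier])

def classify(backups, today):
    """Return one decision per backup: purge, retain or hold, each with an audit reason."""
    decisions = []
    for b in backups:
        exp = expiry_date(b)
        if b.legal_hold:                       # hold wins even if the tier has expired
            action, reason = "hold", "legal hold active; deletion suspended"
        elif exp is None:
            action, reason = "retain", "archival tier; kept as legally required"
        elif exp <= today:
            action, reason = "purge", f"{b.tier} tier expired on {exp.isoformat()}"
        else:
            action, reason = "retain", f"{b.tier} tier expires on {exp.isoformat()}"
        decisions.append({"backup_id": b.backup_id, "action": action,
                          "reason": reason, "evaluated": today.isoformat()})
    return decisions

def purge_ids(decisions):
    return [d["backup_id"] for d in decisions if d["action"] == "purge"]

# Constructed sample inventory (not real backups).
SAMPLE = [
    Backup("d-2024-01-01", "daily", date(2024, 1, 1)),
    Backup("d-2024-02-20", "daily", date(2024, 2, 20)),
    Backup("w-2023-11-06", "weekly", date(2023, 11, 6)),
    Backup("m-2023-01-31", "monthly", date(2023, 1, 31)),
    Backup("m-2023-01-15", "monthly", date(2023, 1, 15), legal_hold=True),
    Backup("a-2018-12-31", "legal_hold", date(2018, 12, 31)),
]

def evaluate_sample():
    """Run the lifecycle check for the sample inventory as of 2024-03-01."""
    return classify(SAMPLE, date(2024, 3, 1))

if __name__ == "__main__":
    for decision in evaluate_sample():
        print(decision)
```

The decision list is the record you would keep in the audit log; the expired monthly copy under legal hold is reported as "hold", not purged.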
3. Keep backup data in compliant locations (data sovereignty)
Ensure geographic placement of backups matches contractual and regulatory requirements. Controls include:
- Data location policies (EU-only, EU+EEA, regional, etc.) with clear defaults
- Documentation of cross-border transfers and appropriate safeguards (SCCs, adequacy decisions)
- Customer-facing options to choose storage location where feasible
See also our Backup for Small Business page for commercial plans and location options.
4. Use strong encryption and key management
Encryption protects data confidentiality in transit and at rest. Key points:
- Use TLS for transport and AES-256 (or equivalent) for at-rest encryption.
- Decide on key management model: provider-managed keys vs. customer-managed keys (bring-your-own-key). Customer key control increases privacy assurances but adds operational overhead.
- Ensure key rotation policies and secure storage of key backups.
- Log and monitor key access; restrict key management to authorised principals only.
5. Limit access and log activity
Least privilege and auditing are essential:
- Apply role-based access control (RBAC) for backup management and restores.
- Use MFA for administrative accounts and monitor privileged actions.
- Maintain immutable audit logs of restore, delete and key operations and retain logs according to your retention policy.
6. Use clear processor controls and a DPA
If you use a managed backup provider, ensure contractual controls via a Data Processing Agreement (DPA): scope, subprocessors, security measures, audit rights, international transfers and breach notification timelines. You can review AgooCloud’s DPA here: Data Processing Agreement (DPA).
7. Regularly test restores and deletion procedures
Backups are only useful if they can be restored reliably. Institute a testing cadence and document results:
- Run automated restore drills quarterly for critical systems and annually for full disaster recovery tests.
- Include verification of integrity, timeliness and access permissions during tests.
- Test deletion/removal workflows when responding to erasure requests to ensure they behave as intended and are auditable.
8. Maintain records and DPIAs where needed
Keep processing records that document backup purposes, retention, locations and safeguards. Perform a Data Protection Impact Assessment (DPIA) if backups involve large-scale processing of special categories of personal data or new technologies. See our DPA and Privacy Policy pages for how AgooCloud meets these obligations: Privacy Policy • Terms & Conditions.
Practical configuration checklist
- Documented retention policy (with tiers and review dates)
- Backup location policy and transfer safeguards
- Encryption in transit and at rest; decision on key ownership
- RBAC + MFA + privileged access monitoring
- Immutable audit logs for restore and delete operations
- Quarterly restore tests and documented outcomes
- Contractual DPA with subprocessors and audit rights
- Procedure to handle data subject erasure/portability requests affecting backups
Learn about commercial options and plans on our Backup for Small Business and Backup for Individuals pages.
When to involve legal or your DPO
Escalate to legal/DPO when:
- Retention exceeds standard business needs or you plan immutability beyond typical disaster recovery horizons.
- Backups include special-category personal data at scale.
- You propose cross-border transfers without clear safeguards.
- There is a high-risk new project (consider DPIA).
For customers evaluating supplier controls, our DPA is available here: https://agoocloud.com/data-processing-agreement-dpa/
Further reading and external guidance
- European Data Protection Board (EDPB) — GDPR guidance
- ENISA — ransomware and backup guidance
- ICO (UK) — guidance on data protection and backups
- NIST — security best practices (US)
FAQ
How long should backups be kept under GDPR?
GDPR requires that personal data be kept no longer than necessary for the purpose. Use a tiered policy with clear justifications — e.g., 30 days (daily), 90 days (weekly), 12 months (monthly), and longer only when legally required. Document exceptions and legal holds.
Can backups be stored outside the EU?
Yes, but you must ensure a lawful transfer (adequacy decision, SCCs, or other legal basis). Document transfers in your records and include them in your DPA.
Is encryption alone enough to make backups GDPR-compliant?
Encryption is a key security measure but not sufficient by itself. GDPR also requires lawful processing, limited retention, access controls, logs, and procedures for data subject rights. Encryption reduces risk and provides evidence of appropriate safeguards, but it should be combined with operational and contractual controls.
How should I handle data deletion requests affecting backups?
Attempt targeted deletions where feasible. If immediate deletion is impracticable (e.g., immutable backups), document the limitation, restrict access, and delete when retention expires. Communicate clearly with the requester and log actions taken.
What should a DPA include for backup providers?
Key DPA clauses: processing subject and duration, categories of data, security measures, subprocessors and authorisation, international transfers, return/deletion procedures, and audit/cooperation rights. See AgooCloud’s DPA: Data Processing Agreement.
