backup-retention-erasure

Installation
SKILL.md

Backup Retention and Erasure Management

Overview

Backup and archive systems present unique challenges for data retention and erasure compliance. Unlike primary systems where individual records can be selectively deleted, backup media typically stores data as monolithic sets that cannot be surgically modified without restoration. When a data subject exercises the right to erasure under GDPR Article 17 or when a retention period expires, the organization must address personal data residing in backups. The technical infeasibility of granular deletion from backups is a recognized limitation, but it does not exempt organizations from their obligations — it requires documented interim measures and eventual deletion through backup rotation or restore-and-delete procedures. This skill provides the operational framework for managing backup data under retention and erasure obligations.

Legal Context

GDPR Recital 66 — Erasure in Online Environments

The right to erasure should extend to cases where the controller has made the personal data public — the controller should take reasonable steps to inform other controllers processing the data. In the backup context, this principle requires that erasure obligations extend to backup copies even when immediate deletion is technically infeasible.

GDPR Article 17(1) — Right to Erasure

The controller shall erase personal data "without undue delay." The EDPB and national DPAs have acknowledged that backup systems may require a longer timeframe, but have not granted an indefinite exception. The expectation is that backup deletion occurs within the next backup rotation cycle.

ICO Guidance on Backup Deletion

Installs
11
GitHub Stars
187
First Seen
May 12, 2026
backup-retention-erasure — mukul975/privacy-data-protection-skills