I want to second and elaborate on the above statement. As I work heavily with backups, this is something that is fraught with a lot of arm-chair analyses, which I will try to avoid, and instead focus on just how the industry has reacted.

For backups, most vendors have two takes on this, and my hot take is that it's less about legal interpretations and more about how the vendors spin their backup technology features:

1. Vendors that have mutable backups (e.g., the backup archive content can be changed, and individual records, files, and other stuff can be edited/removed) finally have a defense against the security risk of mutable backups, and now it's a compliance feature.

2. Vendors with non-mutable backups (e.g., the backup file itself is still mutable (no immutable bit), but you cannot remove individual records/entries from it without destroying the backup file itself) have simply developed staging restores that allow for programmatic removal of a non-mutable restored machine before performing an actual restore.

The parent mentions the 2nd spin as their second bullet point, and in fact it's pretty simple -- technologies to instantly recover backups are pretty common, and for virtualization it usually works by mounting the backup files as read-only, then taking a snapshot with a hypervisor, then performing the deletions -- the original data in the backup file is untouched and you can perform the deletions, but the deletions only happen within the snapshot's scope -- so the restored data is indeed free and clear of the deleted data, but the backup file is left alone. Once you're done, just delete the snapshot and unpublish the backup file, and it's like nothing changed.

You can in fact do the same with file-based backups, as usually there is some backup catalog anyway, and you can just flag items as "DNR" and the software obliges during restores.

As for "not within reach", I'm not sure it is specifically clarified by any discussion I've seen, but the common interpretation of GDPR is that more restricted access to any personal data (or copy of the data) is required, and that companies have to publish a bit more about how their processing of collected data works.

The industry itself sits pretty comfortably on tons of myths and legends about GDPR and backups, which is sad, as GDPR itself really doesn't specifically mention backups; it talks about personal data that is public and about data collection policies. My hot take is that most companies have purposefully just dragged their feet at best and never stopped doing the stuff that data retention policies were meant to stop, or at worst just decided to annoy users with unnecessary banners and "consent" forms (and indeed, I put full blame for those on the companies -- there's no such requirement to harass and annoy users with a maze of consent options; quite the opposite, they should be able to opt in/out of the consent with ease and without harassment).
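The staged-restore idea from the comment above (the backup artifact stays untouched, the erasure lives only in a delta that is applied at restore time, whether that delta is a hypervisor snapshot or a "DNR" flag in the backup catalog) is easy to model on a file-based backup. The following is an added example, not code from the commenter or from any backup vendor: it builds a constructed sample tar archive, treats it as the non-mutable backup, keeps a catalog of its members, and performs a restore that honours a DNR set without ever writing to the archive bytes. The archive contents, the `erasure-request-42.json` file name and the `catalog`/`staged_restore`/`demo` helpers are all assumptions made for the illustration; the path-containment check is there because a real catalog-driven restore must not trust member names.

```python
"""Staged restore over an immutable archive with a 'do not restore' (DNR) set.

Added example (not from the original post). The archive and file names are
constructed sample data. The DNR set plays the role of the hypervisor
snapshot in the comment: deletions are applied to the restore view only,
and the backup artifact itself is never modified.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample backup: one config file and two customer records."""
    files = {
        "app/config.yml": b"db: prod\nretention_days: 30\n",
        "customers/erasure-request-42.json": b'{"id": 42, "name": "Jane Doe"}\n',
        "customers/other-customer.json": b'{"id": 7, "name": "Acme Corp"}\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def catalog(archive: bytes) -> dict:
    """Backup catalog: member name -> size and content digest, read-only."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isreg():
                data = tar.extractfile(member).read()
                entries[member.name] = {"size": member.size, "sha256": sha256(data)}
    return entries


def staged_restore(archive: bytes, dnr: set, dest: Path) -> list:
    """Restore every regular member except those flagged DNR.

    The archive bytes are only ever read; the erasure exists solely in the
    restore view. Member names are checked to stay inside `dest` so a
    crafted catalog entry cannot write outside the restore target.
    """
    root = dest.resolve()
    restored = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isreg() or member.name in dnr:
                continue
            target = (root / member.name).resolve()
            if root not in target.parents:
                raise ValueError(f"refusing to restore outside target: {member.name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            restored.append(member.name)
    return restored


def demo() -> dict:
    """Run a staged restore and report what changed (nothing in the archive)."""
    archive = build_sample_archive()
    digest_before = sha256(archive)
    dnr = {"customers/erasure-request-42.json"}  # the catalog's DNR flag
    with tempfile.TemporaryDirectory() as tmp:
        restored = staged_restore(archive, dnr, Path(tmp))
        on_disk = sorted(
            p.relative_to(tmp).as_posix()
            for p in Path(tmp).rglob("*") if p.is_file()
        )
    return {
        "archive_unchanged": sha256(archive) == digest_before,
        "archive_still_holds_dnr_entry": all(n in catalog(archive) for n in dnr),
        "restored": sorted(restored),
        "on_disk": on_disk,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the output makes is the one in the comment: the restored tree is free of the flagged record, while the archive digest is unchanged and the catalog still lists the record, because the backup artifact was never touched. Swapping the DNR set for a hypervisor snapshot on a read-only mounted backup gives the same property for image-level backups.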
