Backup Compliance: Meeting GDPR and Industry Requirements

Backups are not just a technical safeguard — they are a legal obligation. For UK businesses processing personal data, GDPR Article 32 explicitly requires the ability to "restore the availability and access to personal data in a timely manner in the event of a physical or technical incident." This means your backup system is not simply an operational convenience; it is a compliance requirement that the ICO will examine if your business suffers a data breach or loss event.

Yet many UK organisations treat backups as a purely technical function, managed by IT without reference to legal, compliance, or regulatory requirements. The result is backup systems that may protect against hardware failure but fail to meet the specific demands of GDPR, industry regulations, or contractual obligations — leaving the organisation exposed to regulatory fines, contractual penalties, and reputational damage.

This guide examines the compliance landscape for business backups in the UK, covering GDPR requirements, industry-specific regulations, practical implementation strategies, and the documentation and testing regimes necessary to demonstrate compliance to regulators and auditors.

  • £17.5M (or 4% of annual worldwide turnover, whichever is higher): maximum UK GDPR fine for data protection failures
  • 54%: of UK businesses have never tested their backup recovery
  • 31%: of backup recovery attempts fail when actually needed
  • 72 hrs: ICO breach notification deadline under UK GDPR (from becoming aware of a notifiable breach)

GDPR Backup Requirements

The UK GDPR (retained in UK law following Brexit) imposes several specific requirements that directly affect how you design, implement, and manage your backup systems. Understanding these requirements is essential for any organisation that processes personal data — which, in practice, means virtually every UK business.

Availability and Resilience

Article 32(1)(b) requires "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services." Your backup system is your primary mechanism for ensuring availability and resilience. If your systems fail — whether through hardware failure, ransomware, human error, or natural disaster — your backups must enable you to restore services within a timeframe that is proportionate to the risk.

Timely Restoration

Article 32(1)(c) requires "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident." The phrase "timely manner" is deliberately open to interpretation, as what constitutes "timely" depends on the nature of the data and the impact of its unavailability. However, the ICO's guidance makes clear that you must have a documented and tested process for restoration, and that the restoration timeframe should be defined in advance, not determined on an ad-hoc basis during a crisis.

GDPR article, what it requires, what it means for your backups, and the evidence you should be able to produce:

  • Article 5(1)(f), integrity and confidentiality: backups must be encrypted and access-controlled. Evidence: encryption configuration and key-management records, access logs.
  • Article 17, right to erasure: erasure requests must be honoured in backups, in practice by re-applying them whenever a backup is restored. Evidence: erasure procedures, retention policies.
  • Article 32(1)(b), availability and resilience: backups must ensure data can be recovered. Evidence: backup schedules, job success logs.
  • Article 32(1)(c), timely restoration: defined and tested RTO and RPO. Evidence: recovery test reports.
  • Article 32(1)(d), regular testing: backup recovery must be tested periodically. Evidence: test schedules, results documentation.
  • Article 33, breach notification: loss of availability of personal data is itself a breach, so the state of your backups determines both the severity assessment and whether you can report within 72 hours. Evidence: incident response procedures.

The Right to Erasure Challenge

Article 17, the right to erasure, commonly known as the "right to be forgotten", creates a particular challenge for backup systems. When a data subject exercises their right to erasure (and none of the Article 17(3) exemptions applies), you must delete their personal data from all systems, including backups. However, selectively deleting individual records from backup archives is technically impractical with most backup solutions, as backups are typically stored as monolithic images rather than individually addressable records.

The ICO's pragmatic position is that you do not need to delete data from backup archives immediately, provided the data is put "beyond use" (not accessed or processed for any other purpose while it sits in the archive) and you have a process to ensure that when a backup is restored, the erasure is re-applied. That means keeping a record of every actioned erasure for at least as long as any backup that predates it is retained. You must also ensure that backup retention periods are not excessive: holding backups indefinitely means personal data persists indefinitely, which is unlikely to be compatible with your data retention policy or the GDPR's storage limitation principle.
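The re-application process described above can be made mechanical. The following is an added example, not code from the original post or from any product it mentions: it assumes a record store keyed by subject identifier and an append-only erasure ledger, both constructed in memory with made-up data. The ledger stores only a hash of each identifier, so the ledger itself does not become yet another copy of the personal data, and entries are dropped once no retained backup predates them.

```python
"""Re-applying Article 17 erasures when an older backup is restored.

Added example, not code from the original page or any product it mentions.
It assumes a record store keyed by subject ID and an append-only erasure
ledger; both are constructed in-memory with made-up data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def subject_token(subject_id: str) -> str:
    """The ledger holds a SHA-256 of the identifier, not the identifier,
    so the ledger does not become another copy of personal data."""
    return hashlib.sha256(subject_id.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ErasureRequest:
    token: str               # subject_token(subject_id)
    actioned_at: datetime    # when deletion completed on the live systems
    reference: str           # case reference for the audit trail (hypothetical format)


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    records: dict            # subject_id -> record, as it was when backed up


def restore_with_erasure(snapshot, ledger):
    """Restore a snapshot and replay every ledger entry against it.

    Returns (restored_records, replayed_refs, no_match_refs). Entries whose
    subject is not in the snapshot (erased before the backup ran, or never
    present) are reported in no_match_refs so the restore log shows that
    every request was considered, not only the ones that matched.
    """
    restored = {sid: dict(rec) for sid, rec in snapshot.records.items()}
    by_token = {subject_token(sid): sid for sid in restored}
    replayed, no_match = [], []
    for req in ledger:
        sid = by_token.get(req.token)
        if sid is None:
            no_match.append(req.reference)
        else:
            del restored[sid]
            replayed.append(req.reference)
    return restored, replayed, no_match


def ledger_entries_to_keep(ledger, oldest_backup_taken_at):
    """An entry only matters for backups taken before the erasure was actioned.
    Once the oldest retained backup post-dates it, the entry can be dropped."""
    return [r for r in ledger if r.actioned_at > oldest_backup_taken_at]


def demo():
    """Constructed scenario: backup taken 1 March, erasure for 'bob' actioned
    10 March, backup restored later. The restored copy must not contain bob."""
    utc = timezone.utc
    snapshot = Snapshot(
        taken_at=datetime(2024, 3, 1, 2, 0, tzinfo=utc),
        records={
            "alice": {"email": "alice@example.com"},
            "bob": {"email": "bob@example.com"},
            "carol": {"email": "carol@example.com"},
        },
    )
    ledger = [
        # erased before the backup ran: nothing to replay, but still logged
        ErasureRequest(subject_token("dave"), datetime(2024, 2, 12, tzinfo=utc), "DSR-0031"),
        ErasureRequest(subject_token("bob"), datetime(2024, 3, 10, tzinfo=utc), "DSR-0042"),
    ]
    restored, replayed, no_match = restore_with_erasure(snapshot, ledger)
    keep = ledger_entries_to_keep(ledger, snapshot.taken_at)
    return restored, replayed, no_match, [r.reference for r in keep]
```

The replay is idempotent, so it is safe to run the whole ledger on every restore rather than trying to work out which entries are "new enough"; the cost is negligible next to the restore itself, and the two reference lists give you the audit trail that the erasure was honoured.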

Backup Retention and GDPR

Your backup retention period must be justified and documented. Keeping 12 months of daily backups may be technically convenient, but can you justify retaining personal data in backup form for that long? The ICO expects organisations to balance the operational need for backup retention against the storage limitation and data minimisation principles. For most UK SMEs, a retention policy of 30 days for daily backups, 90 days for weekly backups, and 12 months for monthly backups provides a reasonable balance. Whatever you choose must be written into your retention policy, reflected in your Article 30 record of processing (which has to state the envisaged time limits for erasure), and reviewed annually.
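The 30/90/365-day policy above is a grandfather-father-son scheme, and the decision of which backups to expire on any given day can be computed rather than left to whoever is on shift. The following is an added example, not code from the original post: it decides retention from backup dates alone, keeps the newest backup of each ISO week and each calendar month for the weekly and monthly tiers, and reports the oldest date still retained, which is the horizon for which personal data can persist in backup form. The sample dates are constructed.

```python
"""Grandfather-father-son retention: 30 days of dailies, 90 days of weeklies,
12 months of monthlies, everything else expired.

Added example, not code from the original page. It decides retention from
backup dates alone; the sample dates in the test are constructed.
"""
from datetime import date

DAILY_DAYS = 30      # keep every backup this recent
WEEKLY_DAYS = 90     # beyond that, keep the newest backup of each ISO week
MONTHLY_DAYS = 365   # beyond that, keep the newest backup of each calendar month


def retention_decisions(backups, today):
    """Map each backup date to the tier that justifies keeping it, or 'expire'.

    Walking newest-first means the first backup seen in a week or month is the
    newest one, which is the one each tier keeps. A backup that misses one tier
    still falls through to the next: the last backup of a month is kept as the
    monthly even when a newer backup in the same ISO week holds the weekly slot.
    """
    decisions = {}
    weeks_seen, months_seen = set(), set()
    for taken in sorted(set(backups), reverse=True):
        age = (today - taken).days
        if age < 0:
            raise ValueError(f"backup dated in the future: {taken}")
        week = tuple(taken.isocalendar()[:2])   # (ISO year, ISO week)
        month = (taken.year, taken.month)
        if age <= DAILY_DAYS:
            decisions[taken] = "daily"
        elif age <= WEEKLY_DAYS and week not in weeks_seen:
            decisions[taken] = "weekly"
        elif age <= MONTHLY_DAYS and month not in months_seen:
            decisions[taken] = "monthly"
        else:
            decisions[taken] = "expire"
        # every backup, kept or not, marks its week and month as having a newer member
        weeks_seen.add(week)
        months_seen.add(month)
    return decisions


def to_expire(backups, today):
    """Dates the retention job should delete today, oldest first."""
    return sorted(d for d, tier in retention_decisions(backups, today).items()
                  if tier == "expire")


def oldest_retained(backups, today):
    """How far back personal data can still exist in backup form under this policy."""
    kept = [d for d, tier in retention_decisions(backups, today).items() if tier != "expire"]
    return min(kept) if kept else None
```

Run this as a dry run first and keep its output with the retention policy: a list of what was expired and why is exactly the evidence that the documented periods are actually enforced.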

Industry-Specific Requirements

Beyond GDPR, certain UK industries impose additional backup and data retention requirements that must be considered in your backup strategy.

Financial services firms regulated by the FCA must meet the systems-and-controls expectations of the SYSC sourcebook (including the operational resilience rules in SYSC 15A) and MiFID II record-keeping requirements, which mandate retention of certain records for five years, extendable to seven at the regulator's request. Your backup system must support these extended retention periods while maintaining data integrity and accessibility, which is the opposite pressure from the GDPR storage limitation principle and has to be reconciled explicitly in the retention policy.

Healthcare organisations handling NHS patient data must comply with the NHS Data Security and Protection Toolkit, which includes specific requirements for backup encryption, geographic data residency in line with NHS guidance on where health and care data may be hosted, and tested recovery procedures. The toolkit requires annual evidence that backup recovery has been tested successfully.

Law firms must retain client files in line with SRA (Solicitors Regulation Authority) rules and Law Society guidance, which point to different retention periods for different types of matter, from six years after file closure for general files to fifteen years or more for matters such as those involving minors. Backup systems must accommodate these granular retention requirements.

Compliant Backup Strategy

  • Documented backup policy aligned to GDPR
  • Defined and tested RTO and RPO
  • Encryption at rest and in transit (AES-256)
  • UK-based storage for personal data backups
  • Regular recovery testing (at least quarterly)
  • Documented retention periods with justification
  • Erasure procedures for right-to-be-forgotten
  • Access controls and audit logging

Non-Compliant Backup Approach

  • No documented backup policy
  • No defined recovery objectives
  • Unencrypted backup media or transfers
  • Storage outside UK with no legal basis
  • Recovery never tested or verified
  • Indefinite retention with no review
  • No process for data subject erasure requests
  • No access controls or audit trail

Testing and Documentation

GDPR Article 32(1)(d) requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." This means backup recovery testing is not optional; it is a legal requirement. The ICO will expect evidence that you test your backups regularly and that these tests confirm your ability to restore data within your stated timeframes. A successful backup job proves only that something was written; only a restore proves that it can be read back intact.

A compliant testing regime should include:

  • Daily: automated verification that every backup job completed successfully, with failures alerted rather than silently logged
  • Monthly: test restores of individual files and folders, with the restored data checked against the original (for example by comparing file hashes) to verify integrity
  • Quarterly: full system recovery tests to verify your ability to restore entire servers or environments
  • Annually: a disaster recovery exercise that simulates a realistic failure scenario and measures your actual recovery time against your stated RTO

Chart from the original page (share of organisations performing each test): Daily Job Verification 72%; Monthly File Restores 38%; Quarterly System Recovery 19%; Annual DR Exercise 11%.

Every test must be documented. The record should state what was tested, when, by whom, the outcome (success or failure), the time taken to restore and whether that met the stated RTO, and any issues encountered. Failed tests belong in the log too: a failure that was found, recorded and fixed is evidence the process works, whereas a log containing only passes invites the question of whether anything was really tested. This documentation serves as your evidence of compliance and is exactly what the ICO will request in the event of an investigation. A well-maintained testing log demonstrates that your organisation takes data protection seriously and has implemented appropriate technical measures, which can significantly influence the ICO's response to any incident.
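The monthly file-restore test in the regime above, and the record the previous paragraph says each test must leave behind, can be produced by one routine. The following is an added example, not code from the original post: it assumes a SHA-256 manifest of the backed-up files is written at backup time and stored with the backup set, times the restore, compares every restored file against the manifest, and returns the test record. The files, the "restore" (a directory copy) and the tester name are constructed for the demonstration, which also shows the check catching a corrupted restored file.

```python
"""Verifying a test restore against a hash manifest and producing the test record.

Added example, not code from the original page. It assumes a manifest of
SHA-256 hashes was written alongside the backup; the files, the 'restore'
(a directory copy) and the tester name are constructed for the demo.
"""
import hashlib
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root, keyed by relative path. Generate this at
    backup time and store it with the backup set, not only on the source host."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Return a list of discrepancies; empty means the restore is byte-identical."""
    actual = build_manifest(restored_root)
    issues = [f"missing: {rel}" for rel in manifest if rel not in actual]
    issues += [f"hash mismatch: {rel}" for rel, h in manifest.items()
               if rel in actual and actual[rel] != h]
    issues += [f"unexpected file: {rel}" for rel in actual if rel not in manifest]
    return issues


def run_test_restore(test_type, tester, restore_fn, restored_root, manifest, rto_seconds):
    """Time the restore, verify it, and return the record to file in the testing log:
    what was tested, when, by whom, outcome, time taken, issues, and whether the
    stated RTO was met."""
    started = time.monotonic()
    restore_fn()
    duration = time.monotonic() - started
    issues = verify_restore(restored_root, manifest)
    return {
        "test_type": test_type,
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "tester": tester,
        "files_checked": len(manifest),
        "outcome": "pass" if not issues else "fail",
        "issues": issues,
        "duration_seconds": round(duration, 3),
        "rto_met": duration <= rto_seconds,
    }


def demo():
    """Constructed scenario: two files are backed up, restored cleanly (pass),
    then one restored file is tampered with and the check catches it (fail)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        (source / "data").mkdir(parents=True)
        (source / "data" / "customers.csv").write_text("id,email\n1,a@example.com\n")
        (source / "config.ini").write_text("[backup]\nencrypt=aes-256-gcm\n")
        manifest = build_manifest(source)

        restored = Path(tmp, "restore-1")
        good = run_test_restore("monthly file restore", "j.smith",
                                lambda: shutil.copytree(source, restored),
                                restored, manifest, rto_seconds=60)

        # simulate silent corruption in the restored copy and re-verify
        (restored / "data" / "customers.csv").write_text("id,email\n1,x@example.com\n")
        bad = run_test_restore("monthly file restore", "j.smith",
                               lambda: None, restored, manifest, rto_seconds=60)
        return good, bad
```

Write each returned record to an append-only log (JSON lines in write-once storage, or a ticketing system) rather than a spreadsheet someone can tidy up later; the value of the log to a regulator lies in its being a contemporaneous, unedited record.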

Backup compliance is not glamorous, and it rarely gets attention until something goes wrong. But for UK businesses processing personal data, it is a non-negotiable aspect of your GDPR compliance programme. The investment in proper backup procedures, testing, and documentation is a fraction of the cost of a regulatory fine or the reputational damage of an unrecoverable data loss.

Is Your Backup Strategy Compliant?

Cloudswitched provides GDPR-compliant backup solutions for UK businesses, including encrypted cloud backup, regular recovery testing, and full documentation for regulatory compliance. Get in touch for a free backup compliance assessment.

Tags: Backup Compliance, GDPR, Data Protection