Hi there,
I'm wondering if anyone else in the IT world has thought about the problem with Tessitura (or any personal information) residing on backups.
GDPR as it currently stands suggests that if someone exercises their right to be forgotten their data on backups should also be deleted.
We currently use Veeam for our backups and I don't think it is even possible at present to action the above.
I've been searching the web and lots of people are discussing it but no one has an answer. Some people say backups are exempt from the requirement to purge data; others say they are included.
What sort of things have you all found out so far about this problem?
Does v14.1 address any of these concerns about retention of personal data in backups/archives?
Thanks
Mike Cornthwaite
ICT Manager
Theatre by the Lake
I was at a presentation here in NYC a few weeks ago about GDPR. Folks were talking about schemes where you encrypt all PII by individual. And you put a copy of a key in a limited number of locations. The backups with encrypted records hold the data indefinitely. However, if you delete the encryption key, the PII data is useless other than to maintain referential integrity. You still have to keep the keys of each customer somewhere safe. And there have to be backups of that data to some extent. But this was the idea for managing the "Right to be forgotten".
The other thing being discussed is that best practices for all of this are not clear and the primary targets for enforcement are the big FAMGA companies. The point was this was going to be like PCI or maybe, in the US, the Americans with Disabilities Act. Best practices and enforcement were going to develop over time. The key point was to start and document what you are doing to work toward compliance.
Regarding what the new Tessitura code does: is there anyone from the Network Development Staff who can comment?
That sounds like how I envisaged a solution would look. Encrypting each bit of personal data with its own key would solve the issue of data residing on backups going back years.
I agree it would be good to hear from Tessitura about how they plan to deal with the question about backups since they handle them for RAMP users.
The recent Tessitura European Conference had some sessions on GDPR and I think the overall theme was don't panic about GDPR. You're right in saying the authorities will likely be going after the big bad companies who show wilful disregard for data protection and I suspect a lot of the details will be worked out once some cases have been through court.
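
The per-individual key scheme discussed in the replies above, sketched as an added example that is not part of the original thread and is not Tessitura or Veeam code. `CustomerStore`, `seal`, `unseal` and the customer records are hypothetical, and the HMAC-SHA256 construction is a standard-library stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-GCM (assumption)
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered record")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class CustomerStore:
    def __init__(self):
        self.keys = {}     # key store: few copies, short backup retention
        self.records = {}  # main database: included in long-lived backups

    def add(self, customer_id, pii):
        key = self.keys.setdefault(customer_id, secrets.token_bytes(32))
        self.records[customer_id] = seal(key, pii.encode())

    def forget(self, customer_id):
        # Right to be forgotten: destroy the key, leave the row in place.
        self.keys.pop(customer_id, None)

    def read(self, customer_id, records):
        key = self.keys.get(customer_id)
        if key is None:
            return None  # row still exists for referential integrity, PII is gone
        return unseal(key, records[customer_id]).decode()

def demo():
    store = CustomerStore()
    store.add(1001, "Alice Example <alice@example.test>")  # constructed data
    store.add(1002, "Bob Example <bob@example.test>")      # constructed data
    backup = dict(store.records)  # stands in for a backup taken years ago
    store.forget(1001)
    store.records = backup        # restoring the old backup brings the ciphertext back
    return store.read(1001, backup), store.read(1002, backup), sorted(backup)
```

The erasure only holds once every copy of the customer's key is gone, so the key store needs its own short backup retention, separate from the long-lived data backups.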