No, your backup is not an archive

Backups are not nearly as accessible as archives, argues Archive360’s George Tziahanas. (Image: e14eak90 / Shutterstock)

For years, data backup systems have served as the unsung safety nets of enterprise IT. Built to allow firms to recover from cyber-disasters, they captured and stored vast amounts of data daily, filed away on the assumption that their retention protected organisations from the risk of losing valuable data. But what once worked for operational resilience now poses a growing challenge in the age of GDPR, CPRA, and similar privacy regulations, along with enhanced scrutiny of record-keeping requirements.

As regulations evolve and enforcement strengthens, a fundamental misunderstanding is coming into focus: namely, that backups are another form of archives. They most certainly aren’t, and treating them as such not only creates inefficiencies – it introduces compliance headaches that many organisations aren’t prepared to manage.

Legacy backup strategies are a compliance blind spot

Most privacy regulations enshrine some form of the ‘right to be forgotten,’ requiring organisations to locate and delete an individual’s personal information upon request. But while data may live in CRMs, email systems, SharePoint sites, and cloud drives, it also lives in backups. The problem with that? Traditional backups are not designed to allow for granular data access, let alone targeted deletion. In many cases, the only way to retrieve or alter information within a backup is to restore the entire system, database, or corpus.

This inability to search, retrieve, or selectively erase personal information turns backups into compliance liabilities. Data requests are supposed to be fulfilled within defined timelines, and many companies can’t answer a basic question: how do you find and delete all of a person’s data in your backups? The same is also true for other corporate records that have reached the end of a retention period. Firms that use backups as a retention tool will struggle to delete effectively, risk deleting discrete records too early, or end up with overly complicated legal holds in litigation or regulatory inquiries.

The cost of confusion

The risks aren’t just theoretical. Fulfilling a right-to-erasure request when personal information is buried in backup tapes can be prohibitively expensive and time-consuming, with costs running into the thousands. In some cases, organisations keep backup media for a decade or more, compounding exposure.

Some have argued that deletion from backups can be deferred until the data is accessed again. But that raises questions: what counts as ‘access’? A daily backup job? A full system restoration? Without a definitive answer, companies face legal grey areas that create uncertainty – and vulnerability.

Backups vs archives

A core issue at play is that many organisations still conflate backups with archives.

Backups are built for restoration: they are full-system snapshots meant to recover from failure or a security incident. They’re typically written in proprietary formats, not intended for search or selective editing. Archives, by contrast, are designed for long-term retention, governance, and access. They store individual data objects, like emails or files, in formats that can be searched, audited, and deleted as needed.

Relying on backups as a long-term data management tool is like using a fire extinguisher to water plants: the purpose doesn’t match the need.

Rethinking long-term retention in the privacy and compliance era

To reduce compliance risk, organisations need to separate their disaster recovery strategies from their data retention practices. That means critically assessing where and how personal data is stored, including in legacy systems and offline backups. It also requires an assessment as to whether existing tools support searchability and selective deletion in compliance with regulatory timelines. Companies must also consider how retention schedules are enforced, especially when the data is no longer active but still subject to regulatory scrutiny.

A forward-looking strategy should prioritise intelligent archiving: storing data in ways that support granular control, auditability, and defensible deletion. This not only satisfies privacy regulations but also positions organisations to better manage legal, operational, and reputational risks.

Time for a compliance reset

We’re entering a new era of data accountability, one where long-forgotten backups can become sources of real legal exposure. The time is now for CIOs, CISOs, and compliance leaders to scrutinise their backup and archiving strategies, and ask themselves: are we truly in control of our data?

The distinction between backup and archive isn’t academic. It’s foundational to compliance in a privacy-first world.

George Tziahanas is a VP of Compliance at Archive360
