In some recent legal policies, such as the European Union's proposed General Data Protection Regulation, the idea of “right to erasure” or “right to be forgotten” proposes that data for a particular entity must be deleted from certain records upon request. For example, past criminal records for an individual may be required by law to be erased from Internet search results after a set period of time. However, identifying and completely removing all relevant data from records may be a difficult process. There may be incomplete information regarding what exact data within a particular backup copy is related to the entity. For example, a backup copy that is created before a right-to-erasure order is executed may not contain detailed information on all data that is relevant to the right-to-erasure order. In addition, with certain data storage methods such as a deduplication process, a subset of data within a backup image may not be able to be deleted without deleting the entire backup image. Thus, when a piece of data or an application is restored, relevant data tied to the entity may be unintentionally reintroduced into the system.
Furthermore, legal measures may require proof of data deletion in connection with right-to-erasure orders for an entity. In such cases as the deduplication example, proving the erasure of records for a single entity among multiple entities in a backup image may be difficult or even impossible. The instant disclosure, therefore, identifies and addresses a need for improved systems and methods for ensuring right-to-erasure compliance.