I have an actual business, thank you. And I did my homework by talking to a lawyer about it. What I got from this talk is, that most of the stuff that is going around is pure panic mode.

Please, don't take my words as granted but talk to an actual lawyer. You'll probably even find a free session for startups somewhere in your city, at least in Europe.

Ask the regulators. The ICO provide comprehensive guidance documents, a wide range of tools to facilitate compliance and a dedicated helpline for small organisations. They're extremely busy at the moment, but they'll be more than happy to explain your obligations under the GDPR and the best way of achieving compliance.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

https://ico.org.uk/global/contact-us/advice-service-for-smal...

GDPR does not require deleting data from backups.

http://blog.quantum.com/backup-administrators-the-1-advice-t...

"The GDPR is open to interpretation, so we asked an EU Member State supervisory authority (CNIL in France) for clarification. CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it. Organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, but a backup copy may remain, but will expire after a certain amount of time (indicate the retention time in your communication with the data subject). Backups should only be used for restoring a technical environment, and data subject personal data should not be processed again after restore (and deleted again)."

I have a radical idea: don't keep that data.

You can still log accesses and aggregate them into statistics, just don't keep the IP addresses. You can still log IP addresses to detect DOS attacks or whatever, just delete the log when you don't need it anymore, after a day or so. There's no need to get backups from glacier, because you know there is no personal data in them.

GDPR does not require you to delete PII from backups. This is a misconception.

You do need to have a documented and implemented backup retention policy and communicate this if you receive a request to delete a user's data.

Backups have an expiration. That should be enough to satisfy the requirement for deletion.

That's only the case if you store personally identifiable information in your logs. IPs don't count as long as you're collecting them for security purposes and don't have a way to identify a person using the IP. Plus, if you rotate out your logs and clean them up regularly, you don't really need to worry about it. (That's what the EU lawyers at my work told us.)

Database backups are only a problem if you save them forever, though it sounds like you are. GDPR generally requires that you regularly archive, rotate out, and clean up old data.