Where cloud deduplication helps and where it does not

Business owner at a desk comparing a printed invoice with figures on a laptop screen
TL;DR

Cloud deduplication cuts backup storage and transfer costs by storing identical blocks of data once. It works best on frequent backups of repetitive data such as server images, databases, documents and email, where savings of 50 to 80 per cent are commonly reported. It offers little for compressed media or encrypted archives, adds restore complexity worth testing, and leaves UK GDPR retention and deletion duties exactly where they were.

Key takeaways

- Cloud deduplication stores identical blocks of data once, so frequent backups of repetitive workloads such as server images, databases, documents and email can shrink storage use by 50 to 80 per cent in smaller firms. - The savings depend entirely on redundancy. Compressed media, encrypted archives and unique creative files deduplicate poorly, and very small data volumes rarely justify the tuning effort. - Deduplication arrives inside your backup product as a configuration setting, usually on by default, rather than as something you buy separately. SaaS platforms already optimise their own storage internally. - Deduplicated backups still contain personal data, so UK GDPR retention, deletion and subject access duties apply unchanged. Cheap storage never justifies keeping data beyond policy. - Before changing anything, map your data by type, run your backup vendor's cost calculator with deduplication on and off, enable it where data repeats, and time a real restore from a deduplicated backup.

The cloud backup bill has doubled again. Eighteen months ago it was small enough to ignore, then daily snapshots and a year of retained versions crept in, and now it sits on the management accounts as a line someone has to explain. When the backup vendor’s answer is deduplication, with claims of up to 95 per cent storage savings, the reasonable question is whether that number is real or a brochure figure. The honest answer is both. Deduplication delivers dramatic savings under specific conditions, and close to nothing outside them. Knowing which side of that line your business sits on is worth twenty minutes of your attention.

What is cloud deduplication?

Cloud deduplication is a storage technique that spots identical chunks of data and keeps only one physical copy. Backup software breaks files into blocks, fingerprints each block, and stores a reference instead of a duplicate whenever a fingerprint matches one it already holds. Ten nightly backups of a largely unchanged server can therefore share one set of underlying blocks rather than existing as ten full copies.

The savings build over time rather than arriving on day one. The first backups are full of blocks the system has never seen, so early runs store almost everything and the ratios look disappointing. Once a baseline exists, each new backup adds only genuinely new blocks, and both storage growth and transfer volumes fall away. Community guidance from Commvault describes exactly this pattern, slow seeding first, then markedly better throughput once the destination has baselined the source.

Two things defeat it. Compressed files, such as video, JPEG images and ZIP archives, have already had their internal repetition squeezed out, so their blocks look unique to the fingerprinting engine. Encrypted data goes further, because good encryption is designed to look random, and identical files encrypted separately may share no blocks at all. This is why serious backup products deduplicate first and encrypt afterwards, inside the product, a design detail worth confirming with your vendor.

Why does it matter for your business?

The case is cost. Where data is repetitive and backed up frequently, deduplication can shrink stored volumes dramatically. Large environments report ratios of 10:1 to 30:1, and guidance aimed at smaller firms suggests deduplication and compression together commonly cut storage use by 50 to 80 per cent. That flows straight through to your monthly cloud bill and your backup bandwidth.

The most vivid published example comes from Commvault’s CoStar case study. Consolidating onto one deduplicating backup platform took 11.2 petabytes of source data down to around 2 petabytes on disk, a five-fold global reduction and ten-fold on SQL databases, while backup success rates climbed from roughly 55 per cent to 97 per cent and recovery times fell from 24 hours to one. Your firm is a fraction of that scale, but the mechanism scales down. Nightly images of workstations and daily copies of a slowly changing database are exactly the repetitive workloads deduplication was built for.

There is a second benefit beyond the bill. Because each additional backup costs little once the baseline exists, you can afford to back up more often, which tightens how much work you would lose in an incident. A caution rides alongside the savings, though. Cheap retention makes it tempting to keep everything forever, and the ICO’s storage limitation principle points the other way. Deduplicated backups still contain personal data, deletion requests still reach into them, and keeping data simply because storage is cheap is a liability rather than a policy.

Where will you actually meet it?

You will meet deduplication inside backup products, not as something you buy separately. Vendors such as Veeam, Commvault and HPE build it into their backup software, usually switched on by default, with settings per backup set. Cloud providers also run their own storage optimisation behind the scenes, which is invisible to you and beyond your control either way.

In practice the decision shows up as configuration rather than procurement. Backup products expose deduplication per client or per backup set, sometimes with modes tuned for slow networks or fast disks. HPE quotes space savings of up to 95 per cent on suitable workloads for its deduplicating storage, and similar claims run through Veeam and Commvault material, always with the same caveat about data type.

One distinction saves confusion. If your files live in Microsoft 365 or Google Workspace, the provider already optimises its own storage and there is nothing for you to switch on. Your opportunity sits in whatever backup you run of that SaaS data, and in your own servers and machines. Removing duplicate customer records from a CRM is a different job again, done at the application level for data quality rather than storage cost.

When should you ask about it, and when should you ignore it?

Ask about deduplication when your backups are frequent snapshots of repetitive data, server images, databases, document stores and email. Ignore it, or leave the defaults alone, when your data is mostly compressed media or encrypted archives, when your total volume is a few hundred gigabytes, or when nobody in the firm has time to test that restores still work.

The counterexamples matter as much as the wins. A production company whose archive is unique, heavily compressed video will see little benefit, and would do better spending the same effort moving old projects into cheaper archive tiers. A five-person consultancy with a few hundred gigabytes of documents has so little at stake that tuning deduplication is a distraction, and defaults will do. Any firm in a regulated corner, an IFA or an insurance broker for instance, should check that deduplicated tiers still meet evidential and record-keeping expectations before leaning on them.

Two questions belong in any vendor conversation. First, does the product deduplicate before it encrypts, because the reverse order wipes out the benefit. Second, what happens if you leave, since proprietary deduplication formats can make migrating years of backups to another provider slow and expensive, the kind of switching barrier the Competition and Markets Authority has flagged in its cloud market work.

The Monday move is modest. List your data by type, roughly how much of each and how often it changes. Run your backup vendor’s cost calculator with deduplication on and off across a couple of retention settings. Enable it where the repetitive data lives, leave the media archive alone, and then restore something real from a deduplicated backup and time it. Restores rebuild files from shared blocks, so they can run slower than reading a plain copy, and the moment to discover that is a test, never an incident.

Four ideas sit next to deduplication and are worth keeping straight. Compression shrinks individual files. Incremental backup copies only what changed since the last run. Recovery time and recovery point objectives describe how fast you need to be back and how much loss you can accept. And retention policy governs how long any of it is kept.

Compression pairs naturally with deduplication, and order matters, deduplicate first, then compress what remains, because compressing first hides the repetition the fingerprinting relies on. Incremental backup achieves a related saving by copying only changed files, though deduplication works at a finer grain and across machines. Recovery objectives deserve an agreed number each, settled before an incident rather than during one. Retention policy is where the governance lives, since deduplication changes what storage costs, while your retention duties under UK GDPR stay exactly as they were.

Deduplication earns its place in owner-managed businesses whose backups repeat, and it earns nothing in businesses whose data resists it. If your cloud backup bill is climbing and your workloads are documents, databases and machine images, the savings are real and the effort to claim them is a configuration session and a test restore. If your world is compressed media, tiny volumes, or a team with no slack to manage another moving part, take the simpler setup and pay the modest premium for predictability.

Sources

- National Cyber Security Centre. The cloud security principles. UK guidance on what to expect from cloud providers, including support for meeting data protection responsibilities. https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles - Information Commissioner's Office. Assessment for small business owners and sole traders. Self-assessment checklist covering retention, secure storage and handling deletion requests. https://ico.org.uk/for-organisations/advice-for-small-organisations/getting-started-with-gdpr/assessment-for-small-business-owners-and-sole-traders/ - Information Commissioner's Office. Guide to the UK GDPR, storage limitation principle. The rule that personal data is kept no longer than necessary, backups included. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/storage-limitation/ - SNIA (2008). Understanding Data Deduplication Ratios. Standards-body primer on how deduplication ratios arise and why they vary by dataset. https://www.snia.org/sites/default/files/Understanding_Data_Deduplication_Ratios-20080718.pdf - Competition and Markets Authority (2023). CMA consults on concerns in cloud services market. UK regulator's findings on egress fees and technical barriers to switching cloud providers. https://www.gov.uk/government/news/cma-consults-on-concerns-in-cloud-services-market - HPE. What is data deduplication? Vendor explainer citing space savings of up to 95 per cent on highly duplicated workloads. https://www.hpe.com/uk/en/what-is/data-deduplication.html - Commvault. CoStar case study. Documented reduction of 11.2 petabytes to around 2 petabytes on disk, with backup success rates rising from 55 to 97 per cent. https://www.commvault.com/resources/case-studies/case-study-costar - Veeam. Controlling cloud backup costs. Breakdown of cloud backup spend across storage tiers, retention, compute and data movement, with archive tiers cutting costs by up to 70 per cent. https://www.veeam.com/blog/controlling-cloud-backup-costs.html - Hystax. Deduplication vs compression for data storage. Explains why deduplication should run before compression and why compressed data deduplicates poorly. https://hystax.com/optimizing-data-storage-deduplication-vs-compression/

Frequently asked questions

Does cloud deduplication actually save money for a smaller firm?

Where backups run frequently over repetitive data, yes. Guidance aimed at smaller businesses commonly reports 50 to 80 per cent storage reductions from deduplication and compression together, and large environments report ratios of 10:1 to 30:1. The savings shrink sharply if your data is mainly compressed media or encrypted archives, or if your total volume is only a few hundred gigabytes. Run your backup vendor's calculator with the feature on and off before assuming either way.

Does deduplication affect how quickly I can restore after an incident?

It can. Restores from deduplicated storage rebuild files from shared blocks scattered across the repository, which can run slower than reading a plain copy. Well-engineered products manage this, but the only way to know your real numbers is to restore something meaningful from a deduplicated backup and time it. Do that as a scheduled test, and repeat it whenever retention or configuration changes, so an incident never becomes the first measurement.

Does deduplication help me meet GDPR data minimisation duties?

Not on its own. Deduplication reduces the physical storage behind your backups, but every backup still logically contains the personal data it always did. The ICO's storage limitation principle still requires defined retention periods, and deletion requests still reach into backups. Treat deduplication as a cost tool and keep retention and deletion policies as separate, documented decisions, otherwise cheap storage tempts you into holding data longer than the law allows.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation

Related reading

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation