I have discussed this with some GDPR compliancy lawyers, and I believe it is yet to be decided whether the GDPR will actually require you to delete historic images, or if you just need to ensure that data is "offline" to the public and/or internal users.
I don´t think anyone is yet sure how the GDPR will be interpreted in real life, and what the real-life requirements will be. With tapes it´s even more of a question, will the GDPR actually require you to physically overwrite the images on the tapes after expiring the image, or is it enough to just expire metadata from the catalog, i.e. no need to touch the tape, and actually less work for NetBackup compared to a disk-solution.
As also stated, deleting the entire image would for most people not be the right solution, as it contains tons of other files that does not require deletion, so if this the way forward, we would need to restore the image, delete data and re-backup the data :-)
Let´s all cross our fingers that over the next 2 years we will get a clear indication of how to interpret these rules, and that someone with just a little bit of technical indsight can make it clear to the suits, that we need a realistic interpretation.