
And going through all the backups to overwrite the data? Backups that would have been written to CD or tapes?


Yep, you have one month.

If you are storing backups for longer than this then perhaps you have to ask yourself why.

For instance, the last company I worked for deliberately didn't keep database backups past 30 days and had that policy for some years prior to GDPR. The idea being that it would be expected by a user that when they hit "delete" on something in the web app it would actually be deleted.

(Additionally there is a whole minefield of crap that could happen if you got subpoenaed and had to due process on months' or years' worth of backup data, but this wasn't the primary driver of the policy.)

This is a pretty good read on the matter:

https://ico.org.uk/for-organisations/guide-to-the-general-da...


Your backup retention policy should comply with GDPR, and you should be prepared to justify extended retention periods.



