SCF - PRI-05 - Personal Data Retention & Disposal

Mechanisms exist to:

Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and
Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).

Mapped framework controls

GDPR

ISO 27002

NIST 800-53

SI-12

SOC 2

Control questions

Does the organization:

Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and
Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records)?