graphgrc

SCF - PRI-05 - Personal Data Retention & Disposal

Mechanisms exist to:

• Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
• Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and
• Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).

  Mapped framework controls

  GDPR

• Art 18.1
• Art 18.2
• Art 21.1
• Art 21.2
• Art 21.3
• Art 5.1

ISO 27002

• A.5.33
• A.8.10

NIST 800-53

• SI-12

SOC 2

• C1.2
• CC6.5
• P4.0
• P4.2
• P4.3

Control questions

Does the organization:

• Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
• Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and
• Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records)?

This site is open source. Improve this page.