AuditRubric
pr-ds-3 medium Protect / Data Security

Data are destroyed according to policy when no longer needed

Data you no longer need is still a liability. Every old customer record, decommissioned backup, or abandoned S3 bucket is data that can be breached, surfaced in a legal discovery, or used to violate privacy regulations. A data destruction policy converts retained-but-unneeded data from a passive risk into a managed, shrinking one.

Estimated effort: 3h
data-destruction, retention, disposal, gdpr, privacy

Implementation steps

  1. Define data retention periods by data type

    Document how long each type of data must be kept (driven by legal requirements, regulatory obligations, and business needs) and when it must be deleted. For example: financial records for seven years, customer PII for the duration of the relationship plus one year, application logs for 90 days. Shorter retention periods mean less data at risk.

    confluence, notion
  2. Implement automated deletion where possible

    Configure retention policies in your data stores to automatically purge data after the retention period: object lifecycle rules in S3 or GCS, database retention jobs, log retention settings in your SIEM. Automated deletion is more reliable than manual processes and does not require someone to remember to run a script.

    aws-s3, gcs, datadog, splunk, bigquery
  3. Define and follow a secure media and device disposal process

    When hardware is decommissioned, define how data on it is destroyed: full-disk encryption before disposal, cryptographic erasure, physical destruction of drives for highly sensitive data. Use NIST 800-88 guidelines as a reference. Document disposal of sensitive-data devices so you have a record if a device is ever traced back to a breach.
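An added example for step 2, not part of the original page: a check that S3 lifecycle rules actually delete data within a retention period, using the 90-day application log period from step 1. The function names, rule IDs and sample rules are hypothetical; the rule layout follows the "Rules" list returned by boto3's get_bucket_lifecycle_configuration().

```python
# Added example (not from the original page): audit S3 lifecycle rules against
# a retention period. `rules` has the shape of the "Rules" list returned by
# boto3's get_bucket_lifecycle_configuration(); the sample below is constructed.

def rule_prefix(rule):
    """Key prefix the rule applies to, or None when tag/size filters narrow it
    so that it cannot be relied on to cover every object."""
    flt = rule.get("Filter", {})
    if any(k in flt for k in ("Tag", "And", "ObjectSizeGreaterThan", "ObjectSizeLessThan")):
        return None
    return flt.get("Prefix", rule.get("Prefix", ""))

def audit_lifecycle(rules, prefix, max_days, versioned=False):
    """Return findings for data under `prefix` that must be gone within
    `max_days`. An empty list means the rules enforce the retention period."""
    covering = [r for r in rules
                if rule_prefix(r) is not None and prefix.startswith(rule_prefix(r))]
    findings = [f"rule {r.get('ID')} is disabled"
                for r in covering if r.get("Status") != "Enabled"]
    enabled = [r for r in covering if r.get("Status") == "Enabled"]
    if not enabled:
        return findings + [f"no enabled rule covers every object under {prefix!r}"]
    exp = [r["Expiration"]["Days"] for r in enabled if "Days" in r.get("Expiration", {})]
    if not exp:
        return findings + ["no Expiration.Days set: objects are never deleted"]
    total = min(exp)  # when rules overlap, the shorter expiration applies
    if versioned:
        # On a versioned bucket, expiration only adds a delete marker; the data
        # survives as a noncurrent version until NoncurrentVersionExpiration.
        nc = [r["NoncurrentVersionExpiration"]["NoncurrentDays"] for r in enabled
              if "NoncurrentDays" in r.get("NoncurrentVersionExpiration", {})]
        if not nc:
            return findings + ["versioned bucket: noncurrent versions never expire"]
        total += min(nc)
    if total > max_days:
        findings.append(f"data persists {total} days, policy allows {max_days}")
    return findings

SAMPLE_RULES = [  # constructed sample, not a real bucket
    {"ID": "purge-logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Expiration": {"Days": 90},
     "NoncurrentVersionExpiration": {"NoncurrentDays": 30}},
    {"ID": "purge-exports", "Status": "Disabled", "Filter": {"Prefix": "exports/"},
     "Expiration": {"Days": 365}},
]

if __name__ == "__main__":
    for args in (("logs/app/", 90, False), ("logs/app/", 90, True), ("exports/", 365, False)):
        print(args, audit_lifecycle(SAMPLE_RULES, *args) or "OK")
```

The versioned case shows why a rule that reads "expire after 90 days" can still leave data recoverable for 120 days.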

Evidence required

Data retention and destruction policy

A written policy defining how long each data type is retained and how it must be destroyed at end of life.

  • Data retention policy with retention periods by data category
  • Records management schedule referenced in the privacy policy
  • Policy document covering both digital data and physical media disposal

Automated retention configuration or disposal records

Evidence that data retention policies are being enforced, either through automation or documented manual processes.

  • S3 lifecycle rule configuration showing automatic deletion after retention period
  • Database retention job logs showing data purging
  • Hardware disposal records with destruction method and date
