c1-2 High priority Confidentiality / Confidentiality

Confidential information is disposed of securely

Data that is no longer needed but not properly disposed of remains a liability. Customer data retained after contract termination, employee records kept indefinitely, and hard drives discarded without sanitization have all been the source of breaches. This criterion requires that confidential information is disposed of securely when it reaches the end of its required retention period.

Complete first: c1-1

Implementation steps

  1. Define a data retention policy

    Document how long different types of data are retained and why. Retention periods should be driven by: legal and regulatory requirements (minimum retention), business need (operational data), and contractual commitments (customer data handling). For customer data, define the retention period after contract termination. The policy should specify both the minimum and maximum retention period.

    confluence notion google-docs
  2. Implement automated data deletion for expired records

    Where possible, automate data deletion when retention periods expire. Configure S3 lifecycle policies to delete objects after a defined period. Implement database-level deletion for records exceeding retention. For backups, configure retention windows that align to your policy. Manual deletion processes are error-prone and frequently forgotten.

    aws-s3 aws-rds google-cloud-storage terraform
  3. Handle customer data deletion requests and contract termination

    Define a process for customer data deletion: what happens to customer data when a contract ends or when a customer submits a deletion request under GDPR or CCPA. Document how long you take to complete deletion, what data is deleted vs. retained (e.g., billing records with legal hold), and how you confirm deletion to the customer. Ensure the deletion process covers all copies: production, backups, and third-party processors.

    notion confluence jira
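
Added example (not part of the original page): for step 2, a Python check that compares S3 lifecycle rules with the retention policy and catches the versioned-bucket case where an expiration rule alone leaves old object versions in place. The policy values, bucket names and lifecycle documents are constructed samples, and only bucket-wide, Days-based rules are evaluated.

```python
# Constructed retention policy: maximum days per data class (assumed values).
MAX_RETENTION_DAYS = {"customer-data": 90, "app-logs": 365}

# Constructed inventory: bucket -> (data class, versioning on, lifecycle config).
# Lifecycle dicts follow `aws s3api get-bucket-lifecycle-configuration` output.
BUCKETS = {
    "exports": ("customer-data", False, {"Rules": [
        {"Status": "Enabled", "Filter": {}, "Expiration": {"Days": 90}}]}),
    "uploads": ("customer-data", True, {"Rules": [
        {"Status": "Enabled", "Filter": {"Prefix": ""}, "Expiration": {"Days": 90}}]}),
    "archive": ("customer-data", True, {"Rules": [
        {"Status": "Enabled", "Filter": {}, "Expiration": {"Days": 60},
         "NoncurrentVersionExpiration": {"NoncurrentDays": 60}}]}),
    "logs": ("app-logs", False, {"Rules": [
        {"Status": "Disabled", "Filter": {}, "Expiration": {"Days": 30}}]}),
    "scratch": ("app-logs", False, None),  # no lifecycle configuration at all
}

def bucket_wide(rule):
    """True for an enabled rule that applies to every object in the bucket."""
    # Legacy rules carry a top-level Prefix instead of a Filter element.
    scope = rule.get("Filter", {"Prefix": rule.get("Prefix", "")})
    return rule.get("Status") == "Enabled" and scope in ({}, {"Prefix": ""})

def audit_bucket(data_class, versioned, lifecycle):
    """Return a list of findings; an empty list means the bucket meets policy."""
    limit = MAX_RETENTION_DAYS[data_class]
    rules = [r for r in (lifecycle or {}).get("Rules", []) if bucket_wide(r)]
    current = [r["Expiration"]["Days"] for r in rules
               if "Days" in r.get("Expiration", {})]
    if not current:
        return ["no enabled bucket-wide expiration rule"]
    days = min(current)
    if versioned:
        # On a versioned bucket Expiration only adds a delete marker; the bytes
        # go away when the noncurrent version expires, so both periods add up.
        specs = [r.get("NoncurrentVersionExpiration", {}) for r in rules]
        noncurrent = [s["NoncurrentDays"] for s in specs
                      if "NoncurrentDays" in s and "NewerNoncurrentVersions" not in s]
        if not noncurrent:
            return ["noncurrent versions never expire"]
        days += min(noncurrent)
    if days > limit:
        return [f"data kept {days} days, policy maximum is {limit}"]
    return []

if __name__ == "__main__":
    for name, args in BUCKETS.items():
        print(name, audit_bucket(*args) or "ok")
```

The findings list per bucket can be attached to the disposal evidence alongside the lifecycle configuration itself.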

Evidence required

Data retention policy

Documentation specifying data retention periods and disposal requirements.

  • Data retention policy with retention periods by data type
  • Privacy policy with data retention section
  • Data handling procedure with deletion requirements

Data disposal procedures and records

Evidence that data is disposed of per the retention policy.

  • S3 lifecycle policy configuration showing expiration rules
  • Database retention configuration or automated deletion job
  • Customer data deletion request fulfillment records

Related controls