Do you have a mechanism to delete customer personal data upon verified request?
Explanation & Context
Explanation of the Question:
This question is asking whether your organization has a process in place to remove personal data of customers when they formally request it. Personal data can include names, email addresses, physical addresses, and any other information that can be used to identify an individual. The request must be verified to ensure it is legitimate, meaning you need to confirm the identity of the person making the request to prevent unauthorized deletions.
Why It Matters:
Having a mechanism to delete personal data upon request is crucial for several reasons. First, it helps build trust with your customers by showing that you respect their privacy and give them control over their data. Second, many data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe, require organizations to provide this capability. Non-compliance can result in significant fines and legal repercussions. Finally, it reduces your exposure in a data breach: the less personal data you store, the less sensitive information can be exposed if a breach occurs.
Example of Evidence:
To demonstrate that you have this mechanism in place, you might provide documentation of your data deletion policy, including the steps taken to verify a deletion request and the technical processes used to remove the data from your systems. For instance, you could show logs of deletion requests, confirmation that the data was removed from all databases and backups, and any notifications sent to the customer confirming the deletion.
Example Responses
Example Response 1
We utilize a dedicated data deletion API endpoint within our Heroku-hosted application to facilitate the removal of customer personal data upon verified request. This process includes identity verification through a secure token sent to the customer's registered email, followed by immediate deletion of the data from our primary database and all associated backups.
Example Response 2
Our AWS-hosted infrastructure incorporates a comprehensive data deletion workflow that is triggered upon receipt of a verified customer request. This involves automated scripts that remove personal data from our RDS databases, S3 buckets, and any associated ElastiCache instances, with logs maintained for audit purposes and confirmation sent to the customer.
Example Response 3
As our software is deployed on-premises and tailored to each client's specific environment, the mechanism for deleting customer personal data varies by installation. However, we provide detailed guidelines and scripts to our clients to ensure they can comply with data deletion requests in accordance with applicable regulations.

