DRPV-06

Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?

Explanation

This question is asking about your data retention policies and practices for personal information. It is specifically concerned with whether you:

1. Only keep personal information for as long as necessary to fulfill the stated purpose for which it was collected
2. Only keep personal information for as long as required by applicable laws or regulations
3. Properly dispose of personal information after these retention periods expire

This question is asked in a security assessment because proper data retention and disposal practices are fundamental to data privacy and security. Keeping personal data longer than necessary increases the amount of data exposed if you are breached, may violate privacy regulations such as GDPR (whose storage-limitation principle is Article 5(1)(e)) or CCPA, and can create legal liability. Data minimization (only keeping what you need for as long as you need it) is a core principle of most privacy frameworks and regulations. Proper disposal ensures that data that is no longer needed cannot be compromised. Note that "disposal" has to reach every copy: a record deleted from the production database still exists in backups, replicas, log archives and analytics exports unless the retention process covers those too, or the data was encrypted under a key that is destroyed at expiry.

To best answer this question, you should:

1. Describe your formal data retention policy and how it is enforced
2. Explain how retention periods are determined for different types of personal data
3. Detail your data disposal/deletion processes and methods
4. Mention any automated systems that help enforce retention periods
5. Reference specific regulations that influence your retention schedules, if applicable
6. Explain how you document compliance with your retention policies

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive Data Retention Policy that strictly governs how long we retain personal information. Our policy establishes retention periods based on: (1) the purpose for which the data was collected, (2) applicable legal and regulatory requirements (including GDPR, CCPA, HIPAA, and industry-specific regulations), and (3) contractual obligations. We use an automated data lifecycle management system that tags data with retention metadata upon collection and triggers review/deletion workflows when retention periods expire. For example, customer transaction data is retained for 7 years to comply with tax regulations, while marketing preferences are only kept for 2 years from the last interaction. When data reaches end-of-life, it undergoes secure deletion using methods that comply with NIST SP 800-88 guidelines, including cryptographic erasure for cloud storage and certified destruction for physical media. Our Data Privacy Office conducts quarterly audits to verify compliance with retention schedules, and we maintain deletion certificates as evidence of proper disposal.
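The retention-tagging and cryptographic-erasure workflow that response describes, as an added example in Python (this is not code from the original page or from ResponseHub). Each record is stored encrypted under its own data-encryption key and tagged with a category and collection timestamp; a sweep computes expiry from a hypothetical retention schedule, destroys the key of every expired record, drops the row and writes a deletion-log entry. The schedule, record IDs and sample data are constructed for the example, and the HMAC-based stream cipher is a standard-library stand-in for an AEAD such as AES-GCM:

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule in days, keyed by data category. The periods
# mirror the example response (7 years for transactions, 2 years for marketing
# preferences); a real schedule comes from the records-retention policy.
RETENTION_DAYS = {
    "transaction": 7 * 365,
    "marketing_preference": 2 * 365,
}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, XORed with data.

    A production system would use an AEAD such as AES-GCM; this toy only exists
    so the example runs on the standard library. The property that matters for
    cryptographic erasure is the same: without the key the ciphertext is
    unrecoverable. XOR is symmetric, so one function encrypts and decrypts.
    """
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], stream))
    return bytes(out)


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime  # retention metadata: the clock starts here
    nonce: bytes
    ciphertext: bytes


class RetentionStore:
    """Keeps each record under its own data-encryption key, so expiry is enforced
    by destroying the key (crypto-shredding) as well as dropping the row."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self._keys: dict[str, bytes] = {}   # per-record DEKs, held apart from the rows
        self.deletion_log: list[dict] = []  # evidence trail for retention audits

    def put(self, record_id: str, category: str, plaintext: bytes, collected_at: datetime) -> None:
        if category not in RETENTION_DAYS:
            raise ValueError(f"no retention period defined for category {category!r}")
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[record_id] = key
        self._records[record_id] = Record(record_id, category, collected_at, nonce,
                                          _keystream_xor(key, nonce, plaintext))

    def get(self, record_id: str) -> bytes | None:
        rec, key = self._records.get(record_id), self._keys.get(record_id)
        if rec is None or key is None:
            return None
        return _keystream_xor(key, rec.nonce, rec.ciphertext)

    @staticmethod
    def expires_at(rec: Record) -> datetime:
        return rec.collected_at + timedelta(days=RETENTION_DAYS[rec.category])

    def sweep(self, now: datetime) -> list[str]:
        """Erase every record whose retention period has elapsed; return their IDs."""
        erased = []
        for rid, rec in list(self._records.items()):
            if now < self.expires_at(rec):
                continue
            del self._keys[rid]     # shred the key first: ciphertext copies in backups/replicas are now useless
            del self._records[rid]  # then drop the row itself
            self.deletion_log.append({
                "record_id": rid,
                "category": rec.category,
                "expired_at": self.expires_at(rec).isoformat(),
                "erased_at": now.isoformat(),
                "method": "cryptographic_erasure",
            })
            erased.append(rid)
        return erased


def run_demo() -> dict:
    """Constructed data: one transaction past its 7-year period, one fresh marketing preference."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = RetentionStore()
    store.put("txn-1", "transaction", b"order 4411, card ending 1234", now - timedelta(days=8 * 365))
    store.put("mkt-1", "marketing_preference", b"opted in to newsletter", now - timedelta(days=365))
    erased = store.sweep(now)
    return {
        "erased": erased,
        "txn_readable": store.get("txn-1"),
        "mkt_readable": store.get("mkt-1"),
        "log": store.deletion_log,
    }


if __name__ == "__main__":
    print(run_demo())
```

Destroying the key rather than only deleting the row is what makes the erasure reach backups and replicas that still hold the ciphertext, which is the gap the caveat about copies in the explanation points at; the deletion log is the kind of evidence an auditor asks for when checking that the retention schedule was actually applied.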

Example Response 2

Yes, we have implemented a structured approach to data retention and disposal. Our Data Governance team maintains a data inventory that categorizes all personal information we process and assigns appropriate retention periods based on business need and regulatory requirements. For example, employee data is retained according to labor laws in the applicable jurisdictions (typically 3-7 years after employment ends), while customer support interactions are retained for 18 months to support service improvement and dispute resolution. Our technical infrastructure enforces these retention periods through automated archiving and purging processes. When retention periods expire, our system flags the data for review by the relevant data owner, who must approve deletion or provide documented justification for an extension. Approved deletions are executed using appropriate methods based on the storage medium (e.g., database record deletion with transaction logs, secure wiping of backup media). We document all deletion activities and conduct annual compliance reviews of our retention practices. Our approach has been reviewed by external privacy counsel and deemed compliant with applicable regulations.

Example Response 3

We don't currently have a formal data retention policy in place. While we understand the importance of not keeping data indefinitely, our systems weren't designed with automated retention limits. Personal information collected from customers and users is generally kept in our active systems until the customer requests deletion or closes their account. We do perform occasional manual cleanups of obviously outdated information, but this is not done according to a defined schedule or process. We recognize this as a gap in our privacy practices and are working to develop a comprehensive data retention framework. In the meantime, we've started a data mapping initiative to identify what personal information we hold, where it's stored, and how long we've been keeping it. We plan to implement proper retention periods and automated disposal mechanisms within the next 12 months as part of our broader privacy program enhancement.

Context

Tab: Privacy
Category: Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub