
CISOBot - Your AI CISO Assistant

PRI-05

Personal Data (PD) Retention & Disposal

Weight: 8/10
Description

Mechanisms exist to: (1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law; (2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and (3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).

Control Question

Does the organization: (1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law; (2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and (3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records)?

Control Metadata

Domain: Data Privacy

Validation Cadence: Annual

Evidence Request List: E-AST-11, E-PRI-02

Framework Mappings

This control maps to the following compliance frameworks:

MAS TRM: 11.1.7

HKIA GL20: 3.1, 3.2, 3.3, 3.4
