Retention and Destruction
Develop and implement controls to verify that personal data is not retained beyond the time specified in retention policies. Destroy data media (all forms — paper, digital, etc.) at the end of the data's life-cycle and ensure that obsolete (or deleted) personal data is not inappropriately restored.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Retention and Destruction at each level of maturity.
- 1Initial
- Practice
- Design and implement appropriate personal data retention policies.
- Outcome
- Specification, procurement or management tends to be department choice or ad hoc.
- Practice
- Destroy data media (inclusive of paper and digitized data) where the media is at its lifecycle end.
- Outcome
- Processes to identify personal data are defined and in use in IT and some business units.
- Metric
- # fields identified as personal data or personal sensitive data.
- Practice
- Destroy or anonymize all personal data as soon as its retention is no longer necessary for the specified purposes.
- Outcome
- IT and business units work on jointly developing data, classification guidelines for all personal and sensitive personal data assets.
- Metric
- # fields identified as personal data or personal sensitive data.
- 2Basic
- Practice
- Design and implement appropriate personal data retention policies.
- Outcome
- Data protection and security classification guidelines are implemented and regularly improved enterprise-wide.
- Metric
- # fields identified as personal data or personal sensitive data.
- Practice
- Destroy data media (inclusive of paper and digitized data) where the media is at its lifecycle end.
- Outcome
- Data protection and security classification guidelines are optimized for various data lifecycles.
- Metric
- Frequency at which personal data is assessed classification and purpose.
- Practice
- Destroy or anonymize all personal data as soon as its retention is no longer necessary for the specified purposes.
- Outcome
- Use (if any) of information lifecycles is ad hoc.
- 3Intermediate
- Practice
- Design and implement appropriate personal data retention policies.
- Outcome
- Some business information lifecycles have been developed and are in use at process and/or function level and identify personal and sensitive personal information.
- Metric
- % Personal data addressed using life-cycle management approaches.
- Practice
- Destroy data media (inclusive of paper and digitized data) where the media is at its lifecycle end.
- Outcome
- Lifecycles are defined for all personal and sensitive personal data and in use across the enterprise.
- Metric
- % Personal data addressed using life-cycle management approaches.
- Practice
- Destroy or anonymize all personal data as soon as its retention is no longer necessary for the specified purposes.
- Outcome
- A multi-lifecycle management capability is supported across the enterprise and support audit.
- Metric
- % Personal data addressed using life-cycle management approaches.
- 4Advanced
- Practice
- Design and implement appropriate personal data retention policies.
- Outcome
- The lifecycles are used across the extended enterprise and are adaptive and self-auditing.
- Metric
- Frequency of review of personal data life cycles.
- Practice
- Destroy data media (inclusive of paper and digitized data) where the media is at its lifecycle end.
- Outcome
- Specification, procurement or management tends to be department choice or ad hoc.
- Practice
- Destroy or anonymize all personal data as soon as its retention is no longer necessary for the specified purposes.
- Outcome
- Available data protection toolsets and existing solutions are effectively and efficiently used.
- Metric
- % Staff provided training on the need for and the use of data protection tools and aids.
- 5Optimized
- Practice
- Design and implement appropriate personal data retention policies.
- Outcome
- IT and some business units are agreed on the automation levels, tooling, resourcing, and management of security resources.
- Metric
- % Staff provided training on the need for and the use of data protection tools and aids.
- Practice
- Destroy data media (inclusive of paper and digitized data) where the media is at its lifecycle end.
- Outcome
- Monitoring is highly automated via standard toolsets and resources are actively managed to improve security and data protection services across the enterprise.
- Metric
- % Staff provided training on the need for and the use of data protection tools and aids.
- Practice
- Destroy or anonymize all personal data as soon as its retention is no longer necessary for the specified purposes.
- Outcome
- The specification, procurement, and management of data protection and security tools and resources are continuously reviewed and improved as necessary across the business ecosystem.
- Metric
- % tools that are benchmarked against data protection best practice.