DATA SAFETY DELETE POLICY

1. Purpose

This policy ensures that all personal and sensitive data is deleted securely and irreversibly when it is no longer required for business, legal, or regulatory purposes.

2. Scope

Applies to all employees, contractors, and systems handling sensitive, confidential, or personally identifiable information (PII) across all departments and third-party vendors.

3. Data Types Covered

• Personally Identifiable Information (PII)
• Payment data (PCI)
• Company confidential data
• Customer and employee records
• System logs and backup data

4. Deletion Methods

Data must be deleted using the following secure methods, depending on the storage medium:

• Digital Storage (e.g., SSDs, HDDs):
  • Overwriting data using secure erase tools (e.g., DoD 5220.22-M)
  • Cryptographic erasure
  • File shredding software

• Physical Media (e.g., USBs, DVDs):
  • Degaussing
  • Physical destruction (shredding, pulverizing)

5. Retention and Deletion Timeline

Data will be retained only for the duration required by business or legal standards, and then deleted according to:

• Legal/Regulatory obligations (e.g., 7 years for financial records)
• Contractual requirements
• Internal data retention schedules

6. Deletion Process

• Identify data for deletion.
• Verify no further retention obligations exist.
• Use approved deletion methods.
• Log the deletion activity (who, when, what).
• Conduct periodic audits to ensure compliance.

7. Exceptions

Data deletion may be delayed if:

• It’s under legal hold or investigation.
• Required by contractual or regulatory mandates.

8. Responsibilities

• IT Department: Execute and monitor data deletion processes.
• Data Protection Officer (DPO): Approve exceptions and ensure policy compliance.
• Employees: Report obsolete data and follow deletion protocols.

9. Policy Review

This policy is reviewed annually or when changes to data protection laws require updates.