SOC 2 Disposing Personal Information (P4.3)
Overview:
The entity securely disposes of personal information to meet the entity’s objectives related to privacy.
Action Items:
1) Create a data retention and disposal policy and related procedures and publish on the company intranet for employees to access and review.
2) Inspect the data retention and disposal policy to determine that documented data retention and disposal policies are in place to guide personnel on the procedures for retention and disposal of confidential information.
3) Observe the user account portal, as applicable to the entity, to determine that the user account interface includes the ability to dispose of account data.
Related Documents:
1) Data retention and disposal policy
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Captures, Identifies, and Flags Requests for Deletion—Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity's objectives related to privacy.
2) Disposes of, Destroys, and Redacts Personal Information—Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.
3) Destroys Personal Information—Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction.