Checklist retentie si stergere pentru fondatori si compliance leads

Retentia si stergerea functioneaza cel mai bine ca checklist. Echipa trebuie sa stie ce date personale exista, ce scop justifica pastrarea lor, ce eveniment porneste termenul, ce sistem executa stergerea sau anonimizarea, ce exceptii se aplica si ce dovada arata ca regula a fost urmata.

Scopul nu este un memo juridic perfect. Este un model operational pe care product, engineering, support, security, finance, legal si vendor owners il pot folosi inainte ca un customer review, audit, incident, launch sau cerere de stergere sa puna presiune.

1. Confirma categoriile si scopul

Listeaza customer account data, profiluri de utilizator, authentication, tichete support, billing, product analytics, security logs, marketing, HR, vendor contacts, exports, spreadsheets, warehouses si backups. Nu te opri la system of record: riscul este des in copii, loguri, atasamente si vendori.

Pentru fiecare categorie, scrie de ce compania inca are nevoie de ea: produs, contract, taxe, billing, fraud, security, audit, legal claims sau customer commitments. Daca scopul poate fi atins cu date anonimizate sau agregate, redu identificabilitatea. Asta se leaga de data minimisation.

2. Defineste trigger si actiune

Alege evenimentul initial: account deletion, contract termination, workspace closure, final invoice, ticket closure, lead inactivity, applicant rejection, offboarding, incident closure, legal hold release, vendor termination sau backup rotation.

Apoi defineste actiunea reala: hard deletion, soft deletion cu purge, anonimizare, pseudonimizare, suppression record, restricted archive, deletion request catre processor, backup expiry sau retentie sub exceptie documentata. Nu promite stergere instantanee din toate backupurile daca sistemul foloseste rotatie.

3. Atribuie owneri

Fiecare regula are nevoie de policy owner, system owner, execution owner, exception approver, legal sau privacy reviewer, evidence owner si uneori customer communication owner. Engineering poate executa, dar legal, finance, security, support si vendor management decid adesea scope si exceptii.

4. Documenteaza exceptiile

Exceptii comune includ taxe, accounting, payroll, warranty, contract performance, billing disputes, fraud prevention, security monitoring, incident response, legal holds, litigation, insurance, audit evidence si regulatory reporting.

Fiecare exceptie trebuie sa aiba date acoperite, motiv, approver, data de inceput, data de review, restrictie si release process. O exceptie fara review poate deveni retentie nedeterminata.

5. Pregateste cererile de stergere

Retentia de rutina nu este o cerere de stergere. Echipa trebuie sa recunoasca requests in support, sales, legal, privacy sau customer success, sa logheze deadline, sa verifice requesterul, sa identifice scope de account, workspace, sisteme, vendori si backups, sa decida ce sterge sau pastreaza, sa documenteze refuzuri partiale si sa pastreze completion evidence.

Conecteaza procesul la operatiuni DSAR.

6. Include vendori si dovezi

Retentia urmeaza datele catre processors. Intreaba ce date primeste vendorul, daca le stocheaza, logheaza, deriveaza sau exporta, ce subprocessors au acces, cum sunt configurate termenele, cum se declanseaza stergerea si ce dovezi furnizeaza.

Acest lucru se leaga de processor management si GDPR compliance planning. Pastreaza schedule, inventory, review ticket, loguri de stergere sau anonimizare, exception approvals, backup policy, vendor confirmation si reviews periodice.

Common mistakes

Cele mai comune greseli sunt schedule fara system mapping, promisiuni vagi de stergere, tratarea cererilor de stergere ca deletion de rutina, exceptii nedocumentate si uitarea copiilor la vendori.

FAQ

Ce ar trebui sa inteleaga echipele?

Cand se aplica retentia si stergerea, ce schimbari operationale cer si ce dovezi arata ca workflow-ul functioneaza.

De ce conteaza practic?

Influentaza riscul, customer trust, audit readiness, breach impact, erasure handling si acuratetea privacy commitments.

Care este cea mai mare greseala?

Tratarea retentiei si stergerii ca interpretare juridica unica, nu ca workflow repetabil cu owneri, triggers, evidence si escalare.

Sources

• European Union, General Data Protection Regulation.
• European Commission, For how long can data be kept and is it necessary to update it?
• European Commission, Do we always have to delete personal data if a person asks?
• European Commission, How much data can be collected?
• Information Commissioner's Office, Principle (e): Storage limitation.
• Information Commissioner's Office, Right to erasure.