Gregory's Server@Em0nM4stodon That kinda depends on the kind of business. The US Banking Secrecy Act requires all companies dealing with the transfer of money to keep PII for seven years. A similar law in the EU requires it be kept for 10 years, and Australia requires 99 years. In the US, PHI has to be kept for 6 years.
|
3 comments
 @Em0nM4stodon @Loucovey This is where security challenges and records management challenges overlap on the Venn diagram. But data minimization is a good principle for addressing both. |
@Loucovey
Indeed. This means that this data is still needed for 7 years. But it also means it can (and should) be deleted once it is no longer required to be retained.
For example, if the data is no longer needed, it should then be thoroughly deleted as soon as the legal retention period is over. Whether it is 7 years + 1 day, or 10 years + 1 day, or 99 years + 1 day.