
Does SOC 2 demand deletion of your old data?

In our work at Opus Guard, we frequently talk with customers about the compliance frameworks they follow that also require retention management and data deletion. While it’s easy to understand how ISO 27001 does this, SOC 2 frequently prompts a related question: do retention and deletion matter for SOC 2 compliance?

In short, yes. The SOC 2 Trust Services Criteria clearly express the need to appropriately destroy information as it ages out of the organization’s retention policy. While the criteria themselves do not explicitly mandate how or when data should be destroyed, they emphasize the importance of data retention management, including the secure disposal of data that is no longer needed.

A quick primer on SOC 2: the what and who

SOC 2 (System and Organization Controls 2) is a compliance framework designed to help businesses manage and protect sensitive customer data. It evaluates the effectiveness of an organization's internal controls related to five key areas, known as the Trust Services Criteria (TSCs): security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are essential for organizations, particularly those that handle cloud-based data, as they demonstrate a commitment to safeguarding customer information. Many prospects want to see an organization's SOC 2 report before considering becoming a customer.

SOC 2 is developed and maintained by the American Institute of Certified Public Accountants (AICPA). The AICPA established SOC 2, including the TSCs, to standardize and assess how companies manage data in compliance with best practices for data security and privacy.

Here’s how the relevant Trust Services Criteria impact your choices around retention and data destruction:

1. Security Principle

The Security principle is included in almost all SOC 2 reports. Under the Security principle, SOC 2 expects businesses to protect information from unauthorized access and safeguard it throughout its lifecycle. This includes ensuring that data disposal processes are secure. The destruction of data that has aged out of the retention policy should be handled with the same level of security applied during its retention period.

Proper data destruction methods include:

  • Data wiping (or purging) for digital information, where data is securely purged to prevent recovery.
  • Shredding for physical records, ensuring that paper documents are irrecoverable.

2. Confidentiality and Privacy Principles

The Confidentiality and Privacy principles require businesses to ensure that sensitive or personal data is only retained as long as it serves its intended purpose. The Confidentiality principle is included in most SOC 2 reports as well. Once data is no longer needed for legal, operational, or business reasons, it should be securely deleted or destroyed to prevent unauthorized access or misuse.

Retaining outdated data can lead to privacy violations or confidentiality breaches, especially if data that should have been destroyed is exposed in a security incident. Therefore, SOC 2 emphasizes the importance of having a process in place to securely destroy aged-out data.

3. Compliance and Control Requirements

SOC 2 audits often look for documented policies and controls related to data retention and destruction. Auditors expect businesses to have defined procedures for how they handle information as it ages, including secure disposal practices. Failing to properly destroy data can lead to compliance issues, especially if the company cannot demonstrate that sensitive data is no longer retained after its intended use period.

How Businesses Should Handle Data Destruction:

To comply with SOC 2, businesses should:

  • Establish Clear Data Disposal Policies: Data retention policies should specify how and when data will be destroyed after its retention period expires.
  • Use Secure Destruction Methods: Whether it's digital data (which requires permanent deletion or purging) or physical data (which needs shredding or other secure methods), ensuring proper destruction methods is key.
  • Automate Data Destruction: Automated systems can ensure that data is deleted according to the retention schedule, reducing the risk of human error.
  • Document Destruction Practices: For compliance purposes, it is essential to keep records of what data was destroyed and when, to demonstrate adherence to the policy.

Given that the SOC 2 TSCs strongly suggest automated routine deletion of old information and employee content, Atlassian customers should look into tools like Content Retention Manager for Confluence and Content Retention Manager for Jira. These apps facilitate routine deletion with a compliant audit trail of all policies and actions. This helps avoid employee mistakes while demonstrating increased compliance with the framework, and it proves during any future eDiscovery that deletion is routine and automated.

So, in summary: yes, SOC 2 does expect businesses to securely destroy data that is no longer needed, as part of maintaining compliance with the confidentiality, privacy, and security principles.
