Does SOC 2 demand deletion of your old data?
In our work at Opus Guard, we frequently have discussions with customers about the frameworks they are compliant with, that also have data retention and and data deletion requirements. While it’s easy to understand how ISO 27001 now requires this, SOC 2 frequently comes up with a related question: does data retention and deletion matter to compliance with SOC 2?
In short, yes. The SOC 2 Trust Services Criteria clearly express data retention requirements, and a need to appropriately delete older information as it ages out of the organization’s retention policy. While the criteria themselves do not explicitly mandate how or when data should be destroyed, they emphasize the importance of data retention management, including the secure disposal of data that is no longer needed. This is somewhat distinct from SOC 2 log retention requirements–we'll treat those in a separate post in future.
A thoughtful approach: archive before you delete
One best practice that can ease the transition between data retention and deletion requirements, is to archive older data as a first step. Archiving involves moving data that is no longer actively used into a secure, read-only storage environment. This not only ensures that valuable historical information is preserved for audit or compliance purposes but also reduces the risk of accidentally deleting data that might be needed in the future. Once data has been archived and thoroughly reviewed, it can then be deleted and finally securely purged in line with your retention policy. This layered approach aligns well with SOC 2 principles, offering an extra measure of control and documentation.
A quick primer on SOC 2: the what and who
SOC 2 (System and Organization Controls 2) is a compliance framework designed to help businesses manage and protect sensitive customer data. It evaluates the effectiveness of an organization's internal controls related to five key areas, known as the Trust Services Criteria (TSCs): security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are essential for organizations, particularly those that handle cloud-based data, as they demonstrate a commitment to safeguarding customer information. Many prospects want to see an organizations SOC 2 report before considering becoming a customer.
SOC2 is developed and maintained by the American Institute of Certified Public Accountants (AICPA). The AICPA established SOC 2, including the TSCs ↗️, to standardize and assess how companies manage data in compliance with best practices for data security and privacy.
Here’s how the relevant Trust Services Criteria impact your choices around retention and data destruction:
1. Security Principle
The security principle is widely included in almost all SOC 2 reports ↗️. Under the Security principle, SOC 2 expects businesses to protect information from unauthorized access and safeguard it throughout its lifecycle. This includes ensuring that data disposal processes are secure. The destruction of data that has aged out of the retention policy should be handled with the same level of security applied during its retention period.
Proper data destruction methods include:
- Data wiping (or purging) for digital information, where data is securely purged to prevent recovery.
- Shredding for physical records, ensuring that paper documents are irrecoverable.
2. Confidentiality and Privacy Principles
The Confidentiality and Privacy principles require businesses to ensure that sensitive or personal data is only retained as long as it serves its intended purpose. And the Confidentiality principle is included is most SOC 2 reports as well. Once data is no longer needed for legal, operational, or business reasons, it should be securely deleted or destroyed to prevent unauthorized access or misuse.
Retaining outdated data can lead to privacy violations or confidentiality breaches, especially if data that should have been destroyed is exposed in a security incident. Therefore, SOC 2 emphasizes the importance of having a process in place to securely destroy aged-out data.
3. Compliance and Control Requirements
SOC 2 audits often look for documented policies and controls related to data retention and destruction. Auditors expect businesses to have defined procedures for how they handle information as it ages, including secure disposal practices. Failing to properly destroy data can lead to compliance issues, especially if the company cannot demonstrate that sensitive data is no longer retained after its intended use period.
How businesses should handle archiving, retention, and deletion
To comply with SOC 2, businesses should:
- Establish Clear Data Disposal Policies: Data retention policies should specify how and when data will be moved to an archive, as well as how and when it will be destroyed after its retention period expires.
- Implement Secure Archiving: Use secure, access-controlled storage for archived data. This not only preserves historical information but also serves as a checkpoint to ensure that data is only permanently deleted when appropriate.
- Automate Retention and Deletion: AAutomated systems can help enforce the schedule for moving data to an archive and, eventually for deletion. This minimizes human error and ensures that the data lifecycle is managed consistently.
- Use Secure Destruction Methods: Whether it's digital data (which requires permanent deletion or purging) or physical data (which needs shredding or other secure methods), ensuring proper destruction methods is key.
- Document Everything: Keep comprehensive records of when data was archived and when it was eventually deleted. This documentation is critical for demonstrating compliance with SOC 2 requirements.
For example, Atlassian customers can benefit from tools like Content Retention Manager for Confluence and Content Retention Manager for Jira, which facilitate retention policies and routine deletion with a compliant audit trail. Combined with Confluence's Content Manager and Automation Rules in both products for archiving, these can be configured to archive data first, ensuring that deletion occurs only after an appropriate review by space and project admins.
So in summary, the SOC 2 TSCs clearly lay out data retention requirements and the need for automated routine deletion of old information and employee content. SOC 2 does generally expect businesses to securely destroy data that is no longer needed, as part of maintaining compliance with the confidentiality, privacy, and security principles; and such compliance an organization will show up in a SOC 2 Type II audit report.
Try Content Retention Manager for free today: