Data Retention & Destruction Policy
Sunshine Bouquet
Last Updated: 01/11/2024
Policy Contact: Brian Stacy
1: Purpose
Keeping data stored indefinitely sounds responsible, but actually creates security issues and can violate laws and compliance requirements. This Data Retention and Destruction Policy takes into consideration the laws and regulations that affect our organization and outlines the guidelines we will follow for the retention and destruction of data to best maintain the security and confidentiality of sensitive data. To meet our data retention and destruction goals, we will classify all data based on its sensitivity level and determine the appropriate retention period for each type of data. For a more detailed description of our standards, see our Data Classification Policy.
2: Data Retention
2.1: Personally Identifiable Information (PII)
Personally Identifiable Information (PII) collected by our organization will be retained for no longer than 30 days, or as required by applicable laws and regulations.
2.2: Financial Information
Financial information, including transaction records and account information, will be retained for a minimum of 7 years, or as required by applicable laws and regulations.
2.3: Business Records
Business records, such as information security records, contracts, agreements, and corporate documents, will be retained for a minimum of 7 years, or as required by applicable laws and regulations.
2.4: Marketing Data
Marketing data, including customer preferences and unidentifiable customer behavior, but excluding PII, will be retained for a maximum of 3 years, or until the customer requests their data be deleted.
2.5: Employee Records
Employee records, including payroll and HR data, will be retained for a minimum of 7 years, or as required by applicable laws and regulations.
3: Data Destruction
3.1: Securely destroy all data no longer required
We will securely destroy all data that is no longer required for business or legal purposes.
3.2: Destruction method determined by data classification
We will determine the appropriate destruction method for all data based on its data classification.
3.3: Prevent unauthorized access or disclosure
We will ensure that all data is destroyed in a manner that prevents unauthorized access or disclosure.
3.4: Maintain records
We will maintain records of all data destruction activities, including the date, method, and the reason for destruction.
4: Data Destruction Methods
4.1: Physical Destruction
Data will be securely destroyed using shredding, incineration, or other physical destruction methods.
4.2: Digital Destruction
Digital data will be securely deleted using data wiping methods that meet industry standards.
4.3: Third-Party Vendors
If third-party vendors are utilized for data destruction, the vendor must provide written certification that the data has been securely destroyed.
5: Conclusion
Ensuring that all sensitive data is retained in a compliant manner is a key component of our data protection strategy. Ensuring that sensitive data is securely destroyed when it is no longer needed is a key component of our data security strategy. We will review our data destruction policy annually and adjust it as necessary to comply with legal and regulatory requirements.