Building a Compliance Framework

Define Retention and Deletion Rules

Retention and deletion rules ensure personal data is only kept for as long as it is necessary and is permanently removed when no longer needed. Both GDPR and CPRA require companies to define these periods clearly and enforce them consistently across all systems.

Setting Retention Periods

Decide how long each category of data should be stored.

  • Keep only what is required for the purpose collected.

  • Align retention with legal obligations (e.g., tax or employment records).

  • Define shorter periods for sensitive or high-risk data.

Automating Deletion

Build processes that remove or anonymize data once the retention period expires.

  • Use scheduled jobs or TTL (time-to-live) fields in databases.

  • Cascade deletions across backups, logs, and replicas.

  • Ensure deletion applies to both production and test environments.

Handling User Requests

Support the right to erasure under GDPR and deletion requests under CPRA.

  • Allow users to request deletion via APIs or account settings.

  • Verify identity before processing.

  • Provide confirmation once data is deleted.

Documentation and Policy

Make retention and deletion policies transparent and auditable.

  • Publish retention practices in your privacy policy.

  • Keep internal documentation of rules per data type.

  • Review rules regularly to reflect evolving business needs.

Example: Customer Support Tickets

A company may keep support tickets for 18 months to resolve disputes. After this period, tickets are automatically purged from the database and backups, ensuring no personal data lingers longer than necessary.

Implementing Retention and Deletion in Practice

Here are simple ways developers can enforce retention and deletion across common systems:

PostgreSQL scheduled purge (run the statement on a schedule, e.g. from cron or the pg_cron extension):

```sql
-- Purge support tickets older than the 18-month retention period.
DELETE FROM support_tickets
WHERE created_at < NOW() - INTERVAL '18 months';
```

MongoDB TTL index (documents are removed by the background TTL monitor once createdAt is older than expireAfterSeconds):

```js
// 18 months approximated as 18 x 30 days = 540 days; the S3 rule below
// uses 548 days, so pick one definition of "18 months" and apply it everywhere.
db.support_tickets.createIndex(
  { createdAt: 1 },
  { expireAfterSeconds: 18 * 30 * 24 * 60 * 60 }
);
```

S3 lifecycle policy (on a versioned bucket, Expiration only adds a delete marker; add a NoncurrentVersionExpiration rule so old versions are removed as well):

```json
{
  "Rules": [
    {
      "ID": "Purge-logs-18m",
      "Status": "Enabled",
      "Filter": { "Prefix": "logs/" },
      "Expiration": { "Days": 548 }
    }
  ]
}
```
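
Putting the earlier sections together, here is an added example (not code from the original page) of a retention check that applies a per-category schedule and, on expiry, either deletes a record or anonymizes it by blanking personal fields so non-personal business data can be kept. The rule table, field names and sample records are constructed for illustration; records whose category has no rule are flagged rather than silently kept forever.

```python
from datetime import datetime, timedelta, timezone

# Constructed retention schedule keyed by data category (illustrative values).
# "anonymize" keeps the record for legal obligations but strips personal fields.
RETENTION_RULES = {
    "support_ticket": {"days": 548, "action": "delete"},  # ~18 months
    "access_log": {"days": 90, "action": "delete"},
    "order": {"days": 7 * 365, "action": "anonymize"},  # e.g. tax records
}
PII_FIELDS = ("email", "name", "ip")  # fields treated as personal data here

def anonymize(record):
    """Return a copy with personal fields blanked and the rest untouched."""
    out = dict(record)
    for f in PII_FIELDS:
        if f in out:
            out[f] = None
    out["anonymized"] = True
    return out

def apply_retention(records, now, rules=RETENTION_RULES):
    """Partition records into keep / delete / anonymize by category rule."""
    result = {"keep": [], "delete": [], "anonymize": [], "unclassified": []}
    for r in records:
        rule = rules.get(r["category"])
        if rule is None:
            # No rule: keep, but report it so the gap cannot silently mean "forever".
            result["unclassified"].append(r["id"])
            result["keep"].append(r)
            continue
        expires_at = r["created_at"] + timedelta(days=rule["days"])
        if now < expires_at:
            result["keep"].append(r)
        elif rule["action"] == "delete":
            result["delete"].append(r["id"])
        else:
            result["anonymize"].append(anonymize(r))
    return result

# Constructed sample data: the run date and five records of mixed age.
UTC = timezone.utc
NOW = datetime(2025, 1, 1, tzinfo=UTC)
SAMPLE_RECORDS = [
    {"id": 1, "category": "support_ticket", "created_at": datetime(2023, 1, 1, tzinfo=UTC), "email": "a@example.com"},
    {"id": 2, "category": "support_ticket", "created_at": datetime(2024, 9, 1, tzinfo=UTC), "email": "b@example.com"},
    {"id": 3, "category": "order", "created_at": datetime(2015, 1, 1, tzinfo=UTC), "email": "c@example.com", "total": 42.0},
    {"id": 4, "category": "access_log", "created_at": datetime(2024, 10, 1, tzinfo=UTC), "ip": "203.0.113.7"},
    {"id": 5, "category": "chat_transcript", "created_at": datetime(2020, 1, 1, tzinfo=UTC), "name": "D"},
]
OUTCOME = apply_retention(SAMPLE_RECORDS, NOW)  # delete [1, 4], anonymize id 3, unclassified [5]
```

In a real deployment the "delete" and "anonymize" lists would drive the database, backup and replica operations described above, and the "unclassified" list would be surfaced as an alert to whoever owns the retention schedule.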

Conclusion

These examples show how retention and deletion can be enforced directly in code and infrastructure, giving teams a clear, automated way to align technical systems with compliance policies and reduce the risk of data lingering beyond its intended purpose.