PRI-05: Personal Data (PD) Retention & Disposal

PRI-05 · Personal Data (PD) Retention & Disposal

Control Description

Mechanisms exist to: (1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law; (2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and (3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).

Control Question

Assessment question for control validation

Does the organization: (1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law; (2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and (3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records)?

Control Weighting

Validation Cadence

Annual

NIST CSF Function

Identify

Supply Chain Risk Management (SCRM) Tiers

Applicable SCRM tier levels for this control

Tier 2 - Operational

Tier 3 - Tactical

Core Control Designations

Special designations and baseline inclusions

MAD: PRI-05

ESP Level 1: PRI-05

ESP Level 2: PRI-05

ESP Level 3: PRI-05

AI Model: PRI-05