SOC 2 P4.3: Privacy - Disposal of Personal Information

What This Control Requires

The entity securely disposes of personal information to meet the entity's objectives related to privacy. When personal information is no longer needed, it is disposed of in a manner that prevents unauthorized access or recovery.

In Plain Language

Deleting a database row is not the same as disposing of data. If someone with forensic tools or backup access could recover the information, you have not actually disposed of it. That distinction matters to auditors.

This control is about the how of data disposal. When personal information reaches the end of its retention period or a user requests deletion, the disposal method must prevent recovery. And it must cover every copy - production databases, caches, analytics systems, test environments, backups, and third-party services. Missing even one location means the data is not truly gone.

Auditors verify that you have defined secure disposal methods, that disposal addresses all copies across all systems, and that you can prove it with documentation. They also check how you handle individual deletion requests under GDPR and CCPA, including whether you meet the legally required timelines.

How to Implement

Define secure disposal methods for every storage type. For databases, delete with transaction logging and verification. For files, use secure delete utilities or an encrypt-then-delete approach. For physical media, follow NIST SP 800-88 guidelines. For cloud storage, use provider deletion APIs and verify removal from all replicas.

Address every copy of the data. When you delete personal information from production, also handle copies in staging and test environments, database replicas, caches and CDN edge locations, analytics and warehouse systems, email and collaboration tools, and any third-party services holding copies. Build a checklist per data type so nothing gets missed.

Verify that disposal is complete. After deletion, confirm the data is no longer accessible from any system. Run spot checks, query the relevant tables, and review audit logs. For physical media destruction, obtain and retain certificates of destruction.

Build a process for individual deletion requests. Under GDPR and CCPA, people have the right to request erasure of their data. Define clearly which systems are in scope, which data elements get deleted, what the timeline is, what exceptions apply (legal holds, regulatory requirements), and how you confirm completion to the individual.

Handle third-party disposal. When you terminate a vendor relationship or when a vendor holds data that should be destroyed, your contracts need to require certified destruction. Get written confirmation and verify where possible.

Keep disposal records. Document what was disposed of, when, using what method, from which systems, and who performed or verified the action. These logs are essential audit evidence and help you respond to data subject enquiries about whether their information has been removed.

Evidence Your Auditor Will Request

  • Secure disposal procedures for personal information across all storage types and media
  • Disposal verification records confirming data removal from all systems and locations
  • Data subject deletion request handling process and records of completed requests
  • Vendor data destruction certifications for terminated relationships
  • Disposal activity logs documenting what was disposed of, when, how, and by whom

Common Mistakes

  • Personal data is deleted from production but persists in test environments, caches, or analytics systems
  • Deletion requests from data subjects are not tracked or completed within required timeframes
  • Disposal methods are insufficient to prevent data recovery from storage media
  • No verification process confirms that disposal is complete across all systems
  • Third-party vendors are not required to certify destruction of personal data upon contract termination

Related Controls Across Frameworks

Framework    Control ID   Relationship
ISO 27001    A.8.10       Equivalent
ISO 27001    A.7.14       Related
NIST CSF     PR.DS-11     Related

Frequently Asked Questions

How do we handle deletion requests when data exists in many systems?
Start with a data map that shows every system holding personal information for a given individual. When a deletion request comes in, use that map to trigger deletion across all systems. Build a tracking mechanism that confirms completion from each one. Automate with API-based deletion cascades where you can. For systems where immediate deletion is impractical (like backups), document the exception and the timeline for when the data will be purged.
Can we anonymize data instead of deleting it?
Yes, and it is a perfectly valid approach under most privacy regulations - as long as the anonymization is genuinely irreversible. The key test: could someone re-identify individuals by combining the anonymized data with other sources? If properly anonymized, the data is no longer personal information and falls outside privacy requirements. Use robust techniques and validate that re-identification is not feasible.
What is our timeline obligation for deletion requests?
Under GDPR, you must respond within one month (extendable by two months for complex cases). Under CCPA, you have 45 business days (extendable by another 45). Set your internal targets to meet the most stringent applicable requirement. Acknowledge receipt promptly and communicate the expected completion date. Auditors will check whether you actually meet these timelines, not just whether you have them documented.
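The deletion cascade described in the implementation steps above and in the first FAQ answer, as an added example that is not AuditFront's code or a product feature: a data map drives deletion across every in-scope system, verifies removal after each delete, records the backup exception with its purge deadline, honours legal holds, and emits the disposal records (what, where, when, how, by whom) an auditor asks for. System names, disposal methods and the in-memory stores are constructed stand-ins for real deletion APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class DisposalRecord:
    """One audit-log entry: what was disposed of, from where, when, how and by whom."""
    subject_id: str
    system: str
    outcome: str        # deleted | verification-failed | deferred | legal-hold
    method: str
    performed_by: str
    timestamp: str
    note: str = ""

# Constructed data map: each system holding personal data, its disposal method, and whether removal is immediate or deferred to backup rotation.
DATA_MAP = {
    "production_db": {"method": "sql-delete-with-txlog", "immediate": True},
    "redis_cache":   {"method": "key-eviction",          "immediate": True},
    "analytics_wh":  {"method": "vendor-delete-api",     "immediate": True},
    "backups":       {"method": "snapshot-rotation",     "immediate": False, "purge_days": 30},
}

def make_sample_stores():
    """Constructed in-memory stand-ins for the real systems named in DATA_MAP."""
    return {name: {"u42": f"pii-in-{name}", "u7": f"pii-in-{name}"} for name in DATA_MAP}

def process_deletion_request(subject_id, operator, stores, legal_hold=False, now=None):
    """Cascade one erasure request across the data map and return the disposal log."""
    now = now or datetime.now(timezone.utc)
    records = []
    for system, spec in DATA_MAP.items():
        stamp = now.isoformat()
        if legal_hold:  # documented exception: nothing is removed while a hold applies
            records.append(DisposalRecord(subject_id, system, "legal-hold", spec["method"],
                                          operator, stamp, "retained under legal hold"))
            continue
        if not spec["immediate"]:  # backups: record the exception and the purge deadline
            purge_by = (now + timedelta(days=spec["purge_days"])).date().isoformat()
            records.append(DisposalRecord(subject_id, system, "deferred", spec["method"],
                                          operator, stamp, f"purge by {purge_by}"))
            continue
        stores[system].pop(subject_id, None)
        # Verify after deleting: the subject must no longer be retrievable from this system.
        outcome = "deleted" if subject_id not in stores[system] else "verification-failed"
        records.append(DisposalRecord(subject_id, system, outcome, spec["method"], operator, stamp))
    return records

def request_is_closed(records):
    """Close the request only when every in-scope system is deleted or carries a documented exception."""
    return bool(records) and all(r.outcome in ("deleted", "deferred", "legal-hold") for r in records)
```

The returned records are the disposal log to retain as evidence; a request with any verification-failed entry must stay open until that system is re-checked.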
