Overview
Upon request, Findem is able to set up data retention workflows and settings for your org's Findem instance. During your implementation, our team will ask if your org wants to set up any data retention policies. We can also build custom modals and set up automation. Note that there is no existing menu or interface where customers can go to set up automation for data retention, but we create custom automations on demand.
For more information on setting up your org's retention policies, contact your Findem account rep. Existing customers that need help processing a one-time candidate data removal request can contact privacy@findem.ai for assistance.
What Can Findem's Custom Data Retention Policies Do?
Findem's custom data retention policies are designed to ensure your organization adheres to all applicable legal and regulatory requirements concerning data privacy and protection. The system automates the enforcement of compliance policies across various regions and accounts, ensuring that user data is managed in accordance with applicable laws. This system is crucial for organizations operating in multiple jurisdictions with varying compliance requirements.
In short, data retention policies can help you guarantee candidate data is removed in a timely manner according to any rules and regulations put in place.
Policies
Compliance policies are the central components that define the rules and scopes of data management and protection. For example, an employer might set up a policy with the following guidelines:
- By default data must be purged if no marketing consent is given within 90 days and data must be purged within 5 days upon a user’s request.
- In the European Union, excluding Belgium, the policy requires data to be purged if no marketing consent is given within 60 days
Each policy includes:
- Rules: Define the actions to be taken to ensure compliance, such as data purging timelines
- Scope: Specifies the geographical extent of the policy's application, such as specific countries, regions, accounts, or globally
Rules
Rules are specific compliance requirements within a policy. The primary types of rules are:
- No consent rule: Requires data to be purged if no consent is provided within a specified number of days. This rule ensures that personal data is not retained indefinitely without user consent, helping organizations comply with data protection laws
- Purge request rule: Mandates data purging upon a user’s request within a defined timeline. This rule gives users control over their data, allowing them to request the deletion of their personal information at any time. (Note: This rule is currently not supported but is planned for future implementation)
Scopes
Scopes determine where and how policies apply in the context of geographical locations:
- Country: Policies that apply to data within specified countries
- Region: Policies that apply to data within specified regions. These can include or exclude specific countries within those regions
- Account: Policies that apply to data that doesn't match any of the country or region policies, acting as a default policy for specific accounts or customers
- Global: Policies that apply when there is no match for data at the country, region, or account level, acting as a universal fallback policy
Purge Grace Period
Per request, we can incorporate a purge grace period before the actual purging of data occurs. This buffer time allows customers to rectify consent status or take necessary actions before data is permanently deleted, and serves as a safeguard against accidental or premature data deletion. By providing this grace period, the system helps maintain a balance between enforcing compliance measures and offering operational flexibility, thereby reducing the risk of data loss due to delayed consent actions.
Minimum Required Settings
These settings define overarching rules and region mappings that provide a unified compliance framework across all policies.
- Rules: These are the global policies that apply universally across the organization when no other specific country, region, or account policies match. They ensure that there is always a fallback compliance measure in place
- Regions: Definitions of regions and their respective countries. This is necessary to group countries into regions for applying region-specific policies. For example, a policy might apply to the "EU" region, which includes all European Union countries. The list of countries in each region is maintained in the database, making it easy to add or modify region definitions without requiring code changes
How Does Evaluation Work?
The custom-built evaluation mechanism continuously monitors and evaluates user profiles against defined compliance policies. The process begins by identifying the relevant account and retrieving the associated compliance policies. These policies, which include specific rules and scopes, dictate how data should be handled based on geographical locations and account-specific settings.
For each candidate profile, the system gathers compliance-related information and applies the relevant policies. This information is collected from the customer’s sandbox as follows:
- Marketing consent status: The system records if the candidate has provided marketing consent as well as the date of consent.
- Data retention duration: The system calculates how long the data has been held by comparing the current date to the records when the data was first collected
- Geographical location: The candidate's location is assessed by looking at the country field in the profile data
The mechanism then checks if the profiles meet the consent requirements. If a profile does not meet the consent criteria within the specified timeframe, the system marks the data for deletion, applying the defined purge grace period to provide a buffer time for your users to rectify consent status before the data is permanently deleted. Future enhancements will also manage purge requests from users, further ensuring compliance.
The evaluation mechanism ensures that the most specific policies (such as country or region-specific) are applied first, followed by broader account or global policies. This hierarchical approach ensures that all applicable legal and regulatory requirements are met accurately.
Throughout this process, the system maintains checkpoints to track progress and ensure continuous monitoring. This automated approach enables organizations to stay compliant with varying data protection laws across different regions and accounts, ensuring user data is handled responsibly and legally.
Precedence
Policies are evaluated in a hierarchical order to ensure proper application:
- Country: Policies specific to individual countries
- Region: Policies that apply to regions, with possible country exclusions
- Account: Default policies for data that doesn't match any country or region policies
- Global: Universal fallback policies applied when no other policies match
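The precedence order and the no consent rule can be sketched as follows. This is an added example, not Findem's code: the `Policy` fields, the region map, the function names and the way the grace period is added to the purge date are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed region map (abbreviated); the page keeps region definitions in a database.
REGIONS = {"EU": {"DE", "FR", "BE", "NL"}}
PRECEDENCE = ["country", "region", "account", "global"]  # most specific first

@dataclass(frozen=True)
class Policy:
    scope: str                        # one of PRECEDENCE
    no_consent_days: int              # window of the "no consent rule"
    target: Optional[str] = None      # country code, region name or account id
    exclude: frozenset = frozenset()  # countries carved out of a region scope

# Constructed policies mirroring the page's example: 90 days by default,
# 60 days in the European Union excluding Belgium.
POLICIES = [
    Policy("global", 90),
    Policy("region", 60, "EU", frozenset({"BE"})),
]

def matches(p: Policy, country: Optional[str], account: str) -> bool:
    if p.scope == "country":
        return p.target == country
    if p.scope == "region":
        return country in REGIONS.get(p.target, set()) and country not in p.exclude
    if p.scope == "account":
        return p.target == account
    return True  # a global policy matches every profile

def resolve(policies, country, account) -> Optional[Policy]:
    """Return the most specific matching policy, or None when nothing matches."""
    for scope in PRECEDENCE:
        for p in policies:
            if p.scope == scope and matches(p, country, account):
                return p
    return None

def purge_date(policies, country, account, collected: date, consented: bool, grace_days=0):
    """Date the profile would be purged, or None when marketing consent exists."""
    if consented:
        return None
    p = resolve(policies, country, account)
    if p is None:  # no global fallback configured: fail loudly, never retain silently
        raise LookupError("no policy matched; a global fallback is required")
    return collected + timedelta(days=p.no_consent_days + grace_days)
```

A Belgian profile is excluded from the EU policy and falls through to the 90-day default, and a policy set without a global entry raises an error rather than leaving a profile unevaluated.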