Information Deletion
Description
Information stored in information systems, devices, or in any other storage media shall be deleted when no longer required.
⚠️ Risk Impact
Data retained beyond business necessity is data still at risk. GDPR Article 17 right to erasure makes this a regulatory obligation; data hoarding is increasingly liability rather than asset.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
Apply lifecycle policies on storage. Document retention periods per data category. Automate deletion. Use cryptographic erasure for encrypted-at-rest data. Verify deletion (not just 'soft delete').
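The remediation above names four mechanisms: a documented retention period per data category, automated deletion, cryptographic erasure for encrypted-at-rest data, and verification that deletion actually happened. The following is an added example (not EchelonGraph code) that puts them together in the standard library only: a retention evaluator that flags over-retained records, soft deletes with no purge, and backups out of sync with primary, plus a per-category key store where destroying the key is the erasure step and verification is done by attempting recovery. The categories, retention periods, records and the HMAC-based keystream cipher (a stand-in for a real AEAD such as AES-GCM) are all assumptions constructed for illustration.

```python
"""Constructed example: retention-policy evaluation plus key-destruction (cryptographic)
erasure with a verification step. Categories, periods and records are invented."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule, in days per data category (illustrative, not a legal standard).
RETENTION_DAYS = {"payment": 3 * 365, "marketing": 180, "support": 365}
PURGE_GRACE_DAYS = 30  # a soft delete must be followed by a physical purge within this window
AS_OF = date(2025, 1, 1)  # evaluation date used by the sample run below


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    soft_deleted: date | None = None  # date the record was marked deleted, if any
    purged: bool = False              # True only once the bytes are gone from primary storage
    backup_copies: int = 0            # copies still present in backups after the purge


def evaluate(records: list[Record], today: date) -> list[tuple[str, str]]:
    """Return (record_id, finding) pairs for every retention-policy violation."""
    findings = []
    for r in records:
        limit = RETENTION_DAYS.get(r.category)
        if limit is None:
            findings.append((r.record_id, "no documented retention period"))
            continue
        expiry = r.created + timedelta(days=limit)
        if today > expiry and not r.purged:
            findings.append((r.record_id, f"retained past {expiry.isoformat()}"))
        if r.soft_deleted and not r.purged and (today - r.soft_deleted).days > PURGE_GRACE_DAYS:
            findings.append((r.record_id, "soft-deleted with no purge"))
        if r.purged and r.backup_copies > 0:
            findings.append((r.record_id, f"purged from primary, {r.backup_copies} backup copies remain"))
    return findings


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream XORed over data: a stand-in for a real AEAD such as
    AES-GCM so that this example needs only the standard library."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedStore:
    """Encrypted-at-rest store with one data key per category. Destroying a category's key
    is the cryptographic-erasure step: any surviving ciphertext (backups included) becomes
    unrecoverable without locating and overwriting every copy."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._blobs: dict[str, tuple[str, bytes, bytes]] = {}

    def put(self, record_id: str, category: str, plaintext: bytes) -> None:
        key = self._keys.setdefault(category, os.urandom(32))
        nonce = os.urandom(16)
        self._blobs[record_id] = (category, nonce, _keystream_xor(key, nonce, plaintext))

    def get(self, record_id: str) -> bytes:
        category, nonce, ciphertext = self._blobs[record_id]
        key = self._keys.get(category)
        if key is None:
            raise KeyError(f"data key for {category!r} destroyed; record is cryptographically erased")
        return _keystream_xor(key, nonce, ciphertext)

    def crypto_erase(self, category: str) -> None:
        self._keys.pop(category, None)

    def verify_erased(self, record_id: str) -> bool:
        """Verify deletion by attempting recovery rather than trusting a 'deleted' flag."""
        try:
            self.get(record_id)
        except KeyError:  # blob gone or its key destroyed
            return True
        return False


def sample_records() -> list[Record]:
    """Constructed records, one per pitfall from the control page."""
    return [
        Record("pay-1", "payment", date(2021, 6, 1)),                                   # over-retained
        Record("pay-2", "payment", date(2023, 6, 1)),                                   # within period
        Record("mkt-1", "marketing", date(2024, 10, 1), soft_deleted=date(2024, 10, 15)),  # no purge
        Record("sup-1", "support", date(2023, 1, 1), purged=True, backup_copies=2),     # backups lag
        Record("log-1", "telemetry", date(2024, 12, 1)),                                # undocumented
    ]


if __name__ == "__main__":
    for rid, finding in evaluate(sample_records(), AS_OF):
        print(f"{rid}: {finding}")
    store = EncryptedStore()
    store.put("pay-1", "payment", b"card-token-0001")
    store.crypto_erase("payment")
    print("pay-1 erased:", store.verify_erased("pay-1"))
```

In a real deployment the `evaluate` loop would be fed from storage inventory and backup catalogues rather than an in-memory list, and the key store would be a KMS whose key-destruction event is itself logged, so that the audit answer to "how is deletion verified?" is a recovery attempt that fails plus a record of the key being destroyed.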
💀 Real-World Attack Scenario
An e-commerce company retained customer payment data 'in case of dispute' for 7 years (statutory was 3). A breach exposed all 7 years of data. GDPR enforcement: violation of Article 5 storage-limitation principle + Article 17 right to erasure. Penalty: €4.5M (over-retention specifically called out).
💰 Cost of Non-Compliance
GDPR Article 17 violations: avg €2.5M (CNIL 2024). Over-retention as breach-amplifier: increases breach scope 2-3× when older data is included.
📋 Audit Questions
1. What are the retention periods per data category?
2. How is deletion automated?
3. Is cryptographic erasure used?
4. How is deletion verified?
⚡ Common Pitfalls
- ⛔ Retention 'just to be safe' is actually liability
- ⛔ Soft delete with no purge schedule
- ⛔ Backup retention out of sync with primary
📈 Business Value
Minimised data retention reduces breach scope + regulatory exposure.
⏱️ Effort Estimate
20-40 hours retention policy + lifecycle rule deployment
EchelonGraph monitors lifecycle policies + flags over-retention
🔗 Cross-Framework References
Automate ISO 27001 A.8.10 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.