The EU's GDPR states that data must not be retained "longer than necessary". In the UK, a sensible rule of thumb for this is 6 years to be able to provide records to the tax authority as needed, but our business does not need to keep records longer than this and our data retention policy states to customers that we will not keep their data longer than 7 years.
We have tens of thousands of "contact" records in xero but there is no way to delete the details of customers that have not interacted with us 7 years.
Xero should allow users to set a "data retention period" in the settings and when this time passes, it should provide a tool that allows the PII of customers to be purged from the system and no longer saved.
Xero has a responsibility as a "Data Processor" under GDPR. Data processors and sub-processors are responsible for processing personal data on behalf of the controller. They must follow the controller’s instructions, including abiding by a data retention timeframe, which should be set out in the contract or data processing agreement. Details should also include what will happen to the personal data once the contract is terminated.
G Jones
supported this idea
·
The EU's GDPR states that data must not be retained "longer than necessary". In the UK, a sensible rule of thumb for this is 6 years to be able to provide records to the tax authority as needed, but our business does not need to keep records longer than this and our data retention policy states to customers that we will not keep their data longer than 7 years.
We have tens of thousands of "contact" records in xero but there is no way to delete the details of customers that have not interacted with us 7 years.
Xero should allow users to set a "data retention period" in the settings and when this time passes, it should provide a tool that allows the PII of customers to be purged from the system and no longer saved.
Xero has a responsibility as a "Data Processor" under GDPR. Data processors and sub-processors are responsible for processing personal data on behalf of the controller. They must follow the controller’s instructions, including abiding by a data retention timeframe, which should be set out in the contract or data processing agreement. Details should also include what will happen to the personal data once the contract is terminated.