Hi all,
We are a nonprofit in Connecticut. We had an email request come in recently asking for us to delete their information under the Connecticut Data Privacy law. As a nonprofit, we are exempt from the law, but I processed the request anyway, as a show of good faith. This got me thinking about best practices, documentation, and so forth.
In such cases, what are your org's best practices? Is there a check and balance on purge scheduling/running? Is there documentation before and/or after? I'm curious what y'all have in place.
This makes me wonder if other states have exemptions for non-profits! Probably not my state (NY), but maybe others... hmm... But regarding your actual question - we normally only purge if there's a specific request to, and documentation is basically an email trail (request from patron goes to our box office, who asks me to do the honors and report back).
We also only purge if there is a request to do so. A customer will usually email one of our teams and those teams then submit a Mojo ticket request for us. In our ticketing portal we assign a specific tag to that ticket to keep track of all purge requests.
Usually, people ask us to take them off our mailing list, and we handle that with mail restrictions (and/or phone, email, depending on the request). I've had only a few "erase my data" requests, and in all but one case, these were people we mailed to through a list trade, so other than contacting the creator of the list to request that we don't receive that name again, there's not much I can do. For the one purge request I've acted on, I first copied the directive to purge data into a customer service issue. That's the only documentation I have.
Kia ora Nathanael. We purge records in 2 instances - one, as everyone has said, upon a request from a customer & secondly, around accounts created during guest check out, if the customer doesn't complete the sale. We feel that if someone enters their details into TNEW & then doesn't complete the transaction, they would have a reasonable expectation that we would not be keeping their data - so it's a weekly maintenance job for me. I identify the records created during a partial guest check out & then purge them. No other documentation completed each week - just the weekly maintenance process documented.