Hi all,
We are a nonprofit in Connecticut. We had an email request come in recently asking for us to delete their information under the Connecticut Data Privacy law. As a nonprofit, we are exempt from the law, but I processed the request anyway, as a show of good faith. This got me thinking about best practices, documentation, and so forth.
In such cases, what are your org's best practices? Is there a check and balance on purge scheduling/running? Is there documentation before and/or after? I'm curious what y'all have in place.
This makes me wonder if other states have exemptions for non-profits! Probably not my state (NY), but maybe others... hmm... But regarding your actual question - we normally only purge if there's a specific request to, and documentation is basically an email trail (request from patron goes to our box office, who asks me to do the honors and report back).