Purging and purge requests

Hi all,

We are a nonprofit in Connecticut. We had an email request come in recently asking for us to delete their information under the Connecticut Data Privacy law. As a nonprofit, we are exempt from the law, but I processed the request anyway, as a show of good faith. This got me thinking about best practices, documentation, and so forth.

In such cases, what are your org's best practices? Is there a check and balance on purge scheduling/running? Is there documentation before and/or after? I'm curious what y'all have in place.

  • Usually, people ask us to take them off our mailing list, and we handle that with mail restrictions (and/or phone, email, depending on the request). I've had only a few "erase my data" requests, and in all but one case, these were people we mailed to through a list trade, so other than contacting the creator of the list to request that we don't receive that name again, there's not much I can do. For the one purge request I've acted on, I first copied the directive to purge data into a customer service issue. That's the only documentation I have.
