SEC08-05 Compliance of Data Usage, Retention, and Disposal

Data handlers must comply with relevant laws, regulations, and privacy protection guidelines when processing personal data, including data use, retention, and destruction, to ensure that data processing activities comply with laws and regulations and respect data subjects' rights.

• Risk level

  High

• Key strategies
  • Obtain data subjects' authorization before using personal data. The use scope and method cannot exceed the collection purpose.
  • The system should set the privacy protection function to protect privacy by default.
  • Ensure personal data security during the use of personal data, for example, record personal data addition, deletion, modification, and batch export operations in the O&M phase.
  • Follow the data minimisation principle when logging personal data for fault location.
  • The data controller must not collect or process the personal data any more after data subjects withdraw their consent.
  • Systems that provide user profiles shall provide a mechanism for users to opt out of such profiles.
• Related cloud services and tools
  • Data Security Center (DSC): Users can use the preset masking rules of DSC or customize masking rules to mask specified database tables. DSC supports various cloud scenarios, such as RDS and self-built databases on ECSs. In addition, DSC automatically provides data masking suggestions and allows users to configure masking rules only in a few clicks.
  • Database Security Service (DBSS): DBSS can be used to mask data. To mask sensitive information in entered SQL statements, users can enable the privacy data masking function of DBSS and configure privacy data masking rules to mask specified database tables and queries from specific source IP addresses, users, and applications.