
I am a developer at a small start-up, in terms of company size at least. There are only 4 people in the company and I am the only full-time developer. The CEO is technical and writes code half of the time himself as well. Though small in size, we have roughly 1.5M uniques per month. Only a small part of our service is read only / consumption based (the forums and other social networking features). Based on the nature of what our service does, we end up collecting a lot of information on all of our users. Non-financial information, but most of the information we have about users they would never want other people to know or find out about. Each day the average active user gives about 10-15 new bits of information (willingly; that's why they use our service, we are not just tracking users to get the information).

That being said, a lot of users, when they close their account, contact us and demand that we verify we have deleted all of their information. We do our best to anonymize by blanking out their name, location, email address, etc... in our database. Then we mark the account no longer active.

However, we can never confirm their data is fully gone. We cannot retroactively go back and remove them from our countless number of backups. We snapshot every night and keep the backups for differing amounts of time. Since we can never get rid of them via the backups, which are basically just as good (if stolen, leaked, etc...) as the data in our live database, we can never confirm their data has been deleted.

Would this mean we would be breaking this code of conduct? If so, that would make this code of conduct way too burdensome for any start-up or company to follow.

(Not to mention other things in there besides the data retention policy that make this way too much for any start-up to promise to follow.)



Backups are hairy. From what I understand, the EU directives on user privacy require that you delete the data from your normal business processes and that you warrant that this data will never again be used, actively or passively, after the user requires deletion. The way I deal with this particular requirement on my site is that if a user requests removal, the deletion request is archived separately after the deletion. If I should have to roll back a database from a backup, then I will run all the deletions against it that were made since the time that the backup was made.

I'm not 100% sure if that is in compliance with the law, but it is a pretty gray area. As far as I'm concerned, I would say that you are doing just fine and that you operate to the spirit of the document, even if you can't guarantee that in the most extreme cases you'd be following it to the letter.

And that 'spirit' is exactly what this is all about.
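The deletion-ledger replay described in the comment above, as an added illustration that is not the commenter's own code: the ledger (user id plus the time the deletion was applied) is kept outside the backup set, and after a roll-back every entry at or after the snapshot time is re-applied. The record layout, the blanked fields and the sample data are assumptions.

```python
# Added example (not from the thread): keep a ledger of applied deletions outside
# the backup set and replay it over any restored snapshot. Record layout assumed.
from datetime import datetime, timezone

PII_FIELDS = ("name", "location", "email")  # fields the thread says get blanked


def anonymize(record: dict) -> dict:
    """Blank identifying fields and mark the account inactive; idempotent."""
    out = dict(record)
    for key in PII_FIELDS:
        if key in out:
            out[key] = None
    out["active"] = False
    return out


def replay_deletions(restored: dict, ledger: list, snapshot_time: datetime) -> list:
    """Re-apply deletions performed at or after the snapshot was taken (older ones
    are already in it; anonymize() is idempotent, so replaying more is harmless)."""
    applied = []
    for user_id, applied_at in ledger:
        if applied_at >= snapshot_time and user_id in restored:
            restored[user_id] = anonymize(restored[user_id])
            applied.append(user_id)
    return applied


def leaked_ids(restored: dict, ledger: list) -> list:
    """Ledger ids whose restored record still carries PII (should be empty)."""
    deleted = {uid for uid, _ in ledger}
    return [uid for uid, rec in restored.items()
            if uid in deleted and any(rec.get(k) for k in PII_FIELDS)]


# Constructed sample: a nightly snapshot, one closure before it and one after.
SNAPSHOT_TIME = datetime(2011, 5, 1, 2, 0, tzinfo=timezone.utc)
SNAPSHOT = {
    1: {"name": "Alice", "location": "Oslo", "email": "a@example.org", "active": True},
    2: {"name": "Bob", "location": "Lyon", "email": "b@example.org", "active": True},
    3: {"name": None, "location": None, "email": None, "active": False},
}
LEDGER = [
    (3, datetime(2011, 4, 30, 12, 0, tzinfo=timezone.utc)),  # before snapshot
    (2, datetime(2011, 5, 1, 9, 30, tzinfo=timezone.utc)),   # after snapshot
]


def restore_and_replay() -> dict:
    """Roll back to SNAPSHOT, then replay the ledger so user 2 stays deleted."""
    db = {uid: dict(rec) for uid, rec in SNAPSHOT.items()}
    replay_deletions(db, LEDGER, SNAPSHOT_TIME)
    return db
```

Because the ledger holds only ids and timestamps, it can be retained long after the backups that it guards without itself becoming a store of the data the user asked to have removed.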



