Provide guidance for data retention #2
Good point, we will update it. We even have some privacy-by-default in MISP regarding the soft-delete. When you delete an attribute in MISP, it's first a soft-delete (a flag set on the attribute), then a hard-delete when the soft-deleted attribute is finally deleted. In the MISP instance configuration, there is also an option to sanitise the value of the soft-deleted attribute. The option is called This allows a two-step validation for the final hard delete, and the sanitisation ensures that the value is sanitised, to keep a trace of the deleted data without keeping the value of the data itself.

We will add a second document/table with all the functionalities in MISP which could help to support GDPR and especially the "privacy-by-default" functionalities.

Regarding the retention period, a series of exceptions allows keeping personal data to fit with the purpose, such as criminal cases or use by law enforcement. So the retention period might be very different depending on the use case of a sharing community.

If you have any other feedback, let us know. Thank you very much for your contribution.
We updated the document with a section about data retention. I'll close the issue. If you feel something needs to be added, feel free to reopen this issue.
Irrespective of collecting, storing, and sharing data using MISP there is one more GDPR related question which is of particular interest to CSIRTs: how long may (personal) data be stored? The current version of the documents states:
This is especially relevant wrt MISP since events/attributes usually aren't deleted at all, or are they? Is this in line with the GDPR?
Please provide some guidance on this matter.