Hello OpenPages Community,

What end point are folks using to be in compliance with new privacy laws and record retentions?  

DELETE /contents/{id} is only a soft delete

DELETE /contents/{id}/action/purge looks like it will remove all associations and reference to the object which is a good step to do first, but we really need something that will delete a specific record completely. 

Hello Andrea 

Here a link to the documentation to anonymize and hard delete objects

https://www.ibm.com/docs/en/opw/8.2.0?topic=ase-openpages-apis

Purge Resource, which performs a hard delete

httphttps://public.dhe.ibm.com/software/data/cognos/documentation/openpages/en/8.3.0.2/OpenAPI/OpenPages_API-OpenAPI_Reference.html?_gl=1*yzndxh*_ga*MTMzMjU4OTg4Ny4xNjg4Mzk1OTQ3*_ga_FYECCCS21D*MTY5MDI2MTM1Ny40My4xLjE2OTAyNjQ1ODYuMC4wLjA.

Anonymize API (API V1)

https://public.dhe.ibm.com/software/data/cognos/documentation/openpages/en/8.3.0.2/OpenAPI/OpenPages_API-OpenAPI_Reference.html?_gl=1*yzndxh*_ga*MTMzMjU4OTg4Ny4xNjg4Mzk1OTQ3*_ga_FYECCCS21D*MTY5MDI2MTM1Ny40My4xLjE2OTAyNjQ1ODYuMC4wLjA.

Hope this helps

and 

https://www.ibm.com/docs/en/opw/8.3.0?topic=guide-personal-information-processed-stored-by-openpages

To be in compliance with new privacy laws and record retention requirements, organizations often need to ensure that sensitive data is securely and completely deleted when necessary. As you've correctly pointed out, the standard DELETE operation, such as DELETE /contents/{id}, often performs a soft delete, which means the data may still be retrievable in some form. To achieve complete data deletion, organizations can consider implementing a combination of methods, including "hard delete" and secure data destruction techniques. Below are some approaches commonly used to achieve data deletion compliance:

1. Hard Delete with Purging:

   • As you mentioned, using DELETE /contents/{id}/action/purge can be the first step towards data deletion compliance. This operation removes all associations and references to the object, making it more difficult to access the data in the future.

2. Implementing a Custom "Hard Delete" Endpoint:

   • Organizations can create custom endpoints, such as DELETE /contents/{id}/action/hard-delete, to specifically handle hard deletions. This custom endpoint can ensure that the data is permanently and irreversibly removed from the system.

3. Data Encryption and Secure Key Management:

   • Before performing a hard delete, consider encrypting sensitive data using strong encryption algorithms. Properly manage encryption keys to ensure that data cannot be decrypted without proper authorization.

4. Data Overwriting:

   • In some cases, organizations may choose to overwrite sensitive data with random values or zeros before performing a hard delete. This adds an extra layer of data obfuscation.

5. Secure Data Destruction Techniques:

   • For physical storage media like hard drives, solid-state drives, and backup tapes, organizations should adopt secure data destruction techniques, such as degaussing, physical destruction, or secure erasure tools that meet industry standards (e.g., NIST SP 800-88).

6. Retention Policies and Scheduling:

   • Implement clear data retention policies to determine the appropriate data retention periods. Automated processes can be used to enforce data deletion once the retention period expires.

7. Data Protection Impact Assessment (DPIA):

   • Conduct DPIAs to assess the impact of data processing activities on data privacy and compliance. This includes ensuring that data deletion measures align with applicable privacy laws and regulations.

8. Data Auditing and Logging:

   • Implement comprehensive data auditing and logging mechanisms to track data access, modification, and deletion events for compliance and accountability purposes.