Provide guidance for data retention

[StefanKelm]

Irrespective of collecting, storing, and sharing data using MISP there is one more GDPR related question which is of particular interest to CSIRTs: how long may (personal) data be stored? The current version of the documents states:

However, in the light of the purpose limitation principle, CSIRTs do not have a lawful basis for [...] retaining data for longer than is necessary for the purposes for which the personal data are processed.

This is especially relevant wrt MISP since events/attributes usually aren't deleted at all, or are they? Is this in line with the GDPR?

Please provide some guidance on this matter.

[adulau]

Good point, we will update it. We have even some privacy-by-default in MISP regarding the soft-delete.

When you delete an attribute in MISP, it's first a soft-delete (a flag set on the attribute) then a hard-delete when the soft-deleted attribute is finally deleted.

In the MISP instance configuration, there is also an option to sanitise the value of the soft-deleted attribute.

The option is called Security.sanitise_attribute_on_delete.

This allows to have a two-steps validation for final hard delete and the sanitise allow to ensure that the value is sanitised. To keep a trace of the deleted data without keeping the value of the data by itself.

We will add a second document/table with all the functionalities in MISP which could help to support GDPR and especially the "privacy-by-default" functionalities.

Regarding the retention period, a series of exception allow to keep personal data to fit with the purpose such as criminal cases or to be used by law-enforcement. So the retention period might be very different depending of the use-case of a sharing community.

If you have any other feedback, let us know. Thank you very much for your contribution.

[adulau]

We updated the document with a section about data retention. I'll close the issue. If you feel something needs to be added, feel free to reopen this issue.