CISSP As An Art

Data Retention Lessons from Facebook

You may have deleted your Facebook account.
But your data may still be sitting in their system.

Data retention is one of the most overlooked, yet most important, CISSP topics.


Case Study: How Facebook Deletes Data

Whether you still use Facebook regularly or stopped long ago, your data is still there.

And if you are thinking about deleting your profile, deletion is not as straightforward as it sounds.

Here’s how deletion works:

  • 30 days: Grace period where you can change your mind

  • Up to 90 days: Data purging from systems

  • 180 days: Retention policy window

  • After that, Meta, Facebook’s parent company, may still retain names, phone numbers, and email addresses for analytics or legal compliance purposes.

Is it fair?

Even if you’ve never had a Facebook account, they might still have your details.

That’s true.

It’s called a shadow profile: a record Facebook builds about you from information collected without your consent.

Meta’s privacy policy states that it collects information about you from the contacts that other users upload, such as their address books.

The good news is that there is a way out. You can submit a request to Facebook to delete your shadow profile.

Why does data need to be retained in the first place?

Companies retain data for analytics, for audit trails, and to comply with legal and regulatory requirements.

What’s the fundamental rule behind data retention?

In CISSP and security governance, a retention policy must answer three questions:

1. What data to retain?
Businesses should retain only what is necessary to meet their legal, regulatory, and business obligations. Be especially vigilant with personal data. The question applies not only to the records themselves but to the media and systems that hold and process sensitive data.

Retaining more data than required is also bad for business. First, it incurs additional storage cost. Second, it complicates e-Discovery: the more you hold, the harder it is to locate and produce the right records when a court order arrives.

2. How long to retain data?
In my professional experience, seven years is a typical mark, but it’s not a universal standard. Always engage an attorney and take legal advice.

3. How is data retained?
If you can’t access the data when you need it, what was the point of retaining it in the first place?

The third question relates to the e-Discovery concern mentioned earlier. Retaining data is not a set-and-forget strategy.

Techniques such as classification, indexing, tagging, and normalisation should be built into the retention process.
Data must be accessible, not just stored.
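To make the three questions concrete, here is an added example (not code from the original post or from Meta) of a small retention store: each record carries a classification tag that maps to a retention period, a legal hold overrides deletion, a periodic sweep purges what has expired, and a per-subject index keeps live records retrievable for e-Discovery. The schedule values, record classes, and subject identifiers are assumptions for illustration only; real retention periods come from legal counsel.

```python
"""Retention-schedule enforcement: an added illustration, not the page's own code.

Covers the three governance questions:
  1. what to retain  -> every record must carry a known classification
  2. how long        -> per-class retention period, overridden by legal hold
  3. how retained    -> a subject index so records can be found for e-Discovery
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention schedule in days (illustrative values, not legal advice).
RETENTION_DAYS = {
    "audit_log": 7 * 365,        # the "seven-year mark" from the text, as an example
    "financial_record": 7 * 365,
    "personal_contact": 180,     # mirrors the 180-day window discussed above
    "marketing_analytics": 90,
}


@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    subject: str                 # data subject the record is about (assumed id scheme)
    legal_hold: bool = False
    deleted: bool = False


@dataclass
class RetentionStore:
    records: dict = field(default_factory=dict)     # record_id -> Record
    by_subject: dict = field(default_factory=dict)  # index: subject -> [record_id]

    def add(self, rec: Record) -> None:
        """Refuse to store data that has no classification (question 1)."""
        if rec.classification not in RETENTION_DAYS:
            raise ValueError(f"unclassified record {rec.record_id}: refusing to store")
        self.records[rec.record_id] = rec
        self.by_subject.setdefault(rec.subject, []).append(rec.record_id)

    def expiry(self, rec: Record) -> date:
        """Date after which the record may be purged (question 2)."""
        return rec.created + timedelta(days=RETENTION_DAYS[rec.classification])

    def sweep(self, today: date) -> list:
        """Purge expired records; legal hold always wins over the schedule."""
        purged = []
        for rec in self.records.values():
            if rec.deleted or rec.legal_hold:
                continue
            if today >= self.expiry(rec):
                rec.deleted = True
                purged.append(rec.record_id)
        return purged

    def discover(self, subject: str) -> list:
        """e-Discovery lookup via the index: live records for one subject (question 3)."""
        return [self.records[rid] for rid in self.by_subject.get(subject, [])
                if not self.records[rid].deleted]


def demo():
    """Constructed sample data: three records about one subject, one year later."""
    store = RetentionStore()
    t0 = date(2020, 1, 1)
    store.add(Record("r1", "audit_log", t0, "user42"))
    store.add(Record("r2", "marketing_analytics", t0, "user42"))
    store.add(Record("r3", "personal_contact", t0, "user42", legal_hold=True))
    purged = store.sweep(date(2021, 1, 1))
    remaining = [r.record_id for r in store.discover("user42")]
    return purged, remaining


if __name__ == "__main__":
    print(demo())
```

The 90-day analytics record is purged on the sweep, the seven-year audit log survives, and the 180-day contact record survives only because it is on legal hold. An unclassified record is rejected at write time, which is the cheapest place to enforce "retain only what you can account for".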

Remember, deleting data should feel less like a breakup and more like a healthy goodbye.

In my CISSP world, every concept is a story, an art piece, or a visual representation. Join the CISSP As An Art (CaaART) tribe, the first visual-only CISSP course.
