
Backup user data before Data Retention Deletion

denully shared this idea 4 months ago
Under Consideration

With the new GDPR and the Data Retention setting to be able to automatically delete inactive users, I think it would be nice to have an option under those settings to do a full backup of the deleted users, or maybe just a way that, instead of deleting, it would give an admin notice that a user is up for deletion.

As we need to save invoice data and such for xx years, it would be nice to be able to double check we have the data we need to save, before a user is deleted. Without having to check daily for users about to be disabled. :)

Comments (10)

1

Hi,

Thanks for taking the time to provide your suggestion.

The proposition of taking a backup of data being deleted is an interesting one. The idea behind irrevocably deleting client data which you no longer require is to meet the GDPR requirement of removing data which you have no reasonable legal need to store.

I'm personally not sure whether keeping such data in a backup "just in case" would qualify as a suitable justification under that law.

1

The GDPR requires that when customers order you to delete their data, you must irrevocably delete that information and not a single speck of it should remain in your database. They want you to delete ALL their data. It's assumed no backups will be stored "just in case" because it breaks the regulation.

1

I understand :) That's why it would only be to double check that the data actually needed to be saved was saved, and then the backup of course should be removed manually afterwards, as it is still up to the company to uphold the GDPR, no matter if it's from automated deletion or manual deletion.

Or, as I believe invoices are the only thing that may need to be saved for a longer period, due to tax laws in each country, then if there was a way to "delete User profile and backup invoices to *location*"

As I see the system right now, I have to check daily if a user is up for deletion, to then take a backup of their invoices or double check we have them all in printed version, before I let WHMCS delete the user profile.

1

Hello,

In our country we need to keep invoices stored in our system for 10 years.

However with GDPR we need to have a retention period for personal data, to erase it after someone stops using our services.

We don't have any reason to keep the email and the phone number of someone for 10 years, so it would be nice to have the option to delete all data (all customer logs, email and phone number) but invoices.

Thank you,

David D.

1

The biggest issue with your current implementation is that it flies in the face of so many other elements of GDPR and other LEGAL requirements.

"Using this feature removes all data relating to a given customer including, but not limited to, personal information in the user's profile, service and invoice history, activity log entries, support ticket and email history." This is wrong, as part of the "right to be forgotten" is we need to keep this for the following reasons (just some):

  • Credit Card Disputes - Someone requests a right to be forgotten, then several weeks later, after the service/product has been delivered, they raise a dispute and the funds get taken out of our account as we no longer have a record of this.
  • Revenue - Insert your local tax authority: now we have no evidence of the client ordering, so we can have payments in our bank account with little or no backup data, so we can get done for Money Laundering.
  • Critical failure of system - we do a restore and do not keep the right to be forgotten request as we can't "back this up", so the system gets restored... with the customer details. Now we have not completed a Duty of Care!

There are many other reasons why this implementation is poor, and it honestly scares me. So to make this feature work we will have to develop other tools so it doesn't mess up our business. PLEASE WHMCS, if you want to know more about GDPR and the correct regs rather than your take on it, reach out to me.

GDPR is more than just the right to be forgotten; this is the smallest part of it. It is not just about marketing emails.

A customer can reach out and view and manage their data but there is some data that NEEDS to be kept and used for the continuation of the service.

1

Hi Alex,

In the situations described, the right to erasure might not apply in order to comply with a legal obligation; e.g. maintaining invoice and transaction records for several years per your tax authority's requirements.

Therefore you could set the data retention setting to trigger after the legal requirement to maintain invoice records has elapsed. In this way, you may satisfy both regulations.

1

For tax reasons we have to keep invoices for 10 years (including information on how the right VAT rate was decided). This 10 year period starts at January 1st in the year after the invoice was generated. Having an option to give a notice to an admin to manually do the deletion would also work, I think, as that admin can verify the user can really be deleted (does the client still have to pay something? Can it be deleted from a (tax) law point of view?).

1

Hello,

The legal obligation to keep invoices for 10 years doesn't authorize you to keep the phone number and email address for the same period, as that is not considered to be legal data (legal data are name, address and VAT number). I suggest the following:

We should have a config option to choose the fields that will be erased from the database after a 1st retention period (like 1 year after no activity), and a 2nd retention period (like after 10 years) that will erase all invoices of that customer.

We should be able to set what is erased and when; this will give more flexibility to WHMCS to adapt to each country.

1

And also other conditions should be set. E.g. don't do it when there are unpaid invoices, or only do it when the account is marked closed or inactive. As long as there are unpaid invoices you might need to contact the client and have a valid reason to keep, for example, the phone number. So having many options for it is a good idea.

1

At the very least, before automated deletion, it seems like a complete no-brainer that both the client and the admin should be notified prior to deletion so that A) there is a chance for the client to change their mind or even get all their own data - and B) so that the admin has a chance to, for example, do a PDF export of invoices for tax purposes. The right of the user to be forgotten does not give the system the right to screw up our record keeping.