| Disposal policy ownership | Compliance | Maintain written disposal policies and procedures for consumer information and customer information. | Current policy, approval history, periodic review record |
| Information classification | Compliance and operations | Identify whether records contain consumer information, customer information, or sensitive customer information before disposal. | Data map, record inventory, disposal classification notes |
| Retention hold check | Compliance | Confirm no transfer-agent, tax, litigation, contract, regulatory, or other retention requirement requires continued preservation. | Retention review checklist, hold clearance, exception log |
| Paper record disposal | Operations | Shred, destroy, or otherwise dispose of paper records using reasonable measures that prevent unauthorized access or reconstruction. | Disposal log, vendor certificate, internal witness record |
| Electronic file disposal | Systems owner | Delete or sanitize files, exports, working copies, and local storage using methods appropriate to the system and risk. | Ticket, deletion log, storage-location checklist |
| Backup and archive handling | Systems owner | Confirm whether backups or archives contain covered information and document whether data is deleted, aged out, or retained under a documented retention schedule. | Backup inventory, retention schedule, exception approval |
| Device and media disposal | Operations and systems owner | Sanitize, destroy, or transfer devices and media only after covered information is removed or protected. | Asset-disposal ticket, wipe record, destruction certificate |
| Service-provider disposal | Vendor owner | Require approved service providers that handle covered information to dispose of it using reasonable measures and provide evidence when appropriate. | Contract term, vendor attestation, certificate of destruction |
| Disposal exception management | Compliance | Document when disposal is delayed because another law, hold, investigation, operational dependency, or vendor limitation requires retention. | Exception register, approval, next-review date |
| Recordkeeping | Compliance | Preserve disposal policies, procedures, evidence, exceptions, and review records for the applicable retention period. | Binder index, dated records, storage-location reference |