Question 26
Domain 2: Data Protection and Identity SecurityAn organization is designing a data retention policy for cloud-based data. What is the MOST important consideration when determining retention periods?
Correct answer: B
Explanation
Retention periods should be set by weighing "business needs, regulatory requirements, and storage costs" because a retention policy must preserve data long enough for operations and legal compliance without keeping it unnecessarily. Regulations may require specific retention or deletion timelines, while longer retention increases storage and management costs.
Why each option is right or wrong
A. Keeping all data indefinitely to ensure nothing is lost
B. Balancing business needs, regulatory requirements, and storage costs
Retention periods are typically set by reconciling three competing constraints: operational need to keep records available, legal/regulatory mandates that may require preservation or deletion on fixed timelines, and the cost of storing and managing data over time. In practice, laws and regulations can impose specific retention windows or minimums, so the policy cannot be based on convenience alone; it must also avoid unnecessary long-term storage that increases cost and risk.
C. Deleting all data after 30 days to minimize risk
D. Following the shortest retention period mentioned in any regulation