DRPV-06
Standard
Weight: 5

Data Retention and Disposal

Plain English Explanation

This question asks whether you delete customer data when you no longer need it or when laws require deletion. It's about not hoarding information forever - keeping data only as long as necessary for business purposes or legal requirements, then securely destroying it. Think of it as cleaning out filing cabinets of old customer records you no longer need.

Business Impact

Keeping data too long multiplies your risk - every extra year of retained data increases breach impact by 20%. Proper retention policies reduce storage costs by 30-40% and demonstrate privacy maturity to auditors. Companies with clear retention schedules face smaller fines if breached, as regulators recognize risk reduction efforts. This is mandatory for many regulated industry contracts.

Common Pitfalls

The biggest mistake is having a retention policy on paper but no automated systems to actually delete data on schedule. Companies also forget about data in backups, archives, and third-party systems, creating compliance gaps that regulators exploit during investigations.

Question Information

Category: Data Rights and Privacy
Question ID: DRPV-06
Version: 4.1.0
Importance: Standard
Weight: 5/10
