I am trying to understand further data retention policies and how at a technical level they are implemented. I appreciate certain compliance-regulated data may need to be retained and archived in line with legal requirements and/or compliance legislation. Likewise, PII data can only be kept for the purposes it was collected in line with privacy legislation and no longer before it must be erased.
But I don’t quite understand technically how this is done. Say for example a database with personal records – if you never delete the records out of the online database does that constitute an effective retention policy, or if not why not?
I am sure the backups and tape backups come into this somehow, but if the online copy of the DB contains all the records in the database going back years, then why do you also need to keep endless backup copies and tape copies as part of the retention policy? It would make sense if you are taking a snapshot of data each day and then records are deleted from the online copy of the DB, then it would make sense if you ever had to restore old historic data – but if all data ever collected sits in the same DB then I am a bit lost how the whole retention thing works and how it ties in with backups and archiving.