Exam CISSP topic 1 question 244 discussion

CISSP Official Study Guide pg 197 - "Some laws and regulations dictate the length of time that an organization should retain data, such as three years, seven years, or even indefinitely. Organizations have the responsibility of identifying laws and regulations that apply and complying with them. However, even in the absence of external requirements, an organization should still identify how long to retain data. "

So, it's important that the data owner should understand which legal requirements apply to the data they are managing and must comply with them, as non-compliance could result in significant fines and penalties. The data owner should consider the legal requirements before implementing a data retention policy and ensure that it is compliant with all relevant laws and regulations. Once legal requirements are considered, the data owner can consider other important factors such as storage, training and business requirements.

Always legal before business.

https://www.intradyn.com/data-retention-policy/#:~:text=Although%20there%E2%80%99s%20no%20one-size-fits-all%20approach%20to%20data%20retention,a%20data%20retention%20policy%3A%20Do%20your%20research%2C%20first. Do your research, first. Make sure you are aware of and understand all the regulations that apply to your business and any legal obligations before you get started. Determine what your business needs are. Although legal requirements come first, any data retention policies that you implement should also be designed in such a way that they streamline business-critical processes and promote efficiency. Make data retention policy development a team effort. In order to create a record retention policy that is truly comprehensive and represents the interests of your entire organization, you need input from multiple different voices, including your in-house legal counsel, finance department, accounting team and other various departmental managers and supervisors.