Question
How long is personal information retained? Which retention policy governs the data? Who enforces the retention policy in the cloud?
Context
Privacy laws in various countries limit the ability of organizations to retain some types of personal information, and each country has its own legal retention period. Thus, the control of data retention needs to be adjustable to the jurisdiction under which the cloud service is operating. Additionally, in cloud scenarios, the governance of data storage (data citizenship) may differ from the governance of the data users; e.g. Asian customers using a European data storage location.
Solution
To avoid a potential legal violation, an automatic module (or tool) should be used to control the data retention period. When the legally allowed retention period elapses, the data should be permanently erased from storage. Automating this process eases the management of the data as well as of the application.
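One way such a module could work, as an added example that is not part of the original pattern. The retention periods, jurisdiction labels and record fields are constructed placeholders, and applying the shortest period among the storage and user jurisdictions is an assumption, not a legal rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed placeholder periods in days, not legal values.
RETENTION_DAYS = {"EU": 180, "ASIA-EXAMPLE": 365}

@dataclass
class Record:
    record_id: str
    collected_at: datetime
    storage_jurisdiction: str  # where the data is stored
    user_jurisdiction: str     # where the data user is located

def retention_limit(rec: Record) -> timedelta:
    """Assumption: the shortest period among the governing jurisdictions applies."""
    governing = {rec.storage_jurisdiction, rec.user_jurisdiction}
    unknown = sorted(j for j in governing if j not in RETENTION_DAYS)
    if unknown:
        raise LookupError(f"no retention policy for {unknown}")
    return timedelta(days=min(RETENTION_DAYS[j] for j in governing))

def enforce(store: dict, now: datetime):
    """Erase records past their limit; return (erased_ids, unresolved_ids)."""
    erased, unresolved = [], []
    for rec in list(store.values()):
        try:
            limit = retention_limit(rec)
        except LookupError:
            unresolved.append(rec.record_id)  # surface for review, never ignore
            continue
        if now - rec.collected_at >= limit:
            # Stand-in for permanent erasure; a real store must also purge
            # replicas and backups.
            del store[rec.record_id]
            erased.append(rec.record_id)
    return erased, unresolved

def sample_store() -> dict:
    """Constructed sample data: European storage used by customers elsewhere."""
    utc = timezone.utc
    recs = [
        Record("r1", datetime(2024, 1, 1, tzinfo=utc), "EU", "ASIA-EXAMPLE"),
        Record("r2", datetime(2024, 1, 1, tzinfo=utc), "ASIA-EXAMPLE", "ASIA-EXAMPLE"),
        Record("r3", datetime(2024, 6, 1, tzinfo=utc), "EU", "EU"),
        Record("r4", datetime(2020, 1, 1, tzinfo=utc), "UNLISTED", "EU"),
    ]
    return {r.record_id: r for r in recs}

if __name__ == "__main__":
    print(enforce(sample_store(), datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

Records whose jurisdiction has no configured policy are reported separately so they can be reviewed instead of being kept indefinitely by default.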
References
European data retention policy - ec.europa.eu
How long data can be retained - ec.europa.eu