by alkonaut
2959 days ago
A good question. But that's not how these things work. The law has to be self-enforced or it's useless, since, as you say, how will small to medium businesses ever be caught violating? Megacorps comply because of mega fines. Small businesses comply because their owners or future buyers are a larger corp who fears that their sub-subsidiary might be in violation, causing a future mega fine. So small businesses who care about the value of their company follow these rules. It's almost exactly the same reason small businesses buy software licenses. It's not out of fear of fines but because otherwise they don't look like a serious company. A question I have been wondering about is how many companies will leave some violations, such as data in backups, simply because removing it is too expensive, so it's a risk worth taking. I honestly haven't understood how backup of data fits into the requirement to delete data of a certain age?

I'll pick an example from my work. Data can be deleted from the active set, at which point it takes extra effort to retrieve it. (If you can't SELECT it anymore from the warm slaves, it's gone.) But as long as you can make a point-in-time recovery from your backups, the data is still present in the inactive set. Using the inactive set requires, by definition, extra effort.

So you need to state that fact in the data protection/retention policy, AND put reasonable technical enforcement mechanisms ("controls") in place to ensure that backups are expired and fully deleted after a given retention period. The older your unexpired backups get, the less valuable they should become.
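A concrete version of such a control, as an added example that is not from either commenter: a retention sweep over a constructed backup inventory, plus an audit function that reports any backup still present past the retention period (the thing an auditor would ask for). The inventory, dates and 90-day window are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    name: str
    created: datetime      # when the snapshot was taken
    deleted: bool = False  # True once the control has expired it


# Constructed sample inventory (not real data): snapshots around a 90-day window.
NOW = datetime(2018, 6, 1)
RETENTION = timedelta(days=90)
INVENTORY = [
    Backup("db-2018-05-31", datetime(2018, 5, 31)),
    Backup("db-2018-03-04", datetime(2018, 3, 4)),    # 89 days old: still within retention
    Backup("db-2018-03-03", datetime(2018, 3, 3)),    # exactly 90 days old: expired
    Backup("db-2017-12-01", datetime(2017, 12, 1), deleted=True),  # already handled
    Backup("db-2017-11-15", datetime(2017, 11, 15)),  # missed by an earlier sweep
]


def expired(backups, now, retention):
    """Backups that still exist and whose age has reached the retention period."""
    return [b for b in backups if not b.deleted and now - b.created >= retention]


def sweep(backups, now, retention):
    """Enforce the policy: mark every expired backup as deleted. Returns the new inventory."""
    to_delete = {b.name for b in expired(backups, now, retention)}
    return [
        Backup(b.name, b.created, deleted=(b.deleted or b.name in to_delete))
        for b in backups
    ]


def audit(backups, now, retention):
    """Control check: names of undeleted backups older than retention (each one is a violation)."""
    return sorted(b.name for b in expired(backups, now, retention))


def oldest_unexpired_age_days(backups, now):
    """Age of the oldest backup still present; the policy says this should never exceed retention."""
    live = [b for b in backups if not b.deleted]
    return max((now - b.created).days for b in live) if live else 0


if __name__ == "__main__":
    print("violations before sweep:", audit(INVENTORY, NOW, RETENTION))
    print("violations after sweep: ", audit(sweep(INVENTORY, NOW, RETENTION), NOW, RETENTION))
```

Run the audit on a schedule independent of the sweep, so a sweep that silently fails (as the 2017-11-15 snapshot illustrates) is caught rather than assumed.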