Best Approach for Compliance
Question
Your company acquired a healthcare startup and must retain its customers' medical information for up to 4 more years, depending on when it was created.
Your corporate policy is to securely retain this data, and then delete it as soon as regulations allow.
Which approach should you take?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.C.
The approach that should be taken in this scenario is to store the data in Cloud Storage and use lifecycle management to delete files when they expire (Option C).
Option A is not recommended as Google Drive is not designed to securely store sensitive data, and manually deleting records can be error-prone and time-consuming.
Option B suggests anonymizing the data using the Cloud Data Loss Prevention API and storing it indefinitely. While anonymization can help protect privacy, it may not be sufficient to comply with data retention regulations. Additionally, retaining data indefinitely could be seen as unnecessary and can increase the risk of data breaches.
Option D suggests running a nightly batch script that deletes all expired data. While this can be a useful tool for automating the deletion of expired data, it may not be enough to ensure that all data is deleted as soon as regulations allow.
Option C is the best approach as it allows the data to be stored securely in Cloud Storage, while lifecycle management can automatically delete files when they expire based on a specified retention period. This ensures that the data is only retained for as long as necessary and then deleted as soon as possible, in compliance with regulations. Additionally, Cloud Storage provides advanced security features such as encryption at rest and in transit, access control, and audit logging, which can help protect the sensitive data.
