All the data, years worth, is still on servers, desktops, and laptops. The old data is on file servers and isn’t being deleted from file servers every 30 days. The only instance where it is protected is if a user deletes something, and then 31 days later after the deletion a legal request is made, then the data wouldn’t be accessible. Training should be done more discretely to ensure that active data is not deleted after 45 days, says John Defterios.”]
Source: https://www.darkreading.com/database-security/an-inconvenient-data-retention-policy