You are designing a data retention and compliance solution for an organization subject to GDPR and data residency requirements. What approach ensures compliance while maintaining data availability?

  A. Store all data in a single region closest to company headquarters
  B. Implement regional data residency with encryption, access controls, and data lifecycle management policies ✓
  C. Use only unencrypted data storage for easy auditing
  D. Archive all personal data immediately upon collection

Correct answer: Implement regional data residency with encryption, access controls, and data lifecycle management policies

Option B is correct because GDPR and data residency requirements necessitate storing personal data only in approved geographic regions, combined with encryption at rest and in transit, strict access controls, and data lifecycle management policies (including retention schedules and deletion procedures) to ensure compliance while keeping data accessible for legitimate business purposes.

Option A is incorrect because storing all data in a single region without considering residency rules for different data subjects or jurisdictions violates GDPR's requirements, as EU resident data may need to remain within the EU regardless of where headquarters is located.

Option C is wrong because using unencrypted storage directly violates GDPR's Article 32 requirement for appropriate technical measures, including encryption, to protect personal data.

Option D is incorrect because immediately archiving all personal data upon collection would prevent legitimate processing activities required for the purpose for which data was collected, violating GDPR's purpose limitation and data minimization principles.

Topic: gdpr, data residency, azure compliance, data lifecycle management

Practice Microsoft Azure Solutions Architect (AZ-305) Questions Free